1009 Commits

Author SHA1 Message Date
Bill Monkman
64d72672ff #1486 : Fixed sealed and leader checks for consul backend 2016-06-03 16:00:31 -07:00
Jeff Mitchell
6f5fa23386 Merge pull request #1470 from hashicorp/unwrap-in-api
Make Unwrap a first-party API command and refactor UnwrapCommand to u…
2016-06-03 13:25:10 -04:00
Jeff Mitchell
32b4f48e66 Add a metadata node_id field for Atlas usage and fix tests 2016-06-02 18:19:51 -04:00
Jeff Mitchell
d32283ba49 Initial Atlas listener implementation 2016-06-02 14:05:47 -04:00
vishalnayak
cbf7ccb73d Prioritize dev flags over its env vars 2016-06-01 12:21:29 -04:00
vishalnayak
ff01f8f437 Address review feedback 2016-06-01 11:39:48 -04:00
vishalnayak
ea65ffd451 Supplying strictHostKeyChecking and userKnownHostsFile from env vars 2016-06-01 11:08:24 -04:00
vishalnayak
ab017967e4 Provide option to disable host key checking 2016-06-01 11:08:24 -04:00
Jeff Mitchell
6a2ad76035 Make Unwrap a first-party API command and refactor UnwrapCommand to use it 2016-05-27 21:04:30 +00:00
vishalnayak
8678c5e779 Add a non-nil check for 'port' field to be present in the response 2016-05-25 21:26:32 +00:00
Jeff Mitchell
86094cce6a Decode json.Number before handing to mapstructure 2016-05-25 19:02:31 +00:00
Jeff Mitchell
810e914730 Add unwrap test function and some robustness around paths for the wrap lookup function 2016-05-19 11:49:46 -04:00
Jeff Mitchell
0b59a54837 Add unwrap command, and change how the response is embedded (as a string, not an object) 2016-05-19 11:25:15 -04:00
Jeff Mitchell
07b86fe304 Merge branch 'master-oss' into cubbyhole-the-world 2016-05-19 02:43:22 +00:00
Jeff Mitchell
8c3866ea16 Rename lease_duration to refresh_interval when there is no lease ID, and output ---- between header and values 2016-05-17 17:10:12 +00:00
Jeff Mitchell
b626bfa725 Address most review feedback. Change responses to multierror to better return more useful values when there are multiple errors 2016-05-16 16:11:33 -04:00
Jeff Mitchell
53afa06beb Merge branch 'master-oss' into cubbyhole-the-world 2016-05-16 12:14:40 -04:00
Sean Chittenden
339c0a4127 Speling police 2016-05-15 09:58:36 -07:00
Jeff Mitchell
c104bcf959 Merge branch 'master-oss' into cubbyhole-the-world 2016-05-12 14:59:12 -04:00
Jeff Mitchell
17d02aa46e Merge branch 'master-oss' into f-vault-service 2016-05-04 17:20:00 -04:00
Jeff Mitchell
a110f6cae6 Merge branch 'master-oss' into cubbyhole-the-world 2016-05-04 14:42:14 -04:00
Jeff Mitchell
806119f5a1 Fix number of recovery shares output during init 2016-05-03 23:07:09 -04:00
Jeff Mitchell
4268158c82 Properly handle sigint/hup 2016-05-03 14:30:58 -04:00
Jeff Mitchell
ff4dc0b853 Add wrap support to API/CLI 2016-05-02 02:03:23 -04:00
Jeff Mitchell
b5b8ac8686 Ensure seal finalizing happens even when using verify-only 2016-04-28 14:06:05 -04:00
Sean Chittenden
eedd7f0c39 Change the interface of ServiceDiscovery
Instead of passing state, signal that the state has changed and provide a callback handler that can query Core.
2016-04-28 11:05:18 -07:00
Sean Chittenden
455b76828f Add a *log.Logger argument to physical.Factory
Logging in the backend is a good thing.  This is a noisy interface change but should be a functional noop.
2016-04-25 20:10:32 -07:00
Sean Chittenden
9647f2e067 Collapse UpdateAdvertiseAddr() into RunServiceDiscovery() 2016-04-25 18:01:13 -07:00
Sean Chittenden
38a3ea3978 Disable service registration for consul HA tests 2016-04-25 18:01:13 -07:00
Sean Chittenden
3e43da258a Use spaces in tests to be consistent
The rest of the tests here use spaces, not tabs
2016-04-25 18:01:13 -07:00
Sean Chittenden
53dd43650e Various refactoring to clean up code organization
Brought to you by: Dept of 2nd thoughts before pushing enter on `git push`
2016-04-25 18:01:13 -07:00
Sean Chittenden
9a2115181b Improve error handling re: homedir expansion
Useful if the HOME envvar is not set because `vault` was launched in a clean environment (e.g. `env -i vault ...`).
2016-04-25 18:01:13 -07:00
Sean Chittenden
c0bbeba5ad Teach Vault how to register with Consul
Vault will now register itself with Consul.  The active node can be found using `active.vault.service.consul`.  All standby vaults are available via `standby.vault.service.consul`.  All unsealed vaults are considered healthy and available via `vault.service.consul`.  Change in status and registration is event driven and should happen at the speed of a write to Consul (~network RTT + ~1x fsync(2)).

Healthy/active:

```
curl -X GET 'http://127.0.0.1:8500/v1/health/service/vault?pretty' && echo;
[
    {
        "Node": {
            "Node": "vm1",
            "Address": "127.0.0.1",
            "TaggedAddresses": {
                "wan": "127.0.0.1"
            },
            "CreateIndex": 3,
            "ModifyIndex": 20
        },
        "Service": {
            "ID": "vault:127.0.0.1:8200",
            "Service": "vault",
            "Tags": [
                "active"
            ],
            "Address": "127.0.0.1",
            "Port": 8200,
            "EnableTagOverride": false,
            "CreateIndex": 17,
            "ModifyIndex": 20
        },
        "Checks": [
            {
                "Node": "vm1",
                "CheckID": "serfHealth",
                "Name": "Serf Health Status",
                "Status": "passing",
                "Notes": "",
                "Output": "Agent alive and reachable",
                "ServiceID": "",
                "ServiceName": "",
                "CreateIndex": 3,
                "ModifyIndex": 3
            },
            {
                "Node": "vm1",
                "CheckID": "vault-sealed-check",
                "Name": "Vault Sealed Status",
                "Status": "passing",
                "Notes": "Vault service is healthy when Vault is in an unsealed status and can become an active Vault server",
                "Output": "",
                "ServiceID": "vault:127.0.0.1:8200",
                "ServiceName": "vault",
                "CreateIndex": 19,
                "ModifyIndex": 19
            }
        ]
    }
]
```

Healthy/standby:

```
[snip]
        "Service": {
            "ID": "vault:127.0.0.2:8200",
            "Service": "vault",
            "Tags": [
                "standby"
            ],
            "Address": "127.0.0.2",
            "Port": 8200,
            "EnableTagOverride": false,
            "CreateIndex": 17,
            "ModifyIndex": 20
        },
        "Checks": [
            {
                "Node": "vm2",
                "CheckID": "serfHealth",
                "Name": "Serf Health Status",
                "Status": "passing",
                "Notes": "",
                "Output": "Agent alive and reachable",
                "ServiceID": "",
                "ServiceName": "",
                "CreateIndex": 3,
                "ModifyIndex": 3
            },
            {
                "Node": "vm2",
                "CheckID": "vault-sealed-check",
                "Name": "Vault Sealed Status",
                "Status": "passing",
                "Notes": "Vault service is healthy when Vault is in an unsealed status and can become an active Vault server",
                "Output": "",
                "ServiceID": "vault:127.0.0.2:8200",
                "ServiceName": "vault",
                "CreateIndex": 19,
                "ModifyIndex": 19
            }
        ]
    }
]
```

Sealed:

```
        "Checks": [
            {
                "Node": "vm2",
                "CheckID": "serfHealth",
                "Name": "Serf Health Status",
                "Status": "passing",
                "Notes": "",
                "Output": "Agent alive and reachable",
                "ServiceID": "",
                "ServiceName": "",
                "CreateIndex": 3,
                "ModifyIndex": 3
            },
            {
                "Node": "vm2",
                "CheckID": "vault-sealed-check",
                "Name": "Vault Sealed Status",
                "Status": "critical",
                "Notes": "Vault service is healthy when Vault is in an unsealed status and can become an active Vault server",
                "Output": "Vault Sealed",
                "ServiceID": "vault:127.0.0.2:8200",
                "ServiceName": "vault",
                "CreateIndex": 19,
                "ModifyIndex": 38
            }
        ]
```
2016-04-25 18:01:13 -07:00
Sean Chittenden
bd5305e470 Stub out service discovery functionality
Hook asynchronous notifications into Core to change the status of vault based on its active/standby, and sealed/unsealed status.
2016-04-25 18:00:54 -07:00
Sean Chittenden
f2dc2f636e Comment nits 2016-04-25 18:00:54 -07:00
Jeff Mitchell
4c509ba162 Change seal test name in command package 2016-04-26 00:12:14 +00:00
Jeff Mitchell
28272ca629 Merge pull request #1326 from hashicorp/sethvargo/hint_noreauth
Hint that you don't need to run auth twice
2016-04-25 15:43:55 -04:00
Jeff Mitchell
99772d3cff Add seal tests and update generate-root and others to handle dualseal. 2016-04-25 19:39:04 +00:00
Jeff Mitchell
b44d2c01c0 Use UseNumber() on json.Decoder to have numbers be json.Number objects
instead of float64. This fixes some display bugs.
2016-04-20 18:38:20 +00:00
Jeff Mitchell
28c97b4914 Change recovery options in init to be 'key'-less 2016-04-18 17:02:07 +00:00
Jeff Mitchell
e5b089de0f Add check against seal type to catch errors before we attempt to use the data 2016-04-15 18:16:48 -04:00
Sean Chittenden
bc570e74f3 Fix SIGINT handling.
No signal handler was set up to receive SIGINT.  I didn't investigate to
see if signal(2) mask was set up (ala `SIG_IGN`) or if sigprocmask(2) is
being used, but in either case, the correct behavior is to capture and
treat SIGINT the same as SIGTERM.  At some point in the future these two
signals may affect the running process differently, but we will clarify
that difference in the future.
2016-04-15 10:03:22 -07:00
Jeff Mitchell
94d6b3ce94 Add Finalize method to seal. 2016-04-14 20:37:34 +00:00
vishalnayak
e53b9dbadb Provide clarity for output statements of idempotent calls. 2016-04-14 15:46:45 +00:00
vishalnayak
691052c3f4 Clarify token-revoke operation 2016-04-14 15:34:01 +00:00
Seth Vargo
f170066c19 Clarify delete operation
One thing that has been a point of confusion for users is Vault's
response when deleting a key that does not actually exist in the system.
For example, consider:

    $ vault delete secret/foo
    Success! Deleted 'secret/foo'

This message is misleading if the secret does not exist, especially if
the same command is run twice in a row.

Obviously the reason for this is clear - returning an error if a secret
does not exist would reveal the existence of a secret (the same reason
everything on S3 is a 403 or why GitHub repos 404 instead of 403 if you
do not have permission to view them).

I think we can make the UX a little bit better by adding just a few
words to the output:

    $ vault delete secret/foo
    Success! Deleted 'secret/foo' if it existed

This makes it clear that the operation was only performed if the secret
existed, but it does not reveal any more information.
2016-04-14 10:38:10 +01:00
Jeff Mitchell
d273a051c7 Check for seal status when initing and change logic order to avoid defer 2016-04-14 01:13:59 +00:00
Seth Vargo
716f780cf1 Hint that you don't need to run auth twice
This came up twice, in two different training courses. The UX is a
little confusing here on the CLI. Users are used to running:

    $ vault auth abcd-1234...

So when they auth using a method, the output leads them to believe they
need to "re-auth" as the generated token:

    $ vault auth -method=userpass username=foo password=bar
    Successfully authenticated!
    token: defg-5678...

A number of users then run:

    $ vault auth defg-5678

I've added some helpful text to hint this is not required if the method
is not "token".
2016-04-13 19:45:48 +01:00
Jeff Mitchell
74826c25ca Fix panic when using -field with read or write with a non-string value.
Fixes #1308
2016-04-07 22:16:33 +00:00
Sean Chittenden
ffe34bf375 Reinstall the mlockall(2) command
Requested by: jefferai
2016-04-05 13:58:26 -07:00