scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-11-01 19:17:58 +00:00
Code Issues Packages Projects Releases Wiki Activity

Make reception of an empty valid principals configurable based on a role flag. (#28466)

Browse Source 
* Make reception of an empty valid principals configurable based on a role flag.

Adds allow_empty_principals, which if true allows valid_principals on credential generation calls
to be empty.

* changelog

* Allow empty principals on unrelated unit test

* whitespace
This commit is contained in:
Scott Miller
2024-09-23 17:20:11 -05:00
committed by GitHub
parent 2e6ba29f5b
commit 12f03b073a
7 changed files with 133 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
website/content/api-docs/secret/ssh.mdx
View File

@@ -171,6 +171,10 @@ This endpoint creates or updates a named role.
~> **Note**: In FIPS 140-2 mode, the following algorithms are not certified
and thus should not be used: `ed25519`.
- `allow_empty_principals` `(bool: false)` - Allow signing certificates with
no valid principals (e.g. any valid principal). For backwards
compatibility only. The default of false is highly recommended.
- `algorithm_signer` `(string: "default")` - Algorithm to sign keys with. Valid
values are `ssh-rsa`, `rsa-sha2-256`, `rsa-sha2-512`, or `default`. This
value may also be left blank to use the signer's default algorithm, and must
@@ -190,6 +194,10 @@ This endpoint creates or updates a named role.
- `not_before_duration` `(duration: "30s")`  Specifies the duration by which to
backdate the `ValidAfter` property. Uses [duration format strings](/vault/docs/concepts/duration-format).
- `allow_empty_principals` `(bool: false)` - If true, allows certificates
to be issued against all principals. Highly recommended to use the default of
false.
### Sample payload
```json
@@ -744,7 +752,8 @@ parameters of the issued certificate can be further customized in this API call.
set.
- `valid_principals` `(string: "")`  Specifies valid principals, either
usernames or hostnames, that the certificate should be signed for.
usernames or hostnames, that the certificate should be signed for. Required
unless the role has specified allow_empty_principals.
- `cert_type` `(string: "user")`  Specifies the type of certificate to be
created; either "user" or "host".
@@ -830,7 +839,8 @@ parameters of the issued certificate can be further customized in this API call.
set.
- `valid_principals` `(string: "")` Specifies valid principals, either
usernames or hostnames, that the certificate should be signed for.
usernames or hostnames, that the certificate should be signed for. Required
unless the role has specified allow_empty_principals.
- `cert_type` `(string: "user")` Specifies the type of certificate to be
created; either "user" or "host".
@@ -926,4 +936,4 @@ $ curl \
"warnings": null,
"auth": null
}
```
```