Vault 1979: Query API for Irrevocable Leases (#11607)

* build out lease count (not fully working), start lease list * build out irrevocable lease list * bookkeeping * test irrevocable lease counts for API/CLI * fix listIrrevocableLeases, test listIrrevocableLeases, cleanup * test expiration API limit * namespace tweaks, test force flag on lease list * integration test leases/count API, plenty of fixes and improvements * test lease list API, fixes and improvements * test force flag for irrevocable lease list API * i guess this wasn't saved on the last refactor... * fixes and improvements found during my review * better test error msg * Update vault/logical_system_paths.go Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> * Update vault/logical_system_paths.go Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> * return warning with data if more than default leases to list without force flag * make api doc more generalized * list leases in general, not by mount point * change force flag to include_large_results * sort leases by LeaseID for consistent API response * switch from bool flag for API limit to string value * sort first by leaseID, then stable sort by expiration * move some utils to be in oss and ent * improve sort efficiency for API response Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
2025-11-02 03:27:54 +00:00 · 2021-06-02 10:11:30 -06:00
parent f7ac6bb97f
commit b56a109e4c
9 changed files with 1028 additions and 12 deletions
--- a/website/content/api-docs/system/leases.mdx
+++ b/website/content/api-docs/system/leases.mdx
@@ -243,3 +243,68 @@ $ curl \
    --request POST \
    http://127.0.0.1:8200/v1/sys/leases/tidy
 ```
+
+## Lease Counts
+
+This endpoint returns the total count of a `type` of lease, as well as a count
+per mount point. Note that it currently only supports type "irrevocable".
+
+This can help determine if particular endpoints are disproportionately
+resulting in irrevocable leases.
+
+This endpoint was added in Vault 1.8.
+
+### Parameters
+
+- `type` (string: <required>) - Specifies the type of lease.
+- `include_child_namespaces` (bool: false) - Specifies if leases in child
+    namespaces should be included in the result.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `GET`  | `/sys/leases/count`|
+
+### Sample Request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request GET \
+    http://127.0.0.1:8200/v1/sys/leases/count \
+    -d type=irrevocable
+```
+
+## Leases List
+
+This endpoint returns the total count of a `type` of lease, as well as a list
+of leases per mount point. Note that it currently only supports type
+"irrevocable".
+
+This can help determine if particular endpoints or causes are disproportionately
+resulting in irrevocable leases.
+
+This endpoint was added in Vault 1.8.
+
+### Parameters
+
+- `type` (string: <required>) - Specifies the type of lease.
+- `include_child_namespaces` (bool: false) - Specifies if leases in child
+   namespaces should be included in the result
+- `limit` (string: "") - Specifies the maximum number of leases to return in a
+   request. To return all results, set to `none`. If not set, this API will
+   return a maximum of 10,000 leases. If not set to `none` and there exist more
+   leases than `limit`, the response will include a warning.
+
+| Method | Path          |
+| :----- | :------------ |
+| `GET`  | `/sys/leases` |
+
+### Sample Request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request GET \
+    http://127.0.0.1:8200/v1/sys/leases \
+    -d type=irrevocable
+```