* add foundation to allow enterprise edition to walk up from current namespace to root
* add sys/internal/ui/*-messages paths
* add tests for consume custom messages endpoints
* more tests and change structure of link parameter
* add error when multiple links are provided for a custom message
* Fix UI when editing database roles
When using a database role the UI will try to update the database connection
associated to the role. This is to make sure that the role is allowed to
use this connection:
async _updateAllowedRoles(store, { role, backend, db, type = 'add' }) {
const connection = await store.queryRecord('database/connection', { backend, id: db });
const roles = [...connection.allowed_roles];
const allowedRoles = type === 'add' ? addToArray([roles, role]) : removeFromArray([roles, role]);
connection.allowed_roles = allowedRoles;
return connection.save();
},
async createRecord(store, type, snapshot) {
const serializer = store.serializerFor(type.modelName);
const data = serializer.serialize(snapshot);
const roleType = snapshot.attr('type');
const backend = snapshot.attr('backend');
const id = snapshot.attr('name');
const db = snapshot.attr('database');
try {
await this._updateAllowedRoles(store, {
role: id,
backend,
db: db[0],
});
} catch (e) {
throw new Error('Could not update allowed roles for selected database. Check Vault logs for details');
}
return this.ajax(this.urlFor(backend, id, roleType), 'POST', { data }).then(() => {
// ember data doesn't like 204s if it's not a DELETE
return {
data: assign({}, data, { id }),
};
});
},
This is intended to help the administrator as the role will only work if
it is allowed by the database connection.
This is however an issue if the person doing the update does not have
the permission to update the connection: they will not be able to use
the UI to update the role even though they have the appropriate permissions
to do so (using the CLI or the API will work for example).
This is often the case when the database connections are created by a
centralized system but a human operator needs to create the roles.
You can try this with the following test case:
$ cat main.tf
resource "vault_auth_backend" "userpass" {
type = "userpass"
}
resource "vault_generic_endpoint" "alice" {
depends_on = [vault_auth_backend.userpass]
path = "auth/userpass/users/alice"
ignore_absent_fields = true
data_json = jsonencode({
"policies" : ["root"],
"password" : "alice"
})
}
data "vault_policy_document" "db_admin" {
rule {
path = "database/roles/*"
capabilities = ["create", "read", "update", "delete", "list"]
}
}
resource "vault_policy" "db_admin" {
name = "db-admin"
policy = data.vault_policy_document.db_admin.hcl
}
resource "vault_generic_endpoint" "bob" {
depends_on = [vault_auth_backend.userpass]
path = "auth/userpass/users/bob"
ignore_absent_fields = true
data_json = jsonencode({
"policies" : [vault_policy.db_admin.name],
"password" : "bob"
})
}
resource "vault_mount" "db" {
path = "database"
type = "database"
}
resource "vault_database_secret_backend_connection" "postgres" {
backend = vault_mount.db.path
name = "postgres"
allowed_roles = ["*"]
verify_connection = false
postgresql {
connection_url = "postgres://username:password@localhost/database"
}
}
$ terraform apply --auto-approve
then using bob to create a role associated to the `postgres` connection.
This patch changes the way the UI does the update: it still tries to
update the database connection but if it fails to do so because it does not
have the permission it just silently skip this part and updates the role.
This also update the error message returned to the user in case of issues
to include the actual errors.
* Add changelog
* Also ignore error when deleting a role
* Address code review comments
---------
Co-authored-by: Chelsea Shaw <82459713+hashishaw@users.noreply.github.com>
* update header to refer to destination name
* teeny design improvements VAULT-22943
* update azure model attrs
* remove padding, add destination type to description VAULT-22930 VAULT-22943
* fix overview popupmenu nav to sync secrets VAULT-22944
* update sync banner, hyperlink secret
* redirect when all destinations are deleted VAULT-22945
* add keyVaultUri to credentials for editing
* fix extra space and test for sync banner
* use localName to get dynamic route section to fix pagination transition error
* add copy header remove duplicate app type
* add cloud param to azure mirage destination
* add comments
* enter line
* conditionally render view synced secrets button
* revert pagination route change
* combine buttons and add logic for args
* rename to route
* remove model arg
I have an upcoming PR for event notifications that needs similar
exponential backoff logic, and I prefer the API and logic in the
auto-auth exponential backoff rather than that of
github.com/cenkalti/backoff/v3.
This does have a small behavior change: the auto-auth min backoff
will now be randomly reduced by up to 25% on the first call. This is
a desirable property to avoid thundering herd problems, where a bunch
of agents won't all try have the same retry timeout.
* include all destomatopm types in list filter VAULT-22916
* move refresh list and clear dataset to finally VAULT-22917
* make empty state link prettier;
* update empty state message to show display name
* update tests
* wrap create destination CTA in enterprise conditional
* include link in p tag
* Update audit.mdx
Per the discussion here: https://hashicorp.enterprise.slack.com/archives/CPEPB6WRL/p1656678311708759
This parameter does not apply to DR replication.
This document should specify that the `local` parameter only applies to performance replication because even with this enabled the audit device configuration is still replicated to a DR cluster. This is also the expected and desired behavior.
* Fixed typos
---------
Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
* make end_time, type, and authenticated optional parameters
authenticated will default to true
type will default to banner
end_time will be nil if not provided meaning it remains active forever
* improve method names
* add some go docs for functions that don't have any
---------
Co-authored-by: Peter Wilson <peter.wilson@hashicorp.com>
