From 73b007d75c5118b90f0612fcf55e94c8b2760651 Mon Sep 17 00:00:00 2001 From: divyapola5 Date: Tue, 23 Nov 2021 12:43:26 -0600 Subject: [PATCH 1/6] CLI changes for new mount tune config parameter allowed_managed_keys --- command/auth_enable.go | 12 ++++++++++++ command/auth_enable_test.go | 4 ++++ command/auth_tune.go | 12 ++++++++++++ command/auth_tune_test.go | 4 ++++ command/commands.go | 2 ++ command/secrets_enable.go | 12 ++++++++++++ command/secrets_enable_test.go | 4 ++++ command/secrets_tune.go | 12 ++++++++++++ command/secrets_tune_test.go | 4 ++++ website/content/docs/commands/auth/enable.mdx | 4 ++++ website/content/docs/commands/auth/tune.mdx | 4 ++++ website/content/docs/commands/secrets/enable.mdx | 4 ++++ website/content/docs/commands/secrets/tune.mdx | 6 +++++- 13 files changed, 83 insertions(+), 1 deletion(-) diff --git a/command/auth_enable.go b/command/auth_enable.go index eb12589c4417..fd749ff7300b 100644 --- a/command/auth_enable.go +++ b/command/auth_enable.go @@ -37,6 +37,7 @@ type AuthEnableCommand struct { flagExternalEntropyAccess bool flagTokenType string flagVersion int + flagAllowedManagedKeys []string } func (c *AuthEnableCommand) Synopsis() string { @@ -199,6 +200,13 @@ func (c *AuthEnableCommand) Flags() *FlagSets { Usage: "Select the version of the auth method to run. Not supported by all auth methods.", }) + f.StringSliceVar(&StringSliceVar{ + Name: flagNameAllowedManagedKeys, + Target: &c.flagAllowedManagedKeys, + Usage: "Comma-separated string or list of keys that will not be HMAC'd by audit " + + "devices in the request data object.", + }) + return set } @@ -298,6 +306,10 @@ func (c *AuthEnableCommand) Run(args []string) int { if fl.Name == flagNameTokenType { authOpts.Config.TokenType = c.flagTokenType } + + if fl.Name == flagNameAllowedManagedKeys { + authOpts.Config.AllowedManagedKeys = c.flagAllowedManagedKeys + } }) if err := client.Sys().EnableAuthWithOptions(authPath, authOpts); err != nil { 
diff --git a/command/auth_enable_test.go b/command/auth_enable_test.go index 0cc125fc9756..34affc91cb0a 100644 --- a/command/auth_enable_test.go +++ b/command/auth_enable_test.go @@ -92,6 +92,7 @@ func TestAuthEnableCommand_Run(t *testing.T) { "-passthrough-request-headers", "authorization,authentication", "-passthrough-request-headers", "www-authentication", "-allowed-response-headers", "authorization", + "-allowed-managed-keys", "key1,key2", "-listing-visibility", "unauth", "userpass", }) @@ -132,6 +133,9 @@ func TestAuthEnableCommand_Run(t *testing.T) { if diff := deep.Equal([]string{"foo,bar"}, authInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 { t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys. Difference is: %v", diff) } + if diff := deep.Equal([]string{"key1,key2"}, authInfo.Config.AllowedManagedKeys); len(diff) > 0 { + t.Errorf("Failed to find expected values in AllowedManagedKeys. Difference is: %v", diff) + } }) t.Run("communication_failure", func(t *testing.T) { diff --git a/command/auth_tune.go b/command/auth_tune.go index a3ad65579cdc..7bd30169d154 100644 --- a/command/auth_tune.go +++ b/command/auth_tune.go @@ -31,6 +31,7 @@ type AuthTuneCommand struct { flagOptions map[string]string flagTokenType string flagVersion int + flagAllowedManagedKeys []string } func (c *AuthTuneCommand) Synopsis() string { @@ -144,6 +145,13 @@ func (c *AuthTuneCommand) Flags() *FlagSets { Usage: "Select the version of the auth method to run. Not supported by all auth methods.", }) + f.StringSliceVar(&StringSliceVar{ + Name: flagNameAllowedManagedKeys, + Target: &c.flagAllowedManagedKeys, + Usage: "Comma-separated string or list of keys that will not be HMAC'd by audit " + + "devices in the request data object.", + }) + return set } 
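Review bot: In auth_enable_test.go the new assertion `deep.Equal([]string{"key1,key2"}, authInfo.Config.AllowedManagedKeys)` expects the comma-joined argument to come back as one entry named `key1,key2`, so the test never shows two managed keys being allowed on a mount. Since this list decides which managed keys a mount may use, the multi-key case is the one worth pinning. Pass the flag twice, `"-allowed-managed-keys", "key1", "-allowed-managed-keys", "key2",`, as the `-passthrough-request-headers` arguments in the same call already do, and presumably expect `[]string{"key1", "key2"}`. The same single-entry assertion is added in auth_tune_test.go, secrets_enable_test.go and secrets_tune_test.go; all four test functions start and end outside their hunks.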
@@ -221,6 +229,10 @@ func (c *AuthTuneCommand) Run(args []string) int { if fl.Name == flagNameTokenType { mountConfigInput.TokenType = c.flagTokenType } + + if fl.Name == flagNameAllowedManagedKeys { + mountConfigInput.AllowedManagedKeys = c.flagAllowedManagedKeys + } }) // Append /auth (since that's where auths live) and a trailing slash to diff --git a/command/auth_tune_test.go b/command/auth_tune_test.go index 227330ea774e..782bce2ed605 100644 --- a/command/auth_tune_test.go +++ b/command/auth_tune_test.go @@ -96,6 +96,7 @@ func TestAuthTuneCommand_Run(t *testing.T) { "-passthrough-request-headers", "authorization", "-passthrough-request-headers", "www-authentication", "-allowed-response-headers", "authorization,www-authentication", + "-allowed-managed-keys", "key1,key2", "-listing-visibility", "unauth", "my-auth/", }) @@ -142,6 +143,9 @@ func TestAuthTuneCommand_Run(t *testing.T) { if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 { t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys. Difference is: %v", diff) } + if diff := deep.Equal([]string{"key1,key2"}, mountInfo.Config.AllowedManagedKeys); len(diff) > 0 { + t.Errorf("Failed to find expected values in AllowedManagedKeys. Difference is: %v", diff) + } }) t.Run("flags_description", func(t *testing.T) { diff --git a/command/commands.go b/command/commands.go index dc08c4a74675..5e19c45fffca 100644 --- a/command/commands.go +++ b/command/commands.go @@ -116,6 +116,8 @@ const ( flagNameAllowedResponseHeaders = "allowed-response-headers" // flagNameTokenType is the flag name used to force a specific token type flagNameTokenType = "token-type" + // flagNameAllowedManagedKeys is the flag name used for auth/secrets enable + flagNameAllowedManagedKeys = "allowed-managed-keys" ) var ( diff --git a/command/secrets_enable.go b/command/secrets_enable.go index cb4671ba3943..f4faedaca763 100644 --- a/command/secrets_enable.go 
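Review bot: The comment added in commands.go, `// flagNameAllowedManagedKeys is the flag name used for auth/secrets enable`, says where the flag is registered rather than what it controls. It is also incomplete within this patch, which registers the flag in auth_tune.go and secrets_tune.go as well. The neighbouring `flagNameTokenType` comment describes purpose; following that, I would write `// flagNameAllowedManagedKeys is the flag name used to list the managed keys a mount is allowed to access`. The const block starts and ends outside the hunk.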
+++ b/command/secrets_enable.go @@ -37,6 +37,7 @@ type SecretsEnableCommand struct { flagSealWrap bool flagExternalEntropyAccess bool flagVersion int + flagAllowedManagedKeys []string } func (c *SecretsEnableCommand) Synopsis() string { @@ -209,6 +210,13 @@ func (c *SecretsEnableCommand) Flags() *FlagSets { Usage: "Select the version of the engine to run. Not supported by all engines.", }) + f.StringSliceVar(&StringSliceVar{ + Name: flagNameAllowedManagedKeys, + Target: &c.flagAllowedManagedKeys, + Usage: "Comma-separated string or list of keys that will not be HMAC'd by audit " + + "devices in the request data object.", + }) + return set } @@ -307,6 +315,10 @@ func (c *SecretsEnableCommand) Run(args []string) int { if fl.Name == flagNameAllowedResponseHeaders { mountInput.Config.AllowedResponseHeaders = c.flagAllowedResponseHeaders } + + if fl.Name == flagNameAllowedManagedKeys { + mountInput.Config.AllowedManagedKeys = c.flagAllowedManagedKeys + } }) if err := client.Sys().Mount(mountPath, mountInput); err != nil { diff --git a/command/secrets_enable_test.go b/command/secrets_enable_test.go index bcc581a4e108..f5a54a8cc8da 100644 --- a/command/secrets_enable_test.go +++ b/command/secrets_enable_test.go @@ -113,6 +113,7 @@ func TestSecretsEnableCommand_Run(t *testing.T) { "-passthrough-request-headers", "authorization,authentication", "-passthrough-request-headers", "www-authentication", "-allowed-response-headers", "authorization", + "-allowed-managed-keys", "key1,key2", "-force-no-cache", "pki", }) @@ -162,6 +163,9 @@ func TestSecretsEnableCommand_Run(t *testing.T) { if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 { t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys. Difference is: %v", diff) } + if diff := deep.Equal([]string{"key1,key2"}, mountInfo.Config.AllowedManagedKeys); len(diff) > 0 { + t.Errorf("Failed to find expected values in AllowedManagedKeys. Difference is: %v", diff) + } }) 
diff --git a/command/secrets_tune.go b/command/secrets_tune.go index a7883a618cd0..688e8d1710c3 100644 --- a/command/secrets_tune.go +++ b/command/secrets_tune.go @@ -30,6 +30,7 @@ type SecretsTuneCommand struct { flagAllowedResponseHeaders []string flagOptions map[string]string flagVersion int + flagAllowedManagedKeys []string } func (c *SecretsTuneCommand) Synopsis() string { @@ -137,6 +138,13 @@ func (c *SecretsTuneCommand) Flags() *FlagSets { Usage: "Select the version of the engine to run. Not supported by all engines.", }) + f.StringSliceVar(&StringSliceVar{ + Name: flagNameAllowedManagedKeys, + Target: &c.flagAllowedManagedKeys, + Usage: "Comma-separated string or list of keys that will not be HMAC'd by audit " + + "devices in the request data object.", + }) + return set } @@ -213,6 +221,10 @@ func (c *SecretsTuneCommand) Run(args []string) int { if fl.Name == flagNameAllowedResponseHeaders { mountConfigInput.AllowedResponseHeaders = c.flagAllowedResponseHeaders } + + if fl.Name == flagNameAllowedManagedKeys { + mountConfigInput.AllowedManagedKeys = c.flagAllowedManagedKeys + } }) if err := client.Sys().TuneMount(mountPath, mountConfigInput); err != nil { diff --git a/command/secrets_tune_test.go b/command/secrets_tune_test.go index de732873790e..f51b8fb34b78 100644 --- a/command/secrets_tune_test.go +++ b/command/secrets_tune_test.go @@ -170,6 +170,7 @@ func TestSecretsTuneCommand_Run(t *testing.T) { "-passthrough-request-headers", "authorization", "-passthrough-request-headers", "www-authentication", "-allowed-response-headers", "authorization,www-authentication", + "-allowed-managed-keys", "key1,key2", "-listing-visibility", "unauth", "mount_tune_integration/", }) 
@@ -216,6 +217,9 @@ func TestSecretsTuneCommand_Run(t *testing.T) { if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 { t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys. Difference is: %v", diff) } + if diff := deep.Equal([]string{"key1,key2"}, mountInfo.Config.AllowedManagedKeys); len(diff) > 0 { + t.Errorf("Failed to find expected values in AllowedManagedKeys. Difference is: %v", diff) + } }) t.Run("flags_description", func(t *testing.T) { diff --git a/website/content/docs/commands/auth/enable.mdx b/website/content/docs/commands/auth/enable.mdx index 7704c7bb9a3a..33169f1ca4da 100644 --- a/website/content/docs/commands/auth/enable.mdx +++ b/website/content/docs/commands/auth/enable.mdx @@ -83,3 +83,7 @@ flags](/docs/commands) included on all commands. - `-seal-wrap` `(bool: false)` - Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability. + +- `-allowed-managed-keys` `(string: "")` - Managed key registry entry name + that the mount in question is allowed to access. Note that multiple keys may be + specified by providing this option multiple times, each time with 1 key. diff --git a/website/content/docs/commands/auth/tune.mdx b/website/content/docs/commands/auth/tune.mdx index 6383ec108ca1..ad4c71308b31 100644 --- a/website/content/docs/commands/auth/tune.mdx +++ b/website/content/docs/commands/auth/tune.mdx @@ -83,3 +83,7 @@ flags](/docs/commands) included on all commands. - `-token-type` `(string: "")` - Specifies the type of tokens that should be returned by the auth method. Note that multiple keys may be specified by providing this option multiple times, each time with 1 key. + +- `-allowed-managed-keys` `(string: "")` - Managed key registry entry name + that the mount in question is allowed to access. Note that multiple keys may be + specified by providing this option multiple times, each time with 1 key. 
diff --git a/website/content/docs/commands/secrets/enable.mdx b/website/content/docs/commands/secrets/enable.mdx index ec8258b1270c..032069602a30 100644 --- a/website/content/docs/commands/secrets/enable.mdx +++ b/website/content/docs/commands/secrets/enable.mdx @@ -98,3 +98,7 @@ flags](/docs/commands) included on all commands. - `-allowed-response-headers` `(string: "")` - response header values that the secrets engine will be allowed to set. Note that multiple keys may be specified by providing this option multiple times, each time with 1 key. + +- `-allowed-managed-keys` `(string: "")` - Managed key registry entry name + that the mount in question is allowed to access. Note that multiple keys may be + specified by providing this option multiple times, each time with 1 key. diff --git a/website/content/docs/commands/secrets/tune.mdx b/website/content/docs/commands/secrets/tune.mdx index 96679d1e113c..c8afd8d417d3 100644 --- a/website/content/docs/commands/secrets/tune.mdx +++ b/website/content/docs/commands/secrets/tune.mdx @@ -2,7 +2,7 @@ layout: docs page_title: secrets tune - Command description: |- - The "secrets tune" command tunes the configuration options for the secrets engine at the given PATH. + The "secrets tune" command tunes the configuration options for the secrets engine at the given PATH. --- # secrets tune @@ -86,3 +86,7 @@ flags](/docs/commands) included on all commands. - `-passthrough-request-headers` `(string: "")` - request header values that will be sent to the secrets engine. Note that multiple keys may be specified by providing this option multiple times, each time with 1 key. + +- `-allowed-managed-keys` `(string: "")` - Managed key registry entry name + that the mount in question is allowed to access. Note that multiple keys may be + specified by providing this option multiple times, each time with 1 key. From 637314788a3526b667a6cc868d4058e67ad8ce19 Mon Sep 17 00:00:00 2001 
From: divyapola5 Date: Tue, 23 Nov 2021 12:47:23 -0600 Subject: [PATCH 2/6] Correct allowed_managed_keys description in auth and secrets --- command/auth_enable.go | 4 ++-- command/auth_tune.go | 4 ++-- command/secrets_enable.go | 4 ++-- command/secrets_tune.go | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/command/auth_enable.go b/command/auth_enable.go index fd749ff7300b..ef50850361ad 100644 --- a/command/auth_enable.go +++ b/command/auth_enable.go @@ -203,8 +203,8 @@ func (c *AuthEnableCommand) Flags() *FlagSets { f.StringSliceVar(&StringSliceVar{ Name: flagNameAllowedManagedKeys, Target: &c.flagAllowedManagedKeys, - Usage: "Comma-separated string or list of keys that will not be HMAC'd by audit " + - "devices in the request data object.", + Usage: "Comma-separated string or list of managed key registry entry names" + + "that the mount in question is allowed to access ", }) return set diff --git a/command/auth_tune.go b/command/auth_tune.go index 7bd30169d154..074d6dd46169 100644 --- a/command/auth_tune.go +++ b/command/auth_tune.go @@ -148,8 +148,8 @@ func (c *AuthTuneCommand) Flags() *FlagSets { f.StringSliceVar(&StringSliceVar{ Name: flagNameAllowedManagedKeys, Target: &c.flagAllowedManagedKeys, - Usage: "Comma-separated string or list of keys that will not be HMAC'd by audit " + - "devices in the request data object.", + Usage: "Comma-separated string or list of managed key registry entry names" + + "that the mount in question is allowed to access ", }) return set diff --git a/command/secrets_enable.go b/command/secrets_enable.go index f4faedaca763..f107349215de 100644 --- a/command/secrets_enable.go +++ b/command/secrets_enable.go 
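Review bot: The two string literals joined in the new `Usage` value in auth_enable.go have no space at the seam, so the help text reads `...registry entry namesthat the mount...`, and the second literal ends in a stray space instead of a period. I would change the lines to `Usage: "Comma-separated string or list of managed key registry entry names " +` and `"that the mount in question is allowed to access.",`. The same two lines are added in auth_tune.go, secrets_enable.go and secrets_tune.go in this patch. PATCH 3/6 repeats the slip in the secrets files (`allowed` + `to access`, `option` + `multiple`).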
@@ -213,8 +213,8 @@ func (c *SecretsEnableCommand) Flags() *FlagSets { f.StringSliceVar(&StringSliceVar{ Name: flagNameAllowedManagedKeys, Target: &c.flagAllowedManagedKeys, - Usage: "Comma-separated string or list of keys that will not be HMAC'd by audit " + - "devices in the request data object.", + Usage: "Comma-separated string or list of managed key registry entry names" + + "that the mount in question is allowed to access ", }) return set diff --git a/command/secrets_tune.go b/command/secrets_tune.go index 688e8d1710c3..b6e622571ff3 100644 --- a/command/secrets_tune.go +++ b/command/secrets_tune.go @@ -141,8 +141,8 @@ func (c *SecretsTuneCommand) Flags() *FlagSets { f.StringSliceVar(&StringSliceVar{ Name: flagNameAllowedManagedKeys, Target: &c.flagAllowedManagedKeys, - Usage: "Comma-separated string or list of keys that will not be HMAC'd by audit " + - "devices in the request data object.", + Usage: "Comma-separated string or list of managed key registry entry names" + + "that the mount in question is allowed to access ", }) return set From 869604aaf2774f5834b38337c23c87417a1c0c2b Mon Sep 17 00:00:00 2001 From: divyapola5 Date: Mon, 6 Dec 2021 12:16:12 -0600 Subject: [PATCH 3/6] Documentation update for secrets and removed changes for auth --- command/auth_enable.go | 12 ------------ command/auth_enable_test.go | 4 ---- command/auth_tune.go | 12 ------------ command/auth_tune_test.go | 4 ---- command/secrets_enable.go | 5 +++-- command/secrets_tune.go | 5 +++-- 6 files changed, 6 insertions(+), 36 deletions(-) diff --git a/command/auth_enable.go b/command/auth_enable.go index ef50850361ad..eb12589c4417 100644 --- a/command/auth_enable.go +++ b/command/auth_enable.go @@ -37,7 +37,6 @@ type AuthEnableCommand struct { flagExternalEntropyAccess bool flagTokenType string flagVersion int - flagAllowedManagedKeys []string } func (c *AuthEnableCommand) Synopsis() string { 
@@ -200,13 +199,6 @@ func (c *AuthEnableCommand) Flags() *FlagSets { Usage: "Select the version of the auth method to run. Not supported by all auth methods.", }) - f.StringSliceVar(&StringSliceVar{ - Name: flagNameAllowedManagedKeys, - Target: &c.flagAllowedManagedKeys, - Usage: "Comma-separated string or list of managed key registry entry names" + - "that the mount in question is allowed to access ", - }) - return set } @@ -306,10 +298,6 @@ func (c *AuthEnableCommand) Run(args []string) int { if fl.Name == flagNameTokenType { authOpts.Config.TokenType = c.flagTokenType } - - if fl.Name == flagNameAllowedManagedKeys { - authOpts.Config.AllowedManagedKeys = c.flagAllowedManagedKeys - } }) if err := client.Sys().EnableAuthWithOptions(authPath, authOpts); err != nil { diff --git a/command/auth_enable_test.go b/command/auth_enable_test.go index 34affc91cb0a..0cc125fc9756 100644 --- a/command/auth_enable_test.go +++ b/command/auth_enable_test.go @@ -92,7 +92,6 @@ func TestAuthEnableCommand_Run(t *testing.T) { "-passthrough-request-headers", "authorization,authentication", "-passthrough-request-headers", "www-authentication", "-allowed-response-headers", "authorization", - "-allowed-managed-keys", "key1,key2", "-listing-visibility", "unauth", "userpass", }) @@ -133,9 +132,6 @@ func TestAuthEnableCommand_Run(t *testing.T) { if diff := deep.Equal([]string{"foo,bar"}, authInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 { t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys. Difference is: %v", diff) } - if diff := deep.Equal([]string{"key1,key2"}, authInfo.Config.AllowedManagedKeys); len(diff) > 0 { - t.Errorf("Failed to find expected values in AllowedManagedKeys. Difference is: %v", diff) - } }) t.Run("communication_failure", func(t *testing.T) { diff --git a/command/auth_tune.go b/command/auth_tune.go index 074d6dd46169..a3ad65579cdc 100644 --- a/command/auth_tune.go +++ b/command/auth_tune.go 
@@ -31,7 +31,6 @@ type AuthTuneCommand struct { flagOptions map[string]string flagTokenType string flagVersion int - flagAllowedManagedKeys []string } func (c *AuthTuneCommand) Synopsis() string { @@ -145,13 +144,6 @@ func (c *AuthTuneCommand) Flags() *FlagSets { Usage: "Select the version of the auth method to run. Not supported by all auth methods.", }) - f.StringSliceVar(&StringSliceVar{ - Name: flagNameAllowedManagedKeys, - Target: &c.flagAllowedManagedKeys, - Usage: "Comma-separated string or list of managed key registry entry names" + - "that the mount in question is allowed to access ", - }) - return set } @@ -229,10 +221,6 @@ func (c *AuthTuneCommand) Run(args []string) int { if fl.Name == flagNameTokenType { mountConfigInput.TokenType = c.flagTokenType } - - if fl.Name == flagNameAllowedManagedKeys { - mountConfigInput.AllowedManagedKeys = c.flagAllowedManagedKeys - } }) // Append /auth (since that's where auths live) and a trailing slash to diff --git a/command/auth_tune_test.go b/command/auth_tune_test.go index 782bce2ed605..227330ea774e 100644 --- a/command/auth_tune_test.go +++ b/command/auth_tune_test.go @@ -96,7 +96,6 @@ func TestAuthTuneCommand_Run(t *testing.T) { "-passthrough-request-headers", "authorization", "-passthrough-request-headers", "www-authentication", "-allowed-response-headers", "authorization,www-authentication", - "-allowed-managed-keys", "key1,key2", "-listing-visibility", "unauth", "my-auth/", }) @@ -143,9 +142,6 @@ func TestAuthTuneCommand_Run(t *testing.T) { if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 { t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys. Difference is: %v", diff) } - if diff := deep.Equal([]string{"key1,key2"}, mountInfo.Config.AllowedManagedKeys); len(diff) > 0 { - t.Errorf("Failed to find expected values in AllowedManagedKeys. Difference is: %v", diff) - } }) t.Run("flags_description", func(t *testing.T) { 
diff --git a/command/secrets_enable.go b/command/secrets_enable.go index f107349215de..5373fd70e556 100644 --- a/command/secrets_enable.go +++ b/command/secrets_enable.go @@ -213,8 +213,9 @@ func (c *SecretsEnableCommand) Flags() *FlagSets { f.StringSliceVar(&StringSliceVar{ Name: flagNameAllowedManagedKeys, Target: &c.flagAllowedManagedKeys, - Usage: "Comma-separated string or list of managed key registry entry names" + - "that the mount in question is allowed to access ", + Usage: "Managed key registry entry name that the mount in question is allowed" + + "to access. Note that multiple keys may be specified by providing this option" + + "multiple times, each time with 1 key.", }) return set diff --git a/command/secrets_tune.go b/command/secrets_tune.go index b6e622571ff3..955e5c00da5e 100644 --- a/command/secrets_tune.go +++ b/command/secrets_tune.go @@ -141,8 +141,9 @@ func (c *SecretsTuneCommand) Flags() *FlagSets { f.StringSliceVar(&StringSliceVar{ Name: flagNameAllowedManagedKeys, Target: &c.flagAllowedManagedKeys, - Usage: "Comma-separated string or list of managed key registry entry names" + - "that the mount in question is allowed to access ", + Usage: "Managed key registry entry name that the mount in question is allowed" + + "to access. Note that multiple keys may be specified by providing this option" + + "multiple times, each time with 1 key.", }) return set From ae559a1e747600c94b5bd7ccbb67ceed2351ca61 Mon Sep 17 00:00:00 2001 From: divyapola5 Date: Mon, 6 Dec 2021 12:24:21 -0600 Subject: [PATCH 4/6] Add changelog and remove documentation changes for auth --- changelog/13255.txt | 3 +++ website/content/docs/commands/auth/enable.mdx | 4 ---- website/content/docs/commands/auth/tune.mdx | 4 ---- 3 files changed, 3 insertions(+), 8 deletions(-) create mode 100644 changelog/13255.txt diff --git a/changelog/13255.txt b/changelog/13255.txt new file mode 100644 index 000000000000..34d5d1375f37 --- /dev/null +++ b/changelog/13255.txt 
@@ -0,0 +1,3 @@ +```release-note:feature +secrets enable, secrets tune: Add `allowed_managed_keys` field which is a list of managed key registry entry names that the mount in question is allowed to access. +``` \ No newline at end of file diff --git a/website/content/docs/commands/auth/enable.mdx b/website/content/docs/commands/auth/enable.mdx index 33169f1ca4da..7704c7bb9a3a 100644 --- a/website/content/docs/commands/auth/enable.mdx +++ b/website/content/docs/commands/auth/enable.mdx @@ -83,7 +83,3 @@ flags](/docs/commands) included on all commands. - `-seal-wrap` `(bool: false)` - Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability. - -- `-allowed-managed-keys` `(string: "")` - Managed key registry entry name - that the mount in question is allowed to access. Note that multiple keys may be - specified by providing this option multiple times, each time with 1 key. diff --git a/website/content/docs/commands/auth/tune.mdx b/website/content/docs/commands/auth/tune.mdx index ad4c71308b31..6383ec108ca1 100644 --- a/website/content/docs/commands/auth/tune.mdx +++ b/website/content/docs/commands/auth/tune.mdx @@ -83,7 +83,3 @@ flags](/docs/commands) included on all commands. - `-token-type` `(string: "")` - Specifies the type of tokens that should be returned by the auth method. Note that multiple keys may be specified by providing this option multiple times, each time with 1 key. - -- `-allowed-managed-keys` `(string: "")` - Managed key registry entry name - that the mount in question is allowed to access. Note that multiple keys may be - specified by providing this option multiple times, each time with 1 key. From e80360e497360caefbf967966c3acf12bcd4d348 Mon Sep 17 00:00:00 2001 From: divyapola5 Date: Mon, 6 Dec 2021 15:39:13 -0600 Subject: [PATCH 5/6] removed changelog --- changelog/13255.txt | 3 --- 1 file changed, 3 deletions(-) delete mode 100644 changelog/13255.txt 
diff --git a/changelog/13255.txt b/changelog/13255.txt deleted file mode 100644 index 34d5d1375f37..000000000000 --- a/changelog/13255.txt +++ /dev/null @@ -1,3 +0,0 @@ -```release-note:feature -secrets enable, secrets tune: Add `allowed_managed_keys` field which is a list of managed key registry entry names that the mount in question is allowed to access. -``` \ No newline at end of file From bbdfc5edc3e139ff43ca6b1fbfa5116f555853a4 Mon Sep 17 00:00:00 2001 From: divyapola5 Date: Tue, 7 Dec 2021 15:56:17 -0600 Subject: [PATCH 6/6] Correct the field description --- command/secrets_enable.go | 7 ++++--- command/secrets_tune.go | 7 ++++--- website/content/docs/commands/secrets/enable.mdx | 7 ++++--- website/content/docs/commands/secrets/tune.mdx | 7 ++++--- 4 files changed, 16 insertions(+), 12 deletions(-) diff --git a/command/secrets_enable.go b/command/secrets_enable.go index 5373fd70e556..72b7b89b5585 100644 --- a/command/secrets_enable.go +++ b/command/secrets_enable.go @@ -213,9 +213,10 @@ func (c *SecretsEnableCommand) Flags() *FlagSets { f.StringSliceVar(&StringSliceVar{ Name: flagNameAllowedManagedKeys, Target: &c.flagAllowedManagedKeys, - Usage: "Managed key registry entry name that the mount in question is allowed" + - "to access. Note that multiple keys may be specified by providing this option" + - "multiple times, each time with 1 key.", + Usage: "Managed key name(s) that the mount in question is allowed to access. " + + "Note that multiple keys may be specified either by providing the key names " + + "as a comma separated string or by providing this option multiple times, " + + "each time with 1 key.", }) return set diff --git a/command/secrets_tune.go b/command/secrets_tune.go index 955e5c00da5e..3e20367ea6e0 100644 --- a/command/secrets_tune.go +++ b/command/secrets_tune.go 
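Review bot: The rewritten `Usage` text in secrets_enable.go tells operators that several keys can be given "as a comma separated string", but the assertion added to secrets_enable_test.go in PATCH 1/6 expects `-allowed-managed-keys key1,key2` to be stored as the single entry `key1,key2`. No hunk in this series changes how the flag value is parsed. If that test reflects the real behaviour, an operator following the help text ends up with one allow-list entry that matches neither key, which would presumably surface as an access failure on the mount rather than as a flag mistake. Either keep the earlier wording, `"Note that multiple keys may be specified by providing this option multiple times, each time with 1 key."`, or split the value before it is assigned in `Run` and update the tests to expect two entries. The same text is added to secrets_tune.go and to both secrets .mdx pages in this patch.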
@@ -141,9 +141,10 @@ func (c *SecretsTuneCommand) Flags() *FlagSets { f.StringSliceVar(&StringSliceVar{ Name: flagNameAllowedManagedKeys, Target: &c.flagAllowedManagedKeys, - Usage: "Managed key registry entry name that the mount in question is allowed" + - "to access. Note that multiple keys may be specified by providing this option" + - "multiple times, each time with 1 key.", + Usage: "Managed key name(s) that the mount in question is allowed to access. " + + "Note that multiple keys may be specified either by providing the key names " + + "as a comma separated string or by providing this option multiple times, " + + "each time with 1 key.", }) return set diff --git a/website/content/docs/commands/secrets/enable.mdx b/website/content/docs/commands/secrets/enable.mdx index 032069602a30..08ccd102dd6b 100644 --- a/website/content/docs/commands/secrets/enable.mdx +++ b/website/content/docs/commands/secrets/enable.mdx @@ -99,6 +99,7 @@ flags](/docs/commands) included on all commands. engine will be allowed to set. Note that multiple keys may be specified by providing this option multiple times, each time with 1 key. -- `-allowed-managed-keys` `(string: "")` - Managed key registry entry name - that the mount in question is allowed to access. Note that multiple keys may be - specified by providing this option multiple times, each time with 1 key. +- `-allowed-managed-keys` `(string: "")` - Managed key name(s) that the mount + in question is allowed to access. Note that multiple keys may be specified + either by providing the key names as a comma separated string or by providing + this option multiple times, each time with 1 key. diff --git a/website/content/docs/commands/secrets/tune.mdx b/website/content/docs/commands/secrets/tune.mdx index c8afd8d417d3..ef62765251b6 100644 --- a/website/content/docs/commands/secrets/tune.mdx +++ b/website/content/docs/commands/secrets/tune.mdx 
@@ -87,6 +87,7 @@ flags](/docs/commands) included on all commands. be sent to the secrets engine. Note that multiple keys may be specified by providing this option multiple times, each time with 1 key. -- `-allowed-managed-keys` `(string: "")` - Managed key registry entry name - that the mount in question is allowed to access. Note that multiple keys may be - specified by providing this option multiple times, each time with 1 key. +- `-allowed-managed-keys` `(string: "")` - Managed key name(s) that the mount + in question is allowed to access. Note that multiple keys may be specified + either by providing the key names as a comma separated string or by providing + this option multiple times, each time with 1 key.