%PDF- %PDF-
Mini Shell

Mini Shell

Direktori : /lib/python2.7/site-packages/salt/modules/
Upload File :
Create Path :
Current File : //lib/python2.7/site-packages/salt/modules/vault.pyo

�
���^c@@sqdZddlmZmZmZddlZeje�Zdd�Z
d�Zd�Zd�Z
d�ZdS(	u�
Functions to interact with Hashicorp Vault.

:maintainer:    SaltStack
:maturity:      new
:platform:      all


:note: If you see the following error, you'll need to upgrade ``requests`` to atleast 2.4.2

.. code-block:: text

    <timestamp> [salt.pillar][CRITICAL][14337] Pillar render error: Failed to load ext_pillar vault: {'error': "request() got an unexpected keyword argument 'json'"}


:configuration: The salt-master must be configured to allow peer-runner
    configuration, as well as configuration for the module.

    Add this segment to the master configuration file, or
    /etc/salt/master.d/vault.conf:

    .. code-block:: yaml

        vault:
            url: https://vault.service.domain:8200
            verify: /etc/ssl/certs/ca-certificates.crt
            role_name: minion_role
            auth:
                method: approle
                role_id: 11111111-2222-3333-4444-1111111111111
                secret_id: 11111111-1111-1111-1111-1111111111111
            policies:
                - saltstack/minions
                - saltstack/minion/{minion}
                .. more policies
            keys:
                - n63/TbrQuL3xaIW7ZZpuXj/tIfnK1/MbVxO4vT3wYD2A
                - S9OwCvMRhErEA4NVVELYBs6w/Me6+urgUr24xGK44Uy3
                - F1j4b7JKq850NS6Kboiy5laJ0xY8dWJvB3fcwA+SraYl
                - 1cYtvjKJNDVam9c7HNqJUfINk4PYyAXIpjkpN/sIuzPv
                - 3pPK5X6vGtwLhNOFv1U2elahECz3HpRUfNXJFYLw6lid

    url
        Url to your Vault installation. Required.

    verify
        For details please see
        http://docs.python-requests.org/en/master/user/advanced/#ssl-cert-verification

        .. versionadded:: 2018.3.0

    role_name
        Role name for minion tokens created. If omitted, minion tokens will be
        created without any role, thus being able to inherit any master token
        policy (including token creation capabilities). Optional.

        For details please see:
        https://www.vaultproject.io/api/auth/token/index.html#create-token
        Example configuration:
        https://www.nomadproject.io/docs/vault-integration/index.html#vault-token-role-configuration

    auth
        Currently only token and approle auth types are supported. Required.

        Approle is the preferred way to authenticate with Vault as it provide
        some advanced options to control authentication process.
        Please visit Vault documentation for more info:
        https://www.vaultproject.io/docs/auth/approle.html

        The token must be able to create tokens with the policies that should be
        assigned to minions.

        You can still use the token auth via a OS environment variable via this
        config example:

        .. code-block: yaml

           vault:
             url: https://vault.service.domain:8200
             auth:
               method: token
               token: sdb://osenv/VAULT_TOKEN
           osenv:
             driver: env

        And then export the VAULT_TOKEN variable in your OS:

        .. code-block: bash
           export VAULT_TOKEN=11111111-1111-1111-1111-1111111111111

    policies
        Policies that are assigned to minions when requesting a token. These can
        either be static, eg saltstack/minions, or templated, eg
        ``saltstack/minion/{minion}``. ``{minion}`` is shorthand for grains[id].
        Grains are also available, for example like this:
        ``my-policies/{grains[os]}``

        If a template contains a grain which evaluates to a list, it will be
        expanded into multiple policies. For example, given the template
        ``saltstack/by-role/{grains[roles]}``, and a minion having these grains:

        .. code-block: yaml

            grains:
                roles:
                    - web
                    - database

        The minion will have the policies ``saltstack/by-role/web`` and
        ``saltstack/by-role/database``. Note however that list members which do
        not have simple string representations, such as dictionaries or objects,
        do not work and will throw an exception. Strings and numbers are
        examples of types which work well.

        Optional. If policies is not configured, ``saltstack/minions`` and
        ``saltstack/{minion}`` are used as defaults.

    keys
        List of keys to use to unseal vault server with the vault.unseal runner.


    Add this segment to the master configuration file, or
    /etc/salt/master.d/peer_run.conf:

    .. code-block:: yaml

        peer_run:
            .*:
                - vault.generate_token

.. _vault-setup:
i(tabsolute_importtprint_functiontunicode_literalsNcC@s�tjdtd|�yjdj|�}tdd|�}|jdkrX|j�n|j�d}|d	k	r|||S|SWn0t	k
r�}tj
dt|�j|�d	SXd	S(
u�
    Return the value of key at path in vault, or entire secret

    Jinja Example:

    .. code-block:: jinja

        my-secret: {{ salt['vault'].read_secret('secret/my/secret', 'some-key') }}

    .. code-block:: jinja

        {% set supersecret = salt['vault'].read_secret('secret/my/secret') %}
        secrets:
            first: {{ supersecret.first }}
            second: {{ supersecret.second }}
    u!Reading Vault secret for %s at %suiduv1/{0}uvault.make_requestuGETi�udatauFailed to read secret! %s: %sN(
tlogtdebugt
__grains__tformatt	__utils__tstatus_codetraise_for_statustjsontNonet	Exceptionterrorttypet__name__(tpathtkeyturltresponsetdataterr((s6/usr/lib/python2.7/site-packages/salt/modules/vault.pytread_secret�s
cK@s�tjdtd|�tg|j�D]'\}}|jd�s'||f^q'�}yidj|�}tdd|d|�}|jdkr�|j	�d	S|jd
kr�|j
�ntSWn0tk
r�}tj
dt|�j|�tSXdS(
u�
    Set secret at the path in vault. The vault policy used must allow this.

    CLI Example:

    .. code-block:: bash

            salt '*' vault.write_secret "secret/my/secret" user="foo" password="bar"
    u"Writing vault secrets for %s at %suidu__uv1/{0}uvault.make_requestuPOSTR
i�udatai�uFailed to write secret! %s: %sN(RRRtdicttitemst
startswithRRRR
R	tTrueRR
RRtFalse(RtkwargstxtyRRRR((s6/usr/lib/python2.7/site-packages/salt/modules/vault.pytwrite_secret�s
@
cC@s�tjdtd|�yidj|�}tdd|d|�}|jdkr_|j�dS|jd	kr{|j�ntSWn0t	k
r�}tj
d
t|�j|�t
SXdS(u�
    Set raw data at the path in vault. The vault policy used must allow this.

    CLI Example:

    .. code-block:: bash

            salt '*' vault.write_raw "secret/my/secret" '{"user":"foo","password": "bar"}'
    u"Writing vault secrets for %s at %suiduv1/{0}uvault.make_requestuPOSTR
i�udatai�uFailed to write secret! %s: %sN(RRRRRRR
R	RRR
RRR(RtrawRRR((s6/usr/lib/python2.7/site-packages/salt/modules/vault.pyt	write_raw�s

cC@s�tjdtd|�yFdj|�}tdd|�}|jdkrX|j�ntSWn0tk
r�}tj	dt
|�j|�tSXdS(	u�
    Delete secret at the path in vault. The vault policy used must allow this.

    CLI Example:

    .. code-block:: bash

        salt '*' vault.delete_secret "secret/my/secret"
    u#Deleting vault secrets for %s in %suiduv1/{0}uvault.make_requestuDELETEi�uFailed to delete secret! %s: %sN(
RRRRRRR	RRR
RRR(RRRR((s6/usr/lib/python2.7/site-packages/salt/modules/vault.pyt
delete_secret�s

cC@s�tjdtd|�yPdj|�}tdd|�}|jdkrX|j�n|j�dSWn0tk
r�}tj	dt
|�j|�d	SXd	S(
u�
    List secret keys at the path in vault. The vault policy used must allow this.
    The path should end with a trailing slash.

    CLI Example:

    .. code-block:: bash

            salt '*' vault.list_secrets "secret/my/"
    u&Listing vault secret keys for %s in %suiduv1/{0}uvault.make_requestuLISTi�udatauFailed to list secrets! %s: %sN(
RRRRRRR	R
RR
RRR(RRRR((s6/usr/lib/python2.7/site-packages/salt/modules/vault.pytlist_secrets�s
(t__doc__t
__future__RRRtloggingt	getLoggerRRRRRR!R"R#(((s6/usr/lib/python2.7/site-packages/salt/modules/vault.pyt<module>�s!			

Zerion Mini Shell 1.0