Tags: openbao/openbao
Namespace aware policy store #1069 (#1106)

* Create required mounts when setting up namespace

When setting up namespaces, we're required to create additional mounts for sys/, identity/, cubbyhole/, and token/ within the namespace. Of these, cubbyhole is never persisted but is instead a dynamic mount, whereas the remainder exist in the underlying storage.

We don't yet handle the separation of these mounts' data by namespace; this will be handled in later updates to this branch. Many singleton stores like TokenStore and PolicyStore will need broader updates to align with the RFC's data storage model.

This was created during live-coding with @satoqz.

Signed-off-by: Alexander Scheel <ascheel@gitlab.com>

* policy_store_util.go moved to policy_store.go. Added tests covering loading and properly setting acl in namespaces

Signed-off-by: driif <andrii.fedorchuk@secretz.io>

* - Add automatic creation of 'default' and 'response-wrapping' policies when creating new namespaces
  - Fix ListPolicies to only return policies from the current namespace rather than collecting policies from all namespaces

Signed-off-by: driif <andrii.fedorchuk@secretz.io>

* added tests for list namespace policies

Signed-off-by: driif <andrii.fedorchuk@secretz.io>

* Revert changes to ListPoliciesWithPrefix function
  - Reverted previous modifications that risked breaking the LIST endpoint
  - Problem should be solved through namespace isolation instead
  - Proper fix will be implemented elsewhere without modifying list function

Signed-off-by: driif <andrii.fedorchuk@secretz.io>

* Fix namespace policy isolation
  - Rename createDefaultPolicies to loadDefaultPolicies
  - Add control-group policy (immutable, non-assignable)
  - Load control-group policy to root namespace
  - Update namespace path from namespace/ to namespaces/
  - Extend tests to verify control-group policy

Signed-off-by: driif <andrii.fedorchuk@secretz.io>

* Add method to load default policies in policy store. Enable reuse across the code base

Signed-off-by: driif <andrii.fedorchuk@secretz.io>

* - Remove unused aclView from PolicyStore
  - Use (*NamespaceEntry).View() as the sole source for ACL paths
  - Simplify view resolution logic in getACLView

Signed-off-by: driif <andrii.fedorchuk@secretz.io>

* - Assign namespace store after sealing/unsealing
  - Remove ns.ID check in getACLView since entry is fetched via accessor

Signed-off-by: driif <andrii.fedorchuk@secretz.io>

* improve namespace initialization structure and naming. Breaking down the initialization into separate concerns with dedicated functions:
  - initializeNamespacePolicies: handles loading default policies
  - createMounts: focuses specifically on mount creation
  - initializeNamespace - initializes Policies and Mounts

Signed-off-by: driif <andrii.fedorchuk@secretz.io>

* remove control group policies

Signed-off-by: driif <andrii.fedorchuk@secretz.io>

---------

Signed-off-by: Alexander Scheel <ascheel@gitlab.com>
Signed-off-by: driif <andrii.fedorchuk@secretz.io>
Signed-off-by: Andrii Fedorchuk <andrii.fedorchuk@secretz.io>
Co-authored-by: Alexander Scheel <ascheel@gitlab.com>
Bump ember-cli-deprecation-workflow from 2.1.0 to 3.2.0 in /ui (#1104) Bumps [ember-cli-deprecation-workflow](https://github.com/ember-cli/ember-cli-deprecation-workflow) from 2.1.0 to 3.2.0. - [Release notes](https://github.com/ember-cli/ember-cli-deprecation-workflow/releases) - [Changelog](https://github.com/ember-cli/ember-cli-deprecation-workflow/blob/main/CHANGELOG.md) - [Commits](https://github.com/ember-cli/ember-cli-deprecation-workflow/commits) --- updated-dependencies: - dependency-name: ember-cli-deprecation-workflow dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Release 2.2.0 (#1082) * remove timings of old CI runs when generating matrix For some reason they can contain invalid JSON which causes gotestsum to fail Signed-off-by: Jan Martens <jan@martens.eu.org> * Release 2.2.0 Signed-off-by: Jan Martens <jan@martens.eu.org> --------- Signed-off-by: Jan Martens <jan@martens.eu.org>
Minor docs improvements and chore (#1005) * chore: remove unreferenced hcp-v badge Signed-off-by: Michael Hofer <michael.hofer@secretz.io> * chore: use correct spelling for github and gitlab Signed-off-by: Michael Hofer <michael.hofer@secretz.io> * docs(upgrading): remove reference to vault in ha-upgrade file name Signed-off-by: Michael Hofer <michael.hofer@secretz.io> --------- Signed-off-by: Michael Hofer <michael.hofer@secretz.io>
Release v2.2.0 beta20250213 (#1003) * Update SDK version in root go.mod Signed-off-by: Alexander Scheel <ascheel@gitlab.com> * Add v2.2.0-beta20250213 to release notes, changelog Signed-off-by: Alexander Scheel <ascheel@gitlab.com> --------- Signed-off-by: Alexander Scheel <ascheel@gitlab.com>
Update go-kms-wrapping dependencies for release (#1002) Signed-off-by: Alexander Scheel <ascheel@gitlab.com>
Add detailed metadata list to KV (#766) * Add detailed metadata list to KV Allow KV to list detailed information about metadata keys. With paginated listing and transactional storage, this allows a single, consistent view of metadata (including `current_version`, which in turn gives a consistent view over all data). This incurs additional work (reading each entry) and thus is done under a new path to allow separate ACLing. Signed-off-by: Alexander Scheel <ascheel@gitlab.com> * Add changelog entry Signed-off-by: Alexander Scheel <ascheel@gitlab.com> * Add documentation Signed-off-by: Alexander Scheel <ascheel@gitlab.com> --------- Signed-off-by: Alexander Scheel <ascheel@gitlab.com>