🚀 Features
- Add a correct endpoint for CRL retrieving. GH-547
📚 Documentation
- Fixes close quotes in example usage of read_secret_version. GH-557
- Fixes typo in docs: much -> must. GH-555
🧰 Miscellaneous
- Don’t send optional parameters unless explicitly specified. GH-533
Note: GH-533 includes fundamental behavior changes involving the parameters sent in API requests to Vault. Many hvac method parameters that previously would have been sent with default arguments are no longer included in requests to Vault. Notably, the following behavioral changes should be expected (copied from the related PR comments):
Azure:
- CHANGED: `create_role` parameter `policies` now accepts CSV string or list of strings
Database:
- CHANGED: `create_role` documentation updated to something meaningful 🙃
GCP:
- `configure` parameter `google_certs_endpoint` is deprecated
- `create_role` parameter `project_id` is deprecated by `bound_projects` (list)
GitHub:
- `configure` is missing a lot of parameters
LDAP:
- CHANGED: `configure` parameters `user_dn` and `group_dn` made optional
  - Retained argument position to prevent being a breaking change
- CHANGED: `hvac/constants/ldap.py` file removed as it is no longer used
MFA:
- This entire endpoint is deprecated so I didn’t bother updating it
Okta:
- CHANGED: `configure` parameter `base_url` default value now differs from API documentation
  - This is likely just a documentation issue
- `register_user`, `read_user`, and `delete_user` duplicate URL parameter `username` in JSON payload
  - I left this one as-is as it doesn’t appear to hurt anything
- Ditto for `delete_group`, but `register_group` and `list_group` correctly omit it
PKI:
- CHANGED: `sign_data` and `verify_signed_data` optional parameter `marshaling_algorithm` added
RADIUS:
- `configure` is missing a lot of parameters
- BUG: `register_user` attempted to convert `username` string into a CSV list (?!) for POST data
  - Didn’t hurt anything as `username` is extracted from URL path in Vault server
- BUG: `register_user` parameter `policies` never actually passed as parameter
System Backend:
- Auth
  - `enable_auth_method` parameter `plugin_name` is deprecated
  - CHANGED: `enable_audit_device` optional parameter `local` was added
- Init
  - `initialize` provides default for required API parameters `secret_shares` and `secret_threshold`
- Key
  - `start_root_token_generation` parameter `otp` is deprecated
Misc:
- There seems to be some discrepancy on how “extra arguments” are accepted:
  - Some methods use only `**kwargs` (e.g. `hvac/api/system_backend/auth.py`)
  - Some use `*args` and `**kwargs` (e.g. `hvac/api/secrets_engines/active_directory.py`)
  - `hvac/api/secrets_engines/pki.py` uses `extra_params={}`
- Most argument names match API parameter names, but some don’t
  - Example: `hvac/api/auth_methods/ldap.py` `configure` uses `user_dn` instead of `userdn`
  - Example: `hvac/api/system_backend/auth.py` `configure` uses `method_type` instead of `type`
- Many methods duplicate URL parameters into JSON payload as well
  - This isn’t necessary and fortunately Vault ignores the extra parameters
- `ttl`, `max_ttl`, `policies`, `period`, `num_uses` and a few other fields are deprecated as of Vault version 1.2.0
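
The GH-533 behavior change described in the note above, sketched as an added example (not hvac's own code and not part of the original release notes). The function names, the legacy default values and the list form chosen for `policies` are assumptions made for illustration.

```python
# Added illustration of the GH-533 behavior; not hvac source code.
# Function names and the legacy default values below are constructed.


def remove_nones(params):
    """Drop unset (None) keys so Vault applies its own server-side defaults."""
    return {k: v for k, v in params.items() if v is not None}


def normalize_policies(policies):
    """Accept a CSV string or a list of strings; return a list of names."""
    if policies is None:
        return None
    if isinstance(policies, str):
        policies = policies.split(",")
    return [p.strip() for p in policies if p.strip()]


def ldap_configure_payload(url=None, user_dn=None, group_dn=None):
    """New style: only explicitly specified parameters reach the request body.

    The Python names user_dn/group_dn map to the API names userdn/groupdn.
    """
    return remove_nones({"url": url, "userdn": user_dn, "groupdn": group_dn})


def legacy_ldap_configure_payload(url="ldap://127.0.0.1", user_dn="", group_dn=""):
    """Old style: every parameter is sent, filled from client-side defaults."""
    return {"url": url, "userdn": user_dn, "groupdn": group_dn}


def no_longer_sent(**explicit):
    """API keys the old style sent from defaults that the new style omits."""
    old = legacy_ldap_configure_payload(**explicit)
    new = ldap_configure_payload(**explicit)
    return sorted(set(old) - set(new))


def role_payload(policies=None, ttl=None):
    """Role body where policies may arrive as CSV or list (list form assumed)."""
    return remove_nones({"policies": normalize_policies(policies), "ttl": ttl})


if __name__ == "__main__":
    print(ldap_configure_payload(url="ldaps://ldap.example.test"))
    print(no_longer_sent(url="ldaps://ldap.example.test"))
    print(role_payload(policies="dev, ops"), role_payload(policies=["dev", "ops"]))
```

Keys reported by `no_longer_sent` are the ones whose values now come from Vault's own defaults after upgrading, so call sites that relied on the client defaults are the ones to review.
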
Thanks to @findmyname666, @llamasoft, @moisesguimaraes, @philherbert and Adrian Eib for their lovely contributions.