Difference between setting a mount's TTL and writing to mount/config/lease


Francis Chuang

Jun 19, 2016, 8:31:24 PM
to Vault
What is the difference between setting the TTLs using the following methods?

$ vault mount -path=mysql -default-lease-ttl=1h -max-lease-ttl=3h mysql

$ vault mount -path=mysql2 mysql
$ vault write mysql2/config/lease lease=1h lease_max=3h

Cheers,
Francis

Jeff Mitchell

Jun 20, 2016, 9:51:47 AM
to vault...@googlegroups.com
Hi Francis,

The first is a quick alias for mount-tune (rather than requiring
mounting and *then* tuning). This sets options on the mount itself,
rather than within the mount's configuration.

Generally speaking, for the default TTLs, values set within mount
configuration have precedence over values set on the mount itself
which has precedence over global defaults set within Vault's
configuration.

Max TTLs work a little differently. The highest precedence in terms of
the actual maximum value is the tuned value set on the mount itself if
set; if not, it defaults to the global max. The mount-tuned max can be
longer than the global default max, but a given mount's configuration
can only lessen this value, not expand it further.

Best,
Jeff

Francis Chuang

Jun 20, 2016, 6:59:00 PM
to Vault
Hey Jeff,

Thanks for answering my question.

By "within the mount", do you mean the tuned value set using `vault tune` and `vault mount -default-lease-ttl=1h -max-lease-ttl=3h`?

By "on the mount" do you mean the config written to `mysql/config/lease`?

Is there any particular reason why there are 2 ways of setting the TTLs, rather than standardizing on the tuned values (-default-lease-ttl and -max-lease-ttl)?

Jeff Mitchell

Jun 20, 2016, 8:00:48 PM
to vault...@googlegroups.com
On Mon, Jun 20, 2016 at 6:59 PM, Francis Chuang <f21.g...@gmail.com> wrote:
> Hey Jeff,
>
> Thanks for answering my question.
>
> By "within the mount", do you mean the tuned value set using `vault tune`
> and `vault mount -default-lease-ttl=1h -max-lease-ttl=3h`
>
> By "on the mount" do you mean the config written to `mysql/config/lease`?

Nope -- the opposite! By "within" I meant "contained within", as in,
if you think about the tuned values being part of the mount
configuration wrapping the actual mount itself, the values contained
within are part of that specific instance's configuration.

> Is there any particular reason why there are 2 ways of setting the TTLs,
> rather than standardizing on the tuned values (-default-lease-ttl and
> -max-lease-ttl)?

Yes -- because this gives more granularity. For instance, some
backends let you specify the TTLs as part of a role definition, so
that you can have many roles within the single mount but at
issue/renewal time look up the correct values to use for the
associated role. Otherwise you'd have to have multiple mounts just to
do this. The tuned values provide both defaults and, in the case of
the max, a hard limit past which the role values cannot go. So an
administrator can say "you can do whatever you like in terms of who
you give access to, when, for how long -- but you cannot go past 24
days no matter what".

Best,
Jeff
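A small model of the precedence rules Jeff lays out in his two replies, written for this thread as an added example (it is not Vault's own code). The three layers are global config, the mount-tuned values, and the mount's config/lease; that the resolved default is additionally capped by the effective max is my assumption, not something stated above.

```go
package main

import (
	"fmt"
	"time"
)

// A zero Duration means "not set" at that layer.
type GlobalConfig struct{ DefaultLeaseTTL, MaxLeaseTTL time.Duration }
type MountTune struct{ DefaultLeaseTTL, MaxLeaseTTL time.Duration } // vault mount -default-lease-ttl/-max-lease-ttl
type MountLeaseConfig struct{ Lease, LeaseMax time.Duration }       // vault write <mount>/config/lease

// EffectiveMaxTTL: the tuned max wins if set, otherwise the global max.
// The mount's own lease_max may only lower that limit, never raise it.
func EffectiveMaxTTL(g GlobalConfig, t MountTune, c MountLeaseConfig) time.Duration {
	limit := g.MaxLeaseTTL
	if t.MaxLeaseTTL > 0 {
		limit = t.MaxLeaseTTL
	}
	if c.LeaseMax > 0 && c.LeaseMax < limit {
		limit = c.LeaseMax
	}
	return limit
}

// EffectiveDefaultTTL: mount config > tuned value > global default,
// then clamped to the effective max (assumed, see lead-in).
func EffectiveDefaultTTL(g GlobalConfig, t MountTune, c MountLeaseConfig) time.Duration {
	d := g.DefaultLeaseTTL
	if t.DefaultLeaseTTL > 0 {
		d = t.DefaultLeaseTTL
	}
	if c.Lease > 0 {
		d = c.Lease
	}
	if limit := EffectiveMaxTTL(g, t, c); d > limit {
		d = limit
	}
	return d
}

func main() {
	// Constructed global defaults for illustration (30 days).
	global := GlobalConfig{DefaultLeaseTTL: 720 * time.Hour, MaxLeaseTTL: 720 * time.Hour}
	// mysql: tuned at mount time, no config/lease written.
	fmt.Println(EffectiveDefaultTTL(global, MountTune{time.Hour, 3 * time.Hour}, MountLeaseConfig{}))
	// mysql2: tuned max of 2h, config/lease asks for 3h; the tuned max still caps it.
	fmt.Println(EffectiveMaxTTL(global, MountTune{MaxLeaseTTL: 2 * time.Hour}, MountLeaseConfig{time.Hour, 3 * time.Hour}))
}
```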

Francis Chuang

Jun 20, 2016, 8:26:22 PM
to Vault
That makes a lot of sense!

Thanks again!
Francis