Vault writes to secondary cluster


PJ

Jan 3, 2018, 8:03:52 PM
to Vault
In the case of performance replication, as far as I understand from the docs, the replication between two clusters is managed by Vault, not by the underlying storage backend. So if that's true, is the secondary configured in such a way that it accepts writes from the primary Vault only, since by default it is a read-only cluster? If yes, how is this configured: based on the JWT or IP address mapping?

Jeff Mitchell

Jan 3, 2018, 9:01:37 PM
to Vault
Hi PJ,

The JWT used to activate secondaries for replication is a specialized wrapping token that contains, among other things, a private key that is used for mutual TLS with the primary. The key is covered during transport due to being behind a wrapping token, and once installed in the secondary it is stored encrypted behind its barrier. As such it is not reliant on either the JWT value (after the unwrap, which then revokes the token) or the IP address of the primary/secondary.

Best,
Jeff

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/af7598ff-657c-4fec-9c13-46c852737194%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Pushkar Joglekar

Jan 3, 2018, 9:10:38 PM
to vault...@googlegroups.com
That helps, Jeff. However, I still don't understand how a secondary cluster knows that a write request is actually coming from the primary server and not from any random server. It seems like it would need to differentiate the source of the write request some way or the other.

Jeff Mitchell

Jan 3, 2018, 9:17:24 PM
to Vault
Hi Pushkar,

The primary and secondary do not communicate through Vault's public API. They communicate via a totally separate connection that uses an RPC system and operates more or less on a state machine. This connection is protected by the mutual TLS setup I mentioned earlier. The secondary can therefore be given commands to process writes via a totally different control path than the API.

Best,
Jeff

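The mutual TLS gate Jeff describes is what lets a secondary tell the real primary from "any random server": the secondary's replication listener demands a client certificate and verifies it against the replication CA, so a caller is identified by the key it holds rather than by a token value or an IP address. The following is an added example, not Vault's replication code; it uses only the Go standard library, and the helper names (issueCert, startSecondary, Attempt, Scenario) and certificate names are assumptions for the demo. The wrapping-token delivery of the private key and Vault's RPC framing are not modeled; the block only shows the listener's accept/reject decision for a caller with the CA-issued certificate, a self-signed impersonator, and a caller with no certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Constructed demo helpers (hypothetical names), not Vault's own code.
var serial int64 // increasing serial for the demo certificates

// issueCert makes an ECDSA key and a certificate signed by parent/parentKey
// (self-signed when parent is nil). Leaves carry both TLS roles for brevity.
func issueCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func tlsCert(c *x509.Certificate, k *ecdsa.PrivateKey) tls.Certificate {
	return tls.Certificate{Certificate: [][]byte{c.Raw}, PrivateKey: k, Leaf: c}
}

// startSecondary opens the "replication" listener: it requires a client
// certificate and verifies it against the replication CA alone.
func startSecondary(ca *x509.Certificate, serverCert tls.Certificate) (net.Listener, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS12,
	})
}

// Attempt connects to the secondary presenting clientCerts (possibly none) and
// reports the secondary's decision: the authenticated peer CN, or the error the
// secondary raised while verifying the caller.
func Attempt(ln net.Listener, ca *x509.Certificate, clientCerts []tls.Certificate) (string, error) {
	type outcome struct {
		cn  string
		err error
	}
	done := make(chan outcome, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			done <- outcome{"", err}
			return
		}
		defer c.Close()
		tc := c.(*tls.Conn)
		if err := tc.Handshake(); err != nil {
			done <- outcome{"", err}
			return
		}
		done <- outcome{tc.ConnectionState().PeerCertificates[0].Subject.CommonName, nil}
	}()
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	c, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{Certificates: clientCerts, RootCAs: pool, MinVersion: tls.VersionTLS12})
	if err == nil {
		// Under TLS 1.3 the client's handshake finishes before the server has
		// checked its certificate; a Read surfaces the server's verdict.
		c.Read(make([]byte, 1))
		c.Close()
	}
	o := <-done
	return o.cn, o.err
}

// Result records what the secondary decided for each caller.
type Result struct {
	PrimaryCN      string // CN the secondary authenticated for the real primary
	RogueRejected  bool   // self-signed impersonator claiming CN "primary" refused
	NoCertRejected bool   // caller presenting no certificate refused
}

// Scenario builds a replication CA, issues the secondary's listener certificate
// and the primary's client certificate from it, then exercises three callers.
func Scenario() (Result, error) {
	ca, caKey, err := issueCert("replication-ca", true, nil, nil)
	if err != nil {
		return Result{}, err
	}
	secCert, secKey, err := issueCert("secondary", false, ca, caKey)
	if err != nil {
		return Result{}, err
	}
	priCert, priKey, err := issueCert("primary", false, ca, caKey)
	if err != nil {
		return Result{}, err
	}
	rogueCert, rogueKey, err := issueCert("primary", false, nil, nil) // same CN, wrong issuer
	if err != nil {
		return Result{}, err
	}
	ln, err := startSecondary(ca, tlsCert(secCert, secKey))
	if err != nil {
		return Result{}, err
	}
	defer ln.Close()
	var r Result
	if r.PrimaryCN, err = Attempt(ln, ca, []tls.Certificate{tlsCert(priCert, priKey)}); err != nil {
		return Result{}, err
	}
	_, rerr := Attempt(ln, ca, []tls.Certificate{tlsCert(rogueCert, rogueKey)})
	r.RogueRejected = rerr != nil
	_, nerr := Attempt(ln, ca, nil)
	r.NoCertRejected = nerr != nil
	return r, nil
}

func main() {
	r, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The point to take from the scenario is that the impersonator's certificate is well-formed and even claims the same CN; it is refused purely because it does not chain to the CA the secondary trusts, which is why the secondary does not need to pin IP addresses or re-check the activation JWT.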