Files
spring-cloud-static/Finchley.M6/multi/multi_vault.config.backends.database-backends.html
2018-02-12 11:22:47 -05:00

99 lines
22 KiB
HTML

<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>98.&nbsp;Database backends</title><link rel="stylesheet" type="text/css" href="css/manual-multipage.css"><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="multi_spring-cloud.html" title="Spring Cloud"><link rel="up" href="multi__spring_cloud_vault.html" title="Part&nbsp;XIII.&nbsp;Spring Cloud Vault"><link rel="prev" href="multi_vault.config.backends.html" title="97.&nbsp;Secret Backends"><link rel="next" href="multi_vault.config.backends.configurer.html" title="99.&nbsp;Configure PropertySourceLocator behavior"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">98.&nbsp;Database backends</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="multi_vault.config.backends.html">Prev</a>&nbsp;</td><th width="60%" align="center">Part&nbsp;XIII.&nbsp;Spring Cloud Vault</th><td width="20%" align="right">&nbsp;<a accesskey="n" href="multi_vault.config.backends.configurer.html">Next</a></td></tr></table><hr></div><div class="chapter"><div class="titlepage"><div><div><h2 class="title"><a name="vault.config.backends.database-backends" href="#vault.config.backends.database-backends"></a>98.&nbsp;Database backends</h2></div></div></div><p>Vault supports several database secret backends to generate database
credentials dynamically based on configured roles. This means
services that need to access a database no longer need to configure
credentials: they can request them from Vault, and use Vault&#8217;s leasing
mechanism to more easily roll keys.</p><p>Spring Cloud Vault integrates with these backends:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><a class="xref" href="multi_vault.config.backends.database-backends.html#vault.config.backends.database" title="98.1&nbsp;Database">Section&nbsp;98.1, &#8220;Database&#8221;</a></li><li class="listitem"><a class="xref" href="multi_vault.config.backends.database-backends.html#vault.config.backends.cassandra" title="98.2&nbsp;Apache Cassandra">Section&nbsp;98.2, &#8220;Apache Cassandra&#8221;</a></li><li class="listitem"><a class="xref" href="multi_vault.config.backends.database-backends.html#vault.config.backends.mongodb" title="98.3&nbsp;MongoDB">Section&nbsp;98.3, &#8220;MongoDB&#8221;</a></li><li class="listitem"><a class="xref" href="multi_vault.config.backends.database-backends.html#vault.config.backends.mysql" title="98.4&nbsp;MySQL">Section&nbsp;98.4, &#8220;MySQL&#8221;</a></li><li class="listitem"><a class="xref" href="multi_vault.config.backends.database-backends.html#vault.config.backends.postgresql" title="98.5&nbsp;PostgreSQL">Section&nbsp;98.5, &#8220;PostgreSQL&#8221;</a></li></ul></div><p>Using a database secret backend requires to enable the
backend in the configuration and the <code class="literal">spring-cloud-vault-config-databases</code>
dependency.</p><p>Vault ships since 0.7.1 with a dedicated <code class="literal">database</code> secret backend that allows
database integration via plugins. You can use that specific backend by using the
generic database backend. Make sure to specify the appropriate
backend path, e.g. <code class="literal">spring.cloud.vault.mysql.role.backend=database</code>.</p><div class="example"><a name="d0e25033" href="#d0e25033"></a><p class="title"><b>Example&nbsp;98.1.&nbsp;pom.xml</b></p><div class="example-contents"><pre class="programlisting"><span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag">&lt;dependencies&gt;</span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag">&lt;dependency&gt;</span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag">&lt;groupId&gt;</span>org.springframework.cloud<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag">&lt;/groupId&gt;</span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag">&lt;artifactId&gt;</span>spring-cloud-vault-config-databases<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag">&lt;/artifactId&gt;</span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag">&lt;version&gt;</span>Finchley.M6<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag">&lt;/version&gt;</span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag">&lt;/dependency&gt;</span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag">&lt;/dependencies&gt;</span></pre></div></div><br class="example-break"><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="images/note.png"></td><th align="left">Note</th></tr><tr><td align="left" valign="top"><p>Enabling multiple JDBC-compliant databases will generate credentials
and store them by default in the same property keys hence property names for
JDBC secrets need to be configured separately.</p></td></tr></table></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="vault.config.backends.database" href="#vault.config.backends.database"></a>98.1&nbsp;Database</h2></div></div></div><p>Spring Cloud Vault can obtain credentials for any database listed at
<a class="link" href="https://www.vaultproject.io/api/secret/databases/index.html" target="_top">https://www.vaultproject.io/api/secret/databases/index.html</a>.
The integration can be enabled by setting
<code class="literal">spring.cloud.vault.database.enabled=true</code> (default <code class="literal">false</code>) and
providing the role name with <code class="literal">spring.cloud.vault.database.role=&#8230;</code>.</p><p>While the database backend is a generic one, <code class="literal">spring.cloud.vault.database</code>
specifically targets JDBC databases. Username and password are
stored in <code class="literal">spring.datasource.username</code> and <code class="literal">spring.datasource.password</code>
so using Spring Boot will pick up the generated credentials
for your <code class="literal">DataSource</code> without further configuration.
You can configure the property names by setting
<code class="literal">spring.cloud.vault.database.username-property</code> and
<code class="literal">spring.cloud.vault.database.password-property</code>.</p><div class="informalexample"><pre class="programlisting"><span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">spring.cloud.vault</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> database</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> enabled</span>: <span xmlns:d="http://docbook.org/ns/docbook" class="hl-keyword">true</span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> role</span>: readonly
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> backend</span>: database
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> username-property</span>: spring.datasource.username
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> password-property</span>: spring.datasource.username</pre></div><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><code class="literal">enabled</code> setting this value to <code class="literal">true</code> enables the Database backend config usage</li><li class="listitem"><code class="literal">role</code> sets the role name of the Database role definition</li><li class="listitem"><code class="literal">backend</code> sets the path of the Database mount to use</li><li class="listitem"><code class="literal">username-property</code> sets the property name in which the Database username is stored</li><li class="listitem"><code class="literal">password-property</code> sets the property name in which the Database password is stored</li></ul></div><p>See also: <a class="link" href="https://www.vaultproject.io/docs/secrets/databases/index.html" target="_top">Vault Documentation: Database Secrets backend</a></p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="vault.config.backends.cassandra" href="#vault.config.backends.cassandra"></a>98.2&nbsp;Apache Cassandra</h2></div></div></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="images/note.png"></td><th align="left">Note</th></tr><tr><td align="left" valign="top"><p>The <code class="literal">cassandra</code> backend has been deprecated in Vault 0.7.1 and
it is recommended to use the <code class="literal">database</code> backend and mount it as <code class="literal">cassandra</code>.</p></td></tr></table></div><p>Spring Cloud Vault can obtain credentials for Apache Cassandra.
The integration can be enabled by setting
<code class="literal">spring.cloud.vault.cassandra.enabled=true</code> (default <code class="literal">false</code>) and
providing the role name with <code class="literal">spring.cloud.vault.cassandra.role=&#8230;</code>.</p><p>Username and password are stored in <code class="literal">spring.data.cassandra.username</code>
and <code class="literal">spring.data.cassandra.password</code> so using Spring Boot will pick
up the generated credentials without further configuration.
You can configure the property names by setting
<code class="literal">spring.cloud.vault.cassandra.username-property</code> and
<code class="literal">spring.cloud.vault.cassandra.password-property</code>.</p><div class="informalexample"><pre class="programlisting"><span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">spring.cloud.vault</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> cassandra</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> enabled</span>: <span xmlns:d="http://docbook.org/ns/docbook" class="hl-keyword">true</span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> role</span>: readonly
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> backend</span>: cassandra
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> username-property</span>: spring.data.cassandra.username
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> password-property</span>: spring.data.cassandra.username</pre></div><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><code class="literal">enabled</code> setting this value to <code class="literal">true</code> enables the Cassandra backend config usage</li><li class="listitem"><code class="literal">role</code> sets the role name of the Cassandra role definition</li><li class="listitem"><code class="literal">backend</code> sets the path of the Cassandra mount to use</li><li class="listitem"><code class="literal">username-property</code> sets the property name in which the Cassandra username is stored</li><li class="listitem"><code class="literal">password-property</code> sets the property name in which the Cassandra password is stored</li></ul></div><p>See also: <a class="link" href="https://www.vaultproject.io/docs/secrets/cassandra/index.html" target="_top">Vault Documentation: Setting up Apache Cassandra with Vault</a></p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="vault.config.backends.mongodb" href="#vault.config.backends.mongodb"></a>98.3&nbsp;MongoDB</h2></div></div></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="images/note.png"></td><th align="left">Note</th></tr><tr><td align="left" valign="top"><p>The <code class="literal">mongodb</code> backend has been deprecated in Vault 0.7.1 and
it is recommended to use the <code class="literal">database</code> backend and mount it as <code class="literal">mongodb</code>.</p></td></tr></table></div><p>Spring Cloud Vault can obtain credentials for MongoDB.
The integration can be enabled by setting
<code class="literal">spring.cloud.vault.mongodb.enabled=true</code> (default <code class="literal">false</code>) and
providing the role name with <code class="literal">spring.cloud.vault.mongodb.role=&#8230;</code>.</p><p>Username and password are stored in <code class="literal">spring.data.mongodb.username</code>
and <code class="literal">spring.data.mongodb.password</code> so using Spring Boot will
pick up the generated credentials without further configuration.
You can configure the property names by setting
<code class="literal">spring.cloud.vault.mongodb.username-property</code> and
<code class="literal">spring.cloud.vault.mongodb.password-property</code>.</p><div class="informalexample"><pre class="programlisting"><span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">spring.cloud.vault</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> mongodb</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> enabled</span>: <span xmlns:d="http://docbook.org/ns/docbook" class="hl-keyword">true</span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> role</span>: readonly
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> backend</span>: mongodb
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> username-property</span>: spring.data.mongodb.username
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> password-property</span>: spring.data.mongodb.password</pre></div><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><code class="literal">enabled</code> setting this value to <code class="literal">true</code> enables the MongodB backend config usage</li><li class="listitem"><code class="literal">role</code> sets the role name of the MongoDB role definition</li><li class="listitem"><code class="literal">backend</code> sets the path of the MongoDB mount to use</li><li class="listitem"><code class="literal">username-property</code> sets the property name in which the MongoDB username is stored</li><li class="listitem"><code class="literal">password-property</code> sets the property name in which the MongoDB password is stored</li></ul></div><p>See also: <a class="link" href="https://www.vaultproject.io/docs/secrets/mongodb/index.html" target="_top">Vault Documentation: Setting up MongoDB with Vault</a></p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="vault.config.backends.mysql" href="#vault.config.backends.mysql"></a>98.4&nbsp;MySQL</h2></div></div></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="images/note.png"></td><th align="left">Note</th></tr><tr><td align="left" valign="top"><p>The <code class="literal">mysql</code> backend has been deprecated in Vault 0.7.1 and
it is recommended to use the <code class="literal">database</code> backend and mount it as <code class="literal">mysql</code>.
Configuration for <code class="literal">spring.cloud.vault.mysql</code> will be removed in a future version.</p></td></tr></table></div><p>Spring Cloud Vault can obtain credentials for MySQL.
The integration can be enabled by setting
<code class="literal">spring.cloud.vault.mysql.enabled=true</code> (default <code class="literal">false</code>) and
providing the role name with <code class="literal">spring.cloud.vault.mysql.role=&#8230;</code>.</p><p>Username and password are stored in <code class="literal">spring.datasource.username</code>
and <code class="literal">spring.datasource.password</code> so using Spring Boot will
pick up the generated credentials without further configuration.
You can configure the property names by setting
<code class="literal">spring.cloud.vault.mysql.username-property</code> and
<code class="literal">spring.cloud.vault.mysql.password-property</code>.</p><div class="informalexample"><pre class="programlisting"><span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">spring.cloud.vault</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> mysql</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> enabled</span>: <span xmlns:d="http://docbook.org/ns/docbook" class="hl-keyword">true</span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> role</span>: readonly
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> backend</span>: mysql
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> username-property</span>: spring.datasource.username
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> password-property</span>: spring.datasource.username</pre></div><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><code class="literal">enabled</code> setting this value to <code class="literal">true</code> enables the MySQL backend config usage</li><li class="listitem"><code class="literal">role</code> sets the role name of the MySQL role definition</li><li class="listitem"><code class="literal">backend</code> sets the path of the MySQL mount to use</li><li class="listitem"><code class="literal">username-property</code> sets the property name in which the MySQL username is stored</li><li class="listitem"><code class="literal">password-property</code> sets the property name in which the MySQL password is stored</li></ul></div><p>See also: <a class="link" href="https://www.vaultproject.io/docs/secrets/mysql/index.html" target="_top">Vault Documentation: Setting up MySQL with Vault</a></p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="vault.config.backends.postgresql" href="#vault.config.backends.postgresql"></a>98.5&nbsp;PostgreSQL</h2></div></div></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="images/note.png"></td><th align="left">Note</th></tr><tr><td align="left" valign="top"><p>The <code class="literal">postgresql</code> backend has been deprecated in Vault 0.7.1 and
it is recommended to use the <code class="literal">database</code> backend and mount it as <code class="literal">postgresql</code>.
Configuration for <code class="literal">spring.cloud.vault.postgresql</code> will be removed in a future version.</p></td></tr></table></div><p>Spring Cloud Vault can obtain credentials for PostgreSQL.
The integration can be enabled by setting
<code class="literal">spring.cloud.vault.postgresql.enabled=true</code> (default <code class="literal">false</code>) and
providing the role name with <code class="literal">spring.cloud.vault.postgresql.role=&#8230;</code>.</p><p>Username and password are stored in <code class="literal">spring.datasource.username</code>
and <code class="literal">spring.datasource.password</code> so using Spring Boot will
pick up the generated credentials without further configuration.
You can configure the property names by setting
<code class="literal">spring.cloud.vault.postgresql.username-property</code> and
<code class="literal">spring.cloud.vault.postgresql.password-property</code>.</p><div class="informalexample"><pre class="programlisting"><span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">spring.cloud.vault</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> postgresql</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> enabled</span>: <span xmlns:d="http://docbook.org/ns/docbook" class="hl-keyword">true</span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> role</span>: readonly
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> backend</span>: postgresql
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> username-property</span>: spring.datasource.username
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> password-property</span>: spring.datasource.username</pre></div><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><code class="literal">enabled</code> setting this value to <code class="literal">true</code> enables the PostgreSQL backend config usage</li><li class="listitem"><code class="literal">role</code> sets the role name of the PostgreSQL role definition</li><li class="listitem"><code class="literal">backend</code> sets the path of the PostgreSQL mount to use</li><li class="listitem"><code class="literal">username-property</code> sets the property name in which the PostgreSQL username is stored</li><li class="listitem"><code class="literal">password-property</code> sets the property name in which the PostgreSQL password is stored</li></ul></div><p>See also: <a class="link" href="https://www.vaultproject.io/docs/secrets/postgresql/index.html" target="_top">Vault Documentation: Setting up PostgreSQL with Vault</a></p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="multi_vault.config.backends.html">Prev</a>&nbsp;</td><td width="20%" align="center"><a accesskey="u" href="multi__spring_cloud_vault.html">Up</a></td><td width="40%" align="right">&nbsp;<a accesskey="n" href="multi_vault.config.backends.configurer.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">97.&nbsp;Secret Backends&nbsp;</td><td width="20%" align="center"><a accesskey="h" href="multi_spring-cloud.html">Home</a></td><td width="40%" align="right" valign="top">&nbsp;99.&nbsp;Configure <code class="literal">PropertySourceLocator</code> behavior</td></tr></table></div></body></html>