public class SecretLeaseContainer extends SecretLeaseEventPublisher implements org.springframework.beans.factory.InitializingBean, org.springframework.beans.factory.DisposableBean
Container that requests secrets from Vault and renews the associated Lease. Secrets can be rotated, depending on the requested RequestedSecret.Mode.
Usage example:

SecretLeaseContainer container = new SecretLeaseContainer(vaultOperations,
        taskScheduler);

final RequestedSecret requestedSecret = container
        .requestRotatingSecret("mysql/creds/my-role");

container.addLeaseListener(new LeaseListenerAdapter() {
    @Override
    public void onLeaseEvent(LeaseEvent leaseEvent) {

        // listeners receive events for every requested secret; filter on the source
        if (requestedSecret == leaseEvent.getSource()) {

            if (leaseEvent instanceof LeaseCreatedEvent) {
                // a new secret and its lease were obtained: start using the new credentials
            }

            if (leaseEvent instanceof LeaseExpiredEvent) {
                // the lease expired: stop using the old credentials; for a rotating
                // secret the container requests a new one
            }
        }
    }
});

container.afterPropertiesSet();
container.start(); // events are triggered after starting the container
This container keeps track of RequestedSecrets and requests secrets upon start(). Leases qualified for renewal are renewed by this container, applying minRenewalSeconds/expiryThresholdSeconds, on a background thread.

Requests for secrets can define either renewal or rotation. The container renews leases until expiry. Rotating secrets renew their associated lease until expiry and request new secrets after expiry. Vault requires active interaction from the caller to determine that a secret has expired; Vault does not send any events. Expired-secret events can therefore be dispatched later than the actual expiry.
The container dispatches lease events to LeaseListener and LeaseErrorListener. Event notifications are dispatched either on the starting Thread or on worker threads used for background renewal. Instances are thread-safe once initialized.
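The wiring below is an added example, not code from Spring Vault or this class's own documentation. It shows a complete setup for a rotating database credential: a dedicated TaskScheduler, the two renewal tunables with the reasoning behind their values, a listener that gates use of the credential on the lease lifecycle, and destroy() on shutdown so outstanding leases are revoked rather than left live in Vault. The event class names follow the usage example above; the org.springframework.vault.core.lease.event package path for them, the Vault path database/creds/app-role, the VAULT_TOKEN environment variable and the threshold values are assumptions.

```java
import java.util.concurrent.atomic.AtomicBoolean;

import org.springframework.scheduling.concurrent.ThreadPoolTaskScheduler;
import org.springframework.vault.authentication.TokenAuthentication;
import org.springframework.vault.client.VaultEndpoint;
import org.springframework.vault.core.VaultTemplate;
import org.springframework.vault.core.lease.RequestedSecret;
import org.springframework.vault.core.lease.SecretLeaseContainer;
import org.springframework.vault.core.lease.event.LeaseCreatedEvent;   // package path assumed
import org.springframework.vault.core.lease.event.LeaseEvent;          // package path assumed
import org.springframework.vault.core.lease.event.LeaseExpiredEvent;   // package path assumed
import org.springframework.vault.core.lease.event.LeaseListenerAdapter; // package path assumed

/**
 * Wires a SecretLeaseContainer for one rotating credential and gates use of
 * that credential on the lease events the container publishes.
 */
public class RotatingCredentialWiring {

    // Hypothetical dynamic-secret role path; adjust to your Vault layout.
    private static final String CREDS_PATH = "database/creds/app-role";

    private final SecretLeaseContainer container;
    private final RequestedSecret dbCreds;
    // true only while the current credential is backed by a live lease;
    // atomic because events may arrive on the starting thread or a renewal worker
    private final AtomicBoolean credentialUsable = new AtomicBoolean(false);

    public RotatingCredentialWiring(VaultTemplate vault) throws Exception {

        ThreadPoolTaskScheduler scheduler = new ThreadPoolTaskScheduler();
        scheduler.setPoolSize(1);
        scheduler.setThreadNamePrefix("vault-lease-");
        scheduler.initialize();

        this.container = new SecretLeaseContainer(vault, scheduler);

        // Renew 60 s before expiry, but never more often than every 10 s: without the
        // floor, a lease whose TTL is at or below the threshold would be renewed in a loop.
        this.container.setExpiryThresholdSeconds(60);
        this.container.setMinRenewalSeconds(10);

        // Rotating mode: renew until expiry, then obtain a brand-new credential.
        this.dbCreds = this.container.requestRotatingSecret(CREDS_PATH);

        this.container.addLeaseListener(new LeaseListenerAdapter() {
            @Override
            public void onLeaseEvent(LeaseEvent leaseEvent) {
                // Every requested secret's events arrive here; keep only ours.
                if (leaseEvent.getSource() != dbCreds) {
                    return;
                }
                if (leaseEvent instanceof LeaseCreatedEvent) {
                    // New secret and lease: safe to (re)build the connection pool now.
                    credentialUsable.set(true);
                }
                if (leaseEvent instanceof LeaseExpiredEvent) {
                    // Vault does not push expiry, so this can lag the real expiry.
                    // Stop handing out the old credential; the container re-requests it.
                    credentialUsable.set(false);
                }
            }
        });

        this.container.afterPropertiesSet();
        this.container.start(); // initial secrets are obtained and events start flowing here
    }

    /** Callers check this before borrowing the credential for a new connection. */
    public boolean isCredentialUsable() {
        return credentialUsable.get();
    }

    /** Stops renewal and revokes outstanding leases, invalidating the credential in Vault. */
    public void shutdown() throws Exception {
        container.destroy();
    }

    public static void main(String[] args) throws Exception {
        VaultTemplate vault = new VaultTemplate(VaultEndpoint.create("localhost", 8200),
                new TokenAuthentication(System.getenv("VAULT_TOKEN")));
        RotatingCredentialWiring wiring = new RotatingCredentialWiring(vault);
        Runtime.getRuntime().addShutdownHook(new Thread(() -> {
            try {
                wiring.shutdown();
            } catch (Exception e) {
                e.printStackTrace();
            }
        }));
    }
}
```

Note that stop() alone would leave the last lease alive in Vault until it expires on its own; destroy() is what revokes it, which is why the shutdown hook calls destroy().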
See Also:
RequestedSecret, SecretLeaseEventPublisher, Lease, SecretLeaseEventPublisher.LoggingErrorListener
Constructor | Description
---|---
SecretLeaseContainer(VaultOperations operations) | Create a new SecretLeaseContainer given VaultOperations.
SecretLeaseContainer(VaultOperations operations, org.springframework.scheduling.TaskScheduler taskScheduler) | Create a new SecretLeaseContainer given VaultOperations and TaskScheduler.
Modifier and Type | Method | Description
---|---|---
RequestedSecret | addRequestedSecret(RequestedSecret requestedSecret) | Add a RequestedSecret.
void | afterPropertiesSet() |
void | destroy() | Shutdown this SecretLeaseContainer, disable lease renewal and revoke leases.
protected VaultResponseSupport<Map<String,Object>> | doGetSecrets(RequestedSecret requestedSecret) | Retrieve secrets from VaultOperations.
protected Lease | doRenewLease(RequestedSecret requestedSecret, Lease lease) | Renew a Lease for a RequestedSecret.
protected void | doRevokeLease(RequestedSecret requestedSecret, Lease lease) | Revoke the Lease.
int | getExpiryThresholdSeconds() |
int | getMinRenewalSeconds() |
protected void | onLeaseExpired(RequestedSecret requestedSecret, Lease lease) | Hook method called when a Lease expires.
RequestedSecret | requestRenewableSecret(String path) | Request a renewable secret at path.
RequestedSecret | requestRotatingSecret(String path) | Request a rotating secret at path.
void | setExpiryThresholdSeconds(int expiryThresholdSeconds) | Set the expiry threshold.
void | setMinRenewalSeconds(int minRenewalSeconds) | Sets the minimum number of seconds that must elapse before a lease is renewed.
void | setTaskScheduler(org.springframework.scheduling.TaskScheduler taskScheduler) | Sets the TaskScheduler to use for scheduling and execution of lease renewals.
void | start() | Start the SecretLeaseContainer.
void | stop() | Stop the SecretLeaseContainer.
Methods inherited from class SecretLeaseEventPublisher:
addErrorListener, addLeaseListener, onAfterLeaseRenewed, onAfterLeaseRevocation, onBeforeLeaseRevocation, onError, onSecretsObtained, removeLeaseErrorListener, removeLeaseListener
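The protected methods in the summary above (doGetSecrets, doRenewLease, doRevokeLease, onLeaseExpired) are the extension points for instrumenting the lease lifecycle. The subclass below is an added example, not code shipped with Spring Vault: it records reads, renewals, expiries and revocations per secret path, measures Vault read latency, and deliberately never logs the secret payload. It relies only on the signatures listed in the summary; getPath() on RequestedSecret, and the package paths org.springframework.vault.core.lease.domain.Lease and org.springframework.vault.support.VaultResponseSupport, are assumptions not documented on this page.

```java
import java.util.Map;
import java.util.concurrent.atomic.AtomicLong;
import java.util.logging.Logger;

import org.springframework.scheduling.TaskScheduler;
import org.springframework.vault.core.VaultOperations;
import org.springframework.vault.core.lease.RequestedSecret;
import org.springframework.vault.core.lease.SecretLeaseContainer;
import org.springframework.vault.core.lease.domain.Lease;          // package path assumed
import org.springframework.vault.support.VaultResponseSupport;     // package path assumed

/**
 * SecretLeaseContainer that audits lease lifecycle activity per secret path
 * without ever touching the secret material itself.
 */
public class AuditingSecretLeaseContainer extends SecretLeaseContainer {

    private static final Logger LOG = Logger.getLogger(AuditingSecretLeaseContainer.class.getName());

    private final AtomicLong reads = new AtomicLong();
    private final AtomicLong renewals = new AtomicLong();
    private final AtomicLong expiries = new AtomicLong();
    private final AtomicLong revocations = new AtomicLong();

    public AuditingSecretLeaseContainer(VaultOperations operations, TaskScheduler taskScheduler) {
        super(operations, taskScheduler);
    }

    @Override
    protected VaultResponseSupport<Map<String, Object>> doGetSecrets(RequestedSecret requestedSecret) {
        long started = System.nanoTime();
        try {
            return super.doGetSecrets(requestedSecret);
        } finally {
            // Path and latency only: the returned map carries the credential.
            reads.incrementAndGet();
            audit("read", requestedSecret, (System.nanoTime() - started) / 1_000_000L);
        }
    }

    @Override
    protected Lease doRenewLease(RequestedSecret requestedSecret, Lease lease) {
        Lease renewed = super.doRenewLease(requestedSecret, lease);
        renewals.incrementAndGet();
        audit("renew", requestedSecret, -1);
        return renewed;
    }

    @Override
    protected void onLeaseExpired(RequestedSecret requestedSecret, Lease lease) {
        expiries.incrementAndGet();
        audit("expired", requestedSecret, -1);
        // Keep the default behaviour: registered LeaseListeners are still notified.
        super.onLeaseExpired(requestedSecret, lease);
    }

    @Override
    protected void doRevokeLease(RequestedSecret requestedSecret, Lease lease) {
        super.doRevokeLease(requestedSecret, lease);
        revocations.incrementAndGet();
        audit("revoke", requestedSecret, -1);
    }

    /** Counters for health checks: a rotating secret with renewals but no expiries/reads is suspicious. */
    public long getReads() { return reads.get(); }
    public long getRenewals() { return renewals.get(); }
    public long getExpiries() { return expiries.get(); }
    public long getRevocations() { return revocations.get(); }

    private static void audit(String action, RequestedSecret secret, long latencyMillis) {
        // getPath() is assumed to exist on RequestedSecret (not listed on this page).
        String latency = latencyMillis >= 0 ? " latencyMs=" + latencyMillis : "";
        LOG.info("vault-lease action=" + action + " path=" + secret.getPath() + latency);
    }
}
```

Drop it in wherever the base class is constructed (new AuditingSecretLeaseContainer(vaultOperations, taskScheduler)); requestRotatingSecret, addLeaseListener, start, stop and destroy behave exactly as documented above, because each override delegates to super.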
public SecretLeaseContainer(VaultOperations operations)

Create a new SecretLeaseContainer given VaultOperations.

Parameters:
operations - must not be null.

public SecretLeaseContainer(VaultOperations operations, org.springframework.scheduling.TaskScheduler taskScheduler)

Create a new SecretLeaseContainer given VaultOperations and TaskScheduler.

Parameters:
operations - must not be null.
taskScheduler - must not be null.

public void setExpiryThresholdSeconds(int expiryThresholdSeconds)
Set the expiry threshold. A Lease is renewed the given number of seconds before it expires.

Parameters:
expiryThresholdSeconds - number of seconds before Lease expiry.

public void setMinRenewalSeconds(int minRenewalSeconds)

Sets the minimum number of seconds that must elapse before a lease is renewed. minRenewalSeconds prevents renewals from happening too often, for instance when a lease's duration is shorter than the expiry threshold.

Parameters:
minRenewalSeconds - number of seconds that is at least required before renewing a Lease.

public int getMinRenewalSeconds()

public int getExpiryThresholdSeconds()

public void setTaskScheduler(org.springframework.scheduling.TaskScheduler taskScheduler)

Sets the TaskScheduler to use for scheduling and execution of lease renewals.

Parameters:
taskScheduler - must not be null.

public RequestedSecret requestRenewableSecret(String path)
Request a renewable secret at path.

Parameters:
path - must not be null or empty.
Returns:
the RequestedSecret.

public RequestedSecret requestRotatingSecret(String path)

Request a rotating secret at path.

Parameters:
path - must not be null or empty.
Returns:
the RequestedSecret.

public RequestedSecret addRequestedSecret(RequestedSecret requestedSecret)

Add a RequestedSecret.

Parameters:
requestedSecret - must not be null.
Returns:
the RequestedSecret.

public void start()
Start the SecretLeaseContainer. Starting the container initially obtains secrets and leases for the requested secrets. A started container publishes events through LeaseListener. Additional secrets can be requested at any time.

Multiple calls are synchronized so that the container is started only once. Container start requires initialization (afterPropertiesSet()), and the container cannot be started once it has been destroyed.

See Also:
afterPropertiesSet(), stop()

public void stop()

Stop the SecretLeaseContainer. Stopping the container stops lease renewal, secret rotation and event publishing. Active leases are not expired, nor are they revoked; use destroy() to revoke them.

Multiple calls are synchronized so that the container is stopped only once.

See Also:
start()
public void afterPropertiesSet() throws Exception

Specified by:
afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean
Overrides:
afterPropertiesSet in class SecretLeaseEventPublisher
Throws:
Exception

public void destroy() throws Exception

Shutdown this SecretLeaseContainer, disable lease renewal and revoke leases.

Specified by:
destroy in interface org.springframework.beans.factory.DisposableBean
Throws:
Exception
See Also:
afterPropertiesSet(), start(), stop()
protected VaultResponseSupport<Map<String,Object>> doGetSecrets(RequestedSecret requestedSecret)

Retrieve secrets from VaultOperations.

Parameters:
requestedSecret - the RequestedSecret providing the secret path.

protected Lease doRenewLease(RequestedSecret requestedSecret, Lease lease)

Renew a Lease for a RequestedSecret.

Parameters:
requestedSecret - the requested secret.
lease - the lease.

protected void onLeaseExpired(RequestedSecret requestedSecret, Lease lease)

Hook method called when a Lease expires. The default implementation notifies the registered LeaseListeners. Implementations can override this method in subclasses.

Overrides:
onLeaseExpired in class SecretLeaseEventPublisher
Parameters:
requestedSecret - must not be null.
lease - must not be null.

protected void doRevokeLease(RequestedSecret requestedSecret, Lease lease)

Revoke the Lease.

Parameters:
requestedSecret - must not be null.
lease - must not be null.

Copyright © 2016–2017 Pivotal Software, Inc. All rights reserved.