
package models


Type Members

  1. case class CreateOptions(displayName: String = "token", policies: List[String] = List.empty, noDefaultPolicy: Boolean = false, noParent: Boolean = false, numUses: Int = 0, renewable: Boolean = true, ttl: Duration = Duration.Undefined, explicitMaxTtl: Duration = Duration.Undefined, period: Duration = Duration.Undefined, id: Option[String] = None, meta: Map[String, String] = Map.empty) extends Product with Serializable

    displayName

    The display name of the token.

    policies

    A list of policies for the token. This must be a subset of the policies belonging to the token making the request, unless root. If not specified, defaults to all the policies of the calling token.

    noDefaultPolicy

    If true, the default policy will not be contained in this token's policy set.

    noParent

    If true and set by a root caller, the token will not have the parent token of the caller. This creates a token with no parent.

    numUses

    The maximum number of uses for the given token. This can be used to create a one-time token or a limited-use token. A value of 0 means there is no limit on the number of uses.

    renewable

    Set to false to disable the ability of the token to be renewed past its initial TTL. Setting the value to true will allow the token to be renewable up to the system/mount maximum TTL.

    ttl

    The TTL period of the token, provided as "1h", where hour is the largest suffix. If not provided, the token is valid for the default lease TTL, or indefinitely if the root policy is used.

    explicitMaxTtl

    If set, the token will have an explicit max TTL set upon it. This maximum token TTL cannot be changed later, and unlike with normal tokens, updates to the system/mount max TTL value will have no effect at renewal time -- the token will never be able to be renewed or used past the value set at issue time.

    period

    If specified, the token will be periodic; it will have no maximum TTL (unless an "explicit-max-ttl" is also set) but every renewal will use the given period. Requires a root/sudo token to use.

    id

    The ID of the client token. Can only be specified by a root token. Otherwise, the token ID is a randomly generated value.

    meta

    A map of string to string valued metadata. This is passed through to the audit devices.

  2. case class Role(allowedPolicies: List[String] = List.empty, disallowedPolicies: List[String] = List.empty, orphan: Boolean = false, renewable: Boolean = true, pathSuffix: String = "", allowedEntityAliases: List[String] = List.empty, tokenBoundCidrs: List[String] = List.empty, tokenExplicitMaxTtl: Duration = Duration.Undefined, tokenNoDefaultPolicy: Boolean = false, tokenNumUses: Int = 0, tokenPeriod: Duration = Duration.Undefined, tokenType: TokenType = TokenType.DefaultService) extends Product with Serializable

    allowedPolicies

    If set, tokens can be created with any subset of the policies in this list, rather than the normal semantics of tokens being a subset of the calling token's policies. The parameter is a comma-delimited string of policy names. If at creation time no_default_policy is not set and "default" is not contained in disallowed_policies, the "default" policy will be added to the created token automatically.

    disallowedPolicies

    If set, successful token creation via this role will require that no policies in the given list are requested. The parameter is a comma-delimited string of policy names. Adding "default" to this list will prevent "default" from being added automatically to created tokens.

    orphan

    If true, tokens created against this role will be orphan tokens (they will have no parent). As such, they will not be automatically revoked by the revocation of any other token.

    renewable

    Set to false to disable the ability of the token to be renewed past its initial TTL. Setting the value to true will allow the token to be renewable up to the system/mount maximum TTL.

    pathSuffix

    If set, tokens created against this role will have the given suffix as part of their path in addition to the role name. This can be useful in certain scenarios, such as keeping the same role name in the future but revoking all tokens created against it before some point in time. The suffix can be changed, allowing new callers to have the new suffix as part of their path, and then tokens with the old suffix can be revoked via /sys/leases/revoke-prefix.

    allowedEntityAliases

    Specifies the entity aliases which are allowed to be used during token generation. This field supports globbing.

    tokenBoundCidrs

    Specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.

    tokenExplicitMaxTtl

    Provides a maximum lifetime for any tokens issued against this role, including periodic tokens. Unlike direct token creation, where the value for an explicit max TTL is stored in the token, for roles this check will always use the current value set in the role. The main use of this is to provide a hard upper bound on periodic tokens, which otherwise can live forever as long as they are renewed. This is an integer number of seconds.

    tokenNoDefaultPolicy

    If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in allowed_policies.

    tokenNumUses

    The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.

    tokenPeriod

    The period, if any, to set on the token.

    tokenType

    Specifies the type of tokens that should be returned by the role. If either service or batch is specified, that kind of token will always be returned. If default-service, service tokens will be returned unless the client requests a batch type token at token creation time. If default-batch, batch tokens will be returned unless the client requests a service type token at token creation time.

  3. case class Token(id: String, path: String, accessor: String, creationTime: Long, creationTtl: Duration, displayName: String, entityId: String, expireTime: Option[OffsetDateTime], explicitMaxTtl: Duration, ttl: Duration, numUses: Int, orphan: Boolean, meta: Option[Map[String, String]], policies: List[String], type: TokenType) extends Product with Serializable
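
The CreateOptions defaults documented above produce a token with no use limit, no TTL fixed at issue time, and every policy of the caller. The following is an added example, not code from this library: a pre-issuance check that reports those settings. The `CreateOptions` class here is a local stand-in that copies only the relevant fields from the signature above, and `TokenOptionsLint`, `findings` and `Demo` are hypothetical names.

```scala
import scala.concurrent.duration._

// Local stand-in (assumption): a subset of the CreateOptions fields documented
// above, with the same defaults, so the example compiles without the library.
final case class CreateOptions(
    policies: List[String] = List.empty,
    noParent: Boolean = false,
    numUses: Int = 0,
    renewable: Boolean = true,
    ttl: Duration = Duration.Undefined,
    explicitMaxTtl: Duration = Duration.Undefined,
    period: Duration = Duration.Undefined,
    id: Option[String] = None
)

object TokenOptionsLint {
  // Duration.Undefined never compares equal to itself, so test with isFinite.
  private def isSet(d: Duration): Boolean = d.isFinite

  /** One finding per setting that widens the token's lifetime or scope. */
  def findings(o: CreateOptions): List[String] = List(
    (!isSet(o.ttl)) -> "ttl unset: default lease TTL applies (indefinite under the root policy)",
    (isSet(o.period) && !isSet(o.explicitMaxTtl)) -> "periodic token without explicitMaxTtl: no maximum TTL",
    (o.renewable && !isSet(o.explicitMaxTtl)) -> "renewable up to the system/mount max TTL, no bound fixed at issue time",
    o.noParent -> "noParent: token has no parent token",
    (o.numUses == 0) -> "numUses = 0: unlimited uses",
    o.policies.isEmpty -> "policies empty: defaults to all policies of the calling token",
    o.id.isDefined -> "id set: caller-chosen token ID instead of a randomly generated value"
  ).collect { case (true, msg) => msg }
}

object Demo extends App {
  // Constructed inputs: the documented defaults, and a narrowly scoped one-time token.
  val broad = CreateOptions()
  val tight = CreateOptions(policies = List("app-read"), numUses = 1,
    renewable = false, ttl = 15.minutes, explicitMaxTtl = 15.minutes)

  println(s"defaults: ${TokenOptionsLint.findings(broad).size} finding(s)")
  TokenOptionsLint.findings(broad).foreach(f => println(s"  - $f"))
  println(s"tight:    ${TokenOptionsLint.findings(tight).size} finding(s)")
}
```

A check like this fits in the code path that builds token requests, before the options are sent to Vault, so that broad tokens are issued deliberately rather than by default.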

Value Members

  1. object CreateOptions extends Serializable
  2. object Role extends Serializable
  3. object Token extends Serializable
