upstream/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2026-06-09 08:55:13 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 11

Update usage of the deprecated generated-root command in the documentation (#4232)

Browse source
This commit is contained in:
LeSuisse 2018-03-31 17:17:08 +02:00 committed by Jeff Mitchell
parent 894f06c2dd
commit 885a6e754d
2 changed files with 6 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
website/source/docs/concepts/tokens.html.md
View file

@ -54,7 +54,7 @@ of version 0.6.1, there are only three ways to create root tokens:
expiration
2. By using another root token; a root token with an expiration cannot create a
root token that never expires
3. By using `vault generate-root` ([example](/guides/operations/generate-root.html))
3. By using `vault operator generate-root` ([example](/guides/operations/generate-root.html))
with the permission of a quorum of unseal key holders
Root tokens are useful in development but should be extremely carefully guarded
@ -62,9 +62,8 @@ in production. In fact, the Vault team recommends that root tokens are only
used for just enough initial setup (usually, setting up auth methods
and policies necessary to allow administrators to acquire more limited tokens)
or in emergencies, and are revoked immediately after they are no longer needed.
If a new root token is needed, the `generate-root` command and associated [API
endpoint](/api/system/generate-root.html) can be
used to generate one on-the-fly.
If a new root token is needed, the `operator generate-root` command and associated
[API endpoint](/api/system/generate-root.html) can be used to generate one on-the-fly.
It is also good security practice for there to be multiple eyes on a terminal
whenever a root token is live. This way multiple people can verify as to the

6
website/source/guides/operations/generate-root.html.md
View file

@ -10,8 +10,8 @@ description: |-
It is generally considered a best practice to not persist
[root tokens][root-tokens]. Instead a root token should be generated using
Vault's `generate-root` command only when absolutely necessary. This guide
demonstrates regenerating a root token.
Vault's `operator generate-root` command only when absolutely necessary. This
guide demonstrates regenerating a root token.
1. Unseal the vault using the existing quorum of unseal keys. You do not need to
be authenticated to generate a new root token, but the Vault must be unsealed
@ -120,7 +120,7 @@ In this method, an OTP is XORed with the generated token on final output.
operation.
```text
$ echo $UNSEAL_KEY | vault generate-root -nonce=f67f4da3... -
$ echo $UNSEAL_KEY | vault operator generate-root -nonce=f67f4da3... -
```
1. When the quorum of unseal keys are supplied, the final user will also get