
htvault-config's People

Contributors

drdaved


htvault-config's Issues

Initialization failing?

Trying to initialize a fresh installation caused a lot of problems for me on fermicloud346. Each time I would stop and start, it got lots of errors about bad checksums and other errors that may have been dependent on that. Only doing a systemctl restart htvault-config after a start cleaned it up. Try to reproduce.

Feature request: add support for audience claim in role config

Hi Dave,

This was discussed in #ligo-scitokens on the OSG slack. I'm adding it here so it isn't forgotten.

I think it would be very useful to be able to restrict the audience as well as the scope when defining a role. It seems like this could be implemented by setting token_url_params in the role config.

Thanks, Ron

Make ssh options configurable per role

Currently the ssh options (disabled, self-registration disallowed, self-registration allowed) are global. There may be different requirements for different VOs sharing a vault server. Also, shared roles probably should not allow self-registration of ssh keys, but some VOs might want it for non-shared roles.

Bug in detecting changed policy names

There are 4 checks in config.sh that do [ ! -f policies/... ] to detect whether something has changed, but at least the two for tokenops and the one for oidc are done after the policy files are generated, so another way of detecting the change is needed.

Prevent python traceback if 'name' is missing

Currently if 'name' is not in a list, I get this python trace:

Traceback (most recent call last):
  File "/usr/libexec/htvault-config/jsontobash.py", line 54, in <module>
    main()
  File "/usr/libexec/htvault-config/jsontobash.py", line 51, in main
    convertbash("", combined)
  File "/usr/libexec/htvault-config/jsontobash.py", line 29, in convertbash
    convertbash(pfx + '_' + checkbashvar(key), data[key])
  File "/usr/libexec/htvault-config/jsontobash.py", line 36, in convertbash
    convertbash(pfx + '_' + checkbashvar(name), item)
  File "/usr/libexec/htvault-config/jsontobash.py", line 29, in convertbash
    convertbash(pfx + '_' + checkbashvar(key), data[key])
  File "/usr/libexec/htvault-config/jsontobash.py", line 32, in convertbash
    convertbash(pfx, ' '.join([item['name'] for item in data]))
  File "/usr/libexec/htvault-config/jsontobash.py", line 32, in <listcomp>
    convertbash(pfx, ' '.join([item['name'] for item in data]))
KeyError: 'name'
Failure converting config.json to config.bash
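As an added example of the behaviour asked for in this issue (this is not htvault-config's own /usr/libexec/htvault-config/jsontobash.py), the converter below walks the same shape of data, a list of objects each identified by 'name', and reports the JSON path of a list item that lacks the key instead of letting the KeyError escape. The emitted VAR='value' format, the empty top-level prefix (mirroring the traceback's convertbash("", combined)) and the two sample configs are assumptions made for the example.

```python
"""Added example: a JSON-to-bash converter that refuses a list item without
a 'name' key and says where it is, rather than dying with a KeyError.
This is not htvault-config's /usr/libexec/htvault-config/jsontobash.py;
the emitted VAR='value' format, the empty top-level prefix (as in the
traceback's convertbash("", combined)) and the sample configs are assumed."""
import json
import re
import sys

class ConfigError(Exception):
    """Malformed config; the message carries the JSON path of the problem."""

_BASHVAR = re.compile(r'^[A-Za-z_][A-Za-z0-9_]*$')

def checkbashvar(name):
    """Reject keys that cannot be part of a bash variable name."""
    if not _BASHVAR.match(name):
        raise ConfigError("'%s' is not a valid bash variable name" % name)
    return name

def shell_quote(value):
    """Single-quote a value so bash reads it back literally."""
    return "'" + value.replace("'", "'\\''") + "'"

def item_names(items, path):
    """Return the 'name' of each object in a list, or raise ConfigError
    pointing at the offending element (e.g. $.issuers.uboone.roles[0])."""
    names = []
    for i, item in enumerate(items):
        if not isinstance(item, dict) or 'name' not in item:
            raise ConfigError("%s[%d]: list item has no 'name' key" % (path, i))
        names.append(str(item['name']))
    return names

def convertbash(pfx, data, out, path='$'):
    """Flatten nested JSON into bash assignments appended to out."""
    if isinstance(data, dict):
        for key in sorted(data):
            convertbash(pfx + '_' + checkbashvar(key), data[key], out, path + '.' + key)
    elif isinstance(data, list) and data and all(isinstance(i, dict) for i in data):
        # A list of objects: first the space-separated names, then each object
        # under its own name, which is what the traceback's listcomp attempts.
        names = item_names(data, path)
        out.append('%s=%s' % (pfx, shell_quote(' '.join(names))))
        for name, item in zip(names, data):
            convertbash(pfx + '_' + checkbashvar(name), item, out, path + '.' + name)
    elif isinstance(data, list):
        out.append('%s=%s' % (pfx, shell_quote(' '.join(str(i) for i in data))))
    else:
        out.append('%s=%s' % (pfx, shell_quote(str(data))))

def json_to_bash(text):
    """Convert a JSON document to bash assignment lines; raises ConfigError."""
    out = []
    convertbash('', json.loads(text), out)
    return '\n'.join(out) + '\n'

def convert_error(text):
    """Return the ConfigError message for text, or None if it converts cleanly."""
    try:
        json_to_bash(text)
    except ConfigError as e:
        return str(e)
    return None

# Constructed inputs: the second one lacks 'name' in a role entry.
GOOD_CONFIG = '{"issuers": [{"name": "uboone", "roles": [{"name": "production"}]}]}'
BAD_CONFIG = '{"issuers": [{"name": "uboone", "roles": [{"scopes": "read"}]}]}'

if __name__ == '__main__':
    try:
        sys.stdout.write(json_to_bash(sys.stdin.read()))
    except (ConfigError, ValueError) as e:
        sys.stderr.write('Failure converting config.json to config.bash: %s\n' % e)
        sys.exit(1)
```

Run as a filter (python3 converter.py < config.json > config.bash) it exits non-zero with a one-line message naming the path, so the calling shell script can stop before a half-written config.bash is sourced.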

See if mlock can be enabled

setcap is already set on the vault executable. Try setting it on the plugins and removing disable_mlock from vault.hcl, or making it an option for development.

htgettoken --minsecs option not working

The htgettoken --minsecs option seems to be having no effect. I looked in the htvault-config audit log and see the minimum_seconds being requested as expected, but a new access token is not retrieved from the secrets plugin.

Enable ssh key registration via id token claim

There are very likely going to be cases where ssh public keys should be supplied through the VO instead of self-registration. I believe that could be done through an id token claim mapped to metadata that htgettoken sees. It may be sufficient if htgettoken then disallows the --registerssh option if that metadata is seen, while htvault-config continues to allow self-registration which htgettoken just does in a different way (that is, by passing in the public key metadata from the id token).

Check out what happens when a role definition is duplicated

I saw some strange errors that I believe were caused by a duplicated definition of a production role. See if they can be reproduced and made to be more self-explanatory or eliminated. There were errors like

Error enabling kerberos auth: Error making API request.

URL: POST http://127.0.0.1:8202/v1/sys/auth/kerberos-uboone_production
Code: 400. Errors:

* path is already in use at kerberos-uboone_production/

and

Success! Uploaded policy: kerberosuboone_production
mv: cannot stat ‘policies/oidcuboone_production.hcl.new’: No such file or directory
chmod: cannot access ‘policies/oidcuboone_production.hcl’: No such file or directory
Error opening policy file: open policies/oidcuboone_production.hcl: no such file or directory
mv: cannot stat ‘policies/kerberosuboone_production.hcl.new’: No such file or directory
chmod: cannot access ‘policies/kerberosuboone_production.hcl’: No such file or directory
Error opening policy file: open policies/kerberosuboone_production.hcl: no such file or directory

Disable per-role kerberos if issuer and/or role is removed

There's currently no code to disable the per-issuer and role kerberos modules when those roles or whole issuers go away. There is code to delete the corresponding policies for both oidc and kerberos, so it could probably go where DELETEDPOLICIES is updated with kerberos (set KERBSERVICE=kerberos-${ISSUER}_${ROLE}).

Feature request: log traffic between Vault and token issuer

The audit log keeps all the traffic between vault and its client, but we have no similar log for traffic between vault and the token issuer. This makes problems very difficult to debug. The majority of traffic exchanged with the token issuer is with the Puppetlabs vault-plugin-secrets-oauthapp, but there is also traffic through the Hashicorp vault-plugin-auth-jwt and ideally there would be a mechanism for both.

Make kerberos authentication more granular

Currently kerberos authentication creates a vault token with access to all the refresh tokens stored for a user, on all issuers and roles. That's not so bad for local host access, but not so good from a threat model perspective when vault tokens are passed along to other services. Configure a separate kerberos module per issuer with a policy only allowing access to the corresponding issuer's secrets, and possibly per role within those issuers as well. Will require a cooperative change in htgettoken.
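The following is an added example, not htvault-config's config.sh, tying together three of the issues above: it derives one Kerberos auth mount and one Vault policy per issuer and per issuer/role pair so that a Kerberos-obtained vault token only reaches that issuer's or role's secrets; it decides whether each policy changed by comparing content before the file is replaced (the '[ ! -f policies/... ]' test described above runs after generation and so cannot see the change); and it computes the stale policies and the kerberos-${ISSUER}_${ROLE} mounts to disable when a role or issuer is removed. Mount and policy names follow the issue text (kerberos-uboone_production, kerberosuboone_production); the config shape, the secret path layout oauthapp/creds/<issuer>/<role>/* in the policy bodies, and the sample config are assumptions.

```python
"""Added example, not htvault-config's config.sh: derive per-issuer and
per-role Kerberos auth mounts and Vault policies from the config, write each
policy file only after checking whether its content changed, and work out
which policies and mounts to remove when a role or issuer disappears.
Names follow the issue text (mount kerberos-${ISSUER}_${ROLE}, policy
kerberos${ISSUER}_${ROLE}); the config shape and the secret path layout
oauthapp/creds/<issuer>/<role>/* in the policy bodies are assumptions."""
import os
import tempfile

# Assumed layout of the secrets plugin mount; each policy is narrowed to one
# issuer (or one issuer+role) rather than every refresh token on the server.
POLICY = 'path "oauthapp/creds/%s/*" {\n  capabilities = ["read"]\n}\n'

def desired_state(config):
    """Return {policy_name: (auth_mount, hcl_body)} for all issuers and roles."""
    desired = {}
    for issuer in config['issuers']:
        iname = issuer['name']
        desired['kerberos' + iname] = ('kerberos-' + iname, POLICY % iname)
        for role in issuer.get('roles', []):
            suffix = iname + '_' + role['name']
            desired['kerberos' + suffix] = ('kerberos-' + suffix,
                                            POLICY % (iname + '/' + role['name']))
    return desired

def write_policy(policy_dir, name, body):
    """Write <name>.hcl through a .hcl.new temp file and rename it into place.
    Returns True if the content differs from what was there before.  The
    comparison happens before the file is replaced, so a '[ ! -f ]' test run
    after generation (which always finds the file present) is not relied on."""
    path = os.path.join(policy_dir, name + '.hcl')
    old = None
    if os.path.exists(path):
        with open(path) as f:
            old = f.read()
    if old == body:
        return False
    fd, tmp = tempfile.mkstemp(dir=policy_dir, prefix=name + '.', suffix='.hcl.new')
    with os.fdopen(fd, 'w') as f:
        f.write(body)
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)
    return True

def reconcile(config, policy_dir):
    """Bring policy_dir in line with config.  Returns
    (changed_policies, deleted_policies, mounts_to_disable); the caller would
    run 'vault policy write' for the first list and 'vault auth disable' for
    the third, since deleting the policy alone leaves the Kerberos mount up."""
    desired = desired_state(config)
    existing = {fn[:-4] for fn in os.listdir(policy_dir)
                if fn.startswith('kerberos') and fn.endswith('.hcl')}
    changed = sorted(n for n, (_, body) in desired.items()
                     if write_policy(policy_dir, n, body))
    deleted = sorted(existing - set(desired))
    for n in deleted:
        os.remove(os.path.join(policy_dir, n + '.hcl'))
    mounts = ['kerberos-' + n[len('kerberos'):] for n in deleted]
    return changed, deleted, mounts

# Constructed config: one issuer with two roles.
SAMPLE_CONFIG = {'issuers': [{'name': 'uboone',
                              'roles': [{'name': 'analysis'}, {'name': 'production'}]}]}

def demo():
    """Reconcile the sample config into a scratch directory, then reconcile
    again with the production role removed; returns both results."""
    scratch = tempfile.mkdtemp()
    first = reconcile(SAMPLE_CONFIG, scratch)
    reduced = {'issuers': [{'name': 'uboone', 'roles': [{'name': 'analysis'}]}]}
    second = reconcile(reduced, scratch)
    return first, second

if __name__ == '__main__':
    for result in demo():
        print('changed=%s deleted=%s disable=%s' % result)
```

The second reconcile leaves the untouched policies alone (nothing to re-upload) and reports exactly the removed role's policy and its kerberos-uboone_production mount, which is the hook the issue above about disabling per-role kerberos asks for.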
