fermitools / htvault-config
Configure a Hashicorp Vault server for use with htgettoken
License: Other
Trying to initialize a fresh installation caused a lot of problems for me on fermicloud346. Each time I would stop and start it got lots of errors about bad checksums and other errors that may have been dependent on that. Only doing a systemctl restart htvault-config after a start cleaned it up. Try to reproduce.
Hi Dave,
This was discussed in #ligo-scitokens on the OSG slack. I'm adding it here so it isn't forgotten.
I think it would be very useful to be able to restrict the audience as well as the scope when defining a role. It seems like this could be implemented by setting token_url_params in the role config.
Thanks, Ron
Vault has a rate limiting feature that should be enabled by default and allowed to be configured through htvault-config yaml files.
Currently the ssh options (disabled, self-registration disallowed, self-registration allowed) are global. There may be different requirements for different VOs sharing a vault server. Also, shared roles probably should not allow self-registration of ssh keys, but some VOs might want it for non-shared roles.
There are 4 checks in config.sh that do [ ! -f policies/... ] to detect whether something has changed, but at least the two for tokenops and the one for oidc are done after the policy files are generated, so another way of detecting the change is needed.
I would like a secondary ligo kerberos to be selected for the ligo-test issuer, somehow.
Currently if 'name' is not in a list, I get this python trace:
Traceback (most recent call last):
  File "/usr/libexec/htvault-config/jsontobash.py", line 54, in <module>
    main()
  File "/usr/libexec/htvault-config/jsontobash.py", line 51, in main
    convertbash("", combined)
  File "/usr/libexec/htvault-config/jsontobash.py", line 29, in convertbash
    convertbash(pfx + '_' + checkbashvar(key), data[key])
  File "/usr/libexec/htvault-config/jsontobash.py", line 36, in convertbash
    convertbash(pfx + '_' + checkbashvar(name), item)
  File "/usr/libexec/htvault-config/jsontobash.py", line 29, in convertbash
    convertbash(pfx + '_' + checkbashvar(key), data[key])
  File "/usr/libexec/htvault-config/jsontobash.py", line 32, in convertbash
    convertbash(pfx, ' '.join([item['name'] for item in data]))
  File "/usr/libexec/htvault-config/jsontobash.py", line 32, in <listcomp>
    convertbash(pfx, ' '.join([item['name'] for item in data]))
KeyError: 'name'
Failure converting config.json to config.bash
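The traceback above comes from a list element that has no 'name' key: the list comprehension on line 32 indexes item['name'] without checking. What follows is an added example, not the project's jsontobash.py, of the same JSON-to-bash flattening written so that a malformed list element is reported with its JSON path, and a list of plain strings is joined into one value rather than rejected. The CFG variable prefix, the single-quoting convention and the sample configurations are assumptions made for the illustration.

```python
"""Added illustration, not htvault-config's jsontobash.py: flatten a JSON
configuration into bash variable assignments and report *where* a list
element is missing its 'name' key instead of dying with a bare KeyError."""
import json
import re
import sys


class ConfigError(Exception):
    """Carries the JSON path (e.g. $.issuers[0]) of the offending element."""


_BASHVAR = re.compile(r'^[A-Za-z_][A-Za-z0-9_]*$')


def checkbashvar(name, path):
    """Reject keys that cannot be part of a bash variable name."""
    if not _BASHVAR.match(name):
        raise ConfigError(f"{path}: '{name}' is not usable in a bash variable name")
    return name


def _quote(value):
    """Single-quote a scalar for bash; booleans become true/false, null becomes empty."""
    if value is None:
        value = ''
    elif isinstance(value, bool):
        value = 'true' if value else 'false'
    return "'" + str(value).replace("'", "'\\''") + "'"


def convertbash(pfx, data, path, out):
    """Recursively append PFX_KEY='value' lines to out."""
    if isinstance(data, dict):
        for key, value in data.items():
            convertbash(pfx + '_' + checkbashvar(str(key), path), value,
                        f"{path}.{key}", out)
    elif isinstance(data, list):
        # A list of plain scalars becomes one space-separated value.
        if all(not isinstance(item, (dict, list)) for item in data):
            out.append(f"{pfx}={_quote(' '.join(str(item) for item in data))}")
            return
        # A list of objects is keyed by each object's 'name'; validate them all
        # first so the error names the exact element rather than a KeyError.
        names = []
        for idx, item in enumerate(data):
            if not isinstance(item, dict) or 'name' not in item:
                raise ConfigError(f"{path}[{idx}]: every element of this list "
                                  "must be an object with a 'name' key")
            names.append(checkbashvar(str(item['name']), f"{path}[{idx}].name"))
        out.append(f"{pfx}={_quote(' '.join(names))}")
        for name, item in zip(names, data):
            convertbash(pfx + '_' + name, item, f"{path}[{name}]", out)
    else:
        out.append(f"{pfx}={_quote(data)}")


def tobash(config, prefix='CFG'):
    """Return the list of bash assignment lines for a parsed JSON config.
    The CFG prefix is an assumption made for this illustration."""
    out = []
    convertbash(prefix, config, '$', out)
    return out


def tobash_or_error(config, prefix='CFG'):
    """(lines, None) on success, (None, message) on a configuration error."""
    try:
        return tobash(config, prefix), None
    except ConfigError as err:
        return None, str(err)


# Constructed sample configurations (assumed shape; not from a real deployment).
GOOD_CONFIG = {"issuers": [{"name": "ligo",
                            "url": "https://example.org/ligo",
                            "roles": [{"name": "default",
                                       "scopes": ["read:/frames", "write:/frames/scratch"]}]}]}
BAD_CONFIG = {"issuers": [{"url": "https://example.org/ligo"}]}

if __name__ == '__main__':
    # Usage: python3 jsontobash_example.py < config.json
    lines, err = tobash_or_error(json.load(sys.stdin))
    if err:
        sys.exit(f"Failure converting config: {err}")
    print('\n'.join(lines))
```

With GOOD_CONFIG the output begins with CFG_issuers='ligo' and ends with CFG_issuers_ligo_roles_default_scopes='read:/frames write:/frames/scratch'; with BAD_CONFIG the conversion stops with a message naming $.issuers[0] rather than the traceback shown above.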
setcap is already set on the vault executable. Try setting it on the plugins and removing disable_mlock from vault.hcl, or making it an option for development.
The htgettoken --minsecs option seems to be having no effect. I looked in the htvault-config audit log and see the minimum_seconds being requested as expected, but a new access token is not retrieved from the secrets plugin.
There are very likely going to be cases where ssh public keys should be supplied through the VO instead of self-registration. I believe that could be done through id token claim mapped to metadata that htgettoken sees. It may be sufficient if htgettoken then disallows the --registerssh option if that metadata is seen, while htvault-config continues to allow self-registration which htgettoken just does in a different way (that is, by passing in the public key metadata from the id token).
I saw some strange errors that I believe were caused by a duplicated definition of a production role. See if they can be reproduced and made to be more self-explanatory or eliminated. There were errors like
Error enabling kerberos auth: Error making API request.
URL: POST http://127.0.0.1:8202/v1/sys/auth/kerberos-uboone_production
Code: 400. Errors:
* path is already in use at kerberos-uboone_production/
and
Success! Uploaded policy: kerberosuboone_production
mv: cannot stat ‘policies/oidcuboone_production.hcl.new’: No such file or directory
chmod: cannot access ‘policies/oidcuboone_production.hcl’: No such file or directory
Error opening policy file: open policies/oidcuboone_production.hcl: no such file or directory
mv: cannot stat ‘policies/kerberosuboone_production.hcl.new’: No such file or directory
chmod: cannot access ‘policies/kerberosuboone_production.hcl’: No such file or directory
Error opening policy file: open policies/kerberosuboone_production.hcl: no such file or directory
If a peer name or my own name changes, first do vault operator raft remove-peer on the old name. I think that should work, but test it.
Currently roles are only deleted if they disappear. They should also get deleted (& reloaded of course) if the list of scopes in the role changes.
Title says it all
There's currently no code to disable the per-issuer and role kerberos modules when those roles or whole issuers go away. There is code to delete the corresponding policies for both oidc and kerberos, so it could probably go where DELETEDPOLICIES is updated with kerberos (set KERBSERVICE=kerberos-${ISSUER}_${ROLE}).
The auditlog keeps all the traffic between vault and its client, but we have no similar log for traffic between vault and the token issuer. This makes problems very difficult to debug. The majority of traffic exchanged with the token issuer is with the Puppetlabs vault-plugin-secrets-oauthapp, but there is also traffic through the Hashicorp vault-plugin-auth-jwt and ideally there would be a mechanism for both.
Include 42wim/vault-plugin-auth-ssh#21 in htvault-config, for JLab which is using email addresses as the role key.
Currently kerberos authentication creates a vault token with access to all the refresh tokens stored for a user, on all issuers and roles. That's not so bad for local host access, but not so good from a threat model perspective when vault tokens are passed along to other services. Configure a separate kerberos module per issuer with a policy only allowing access to the corresponding issuer's secrets, and possibly per role within those issuers as well. Will require a cooperative change in htgettoken.
Add an option to enable prometheus monitoring. Would be much more useful along with collecting oauth metrics as requested in this puppetlabs plugin issue.