Comments (8)
@kkronenb @TJM I'm considering transferring this to the Discussion section. This will allow better threading, etc.
What do you think?
from vault-plugin-secrets-artifactory.
@kkronenb If I understand your use case, I'm curious why creating multiple roles (vs explicitly setting reduced scope) are not desirable.
from vault-plugin-secrets-artifactory.
That is a possibility, but is undesirable from a maintenance stand point. When we new repo/group is added to artifactory, we must make a corresponding configuration update to Vault as well. If we have the ability to request a token with a specific scope, this dual configuration goes away.
We currently have 28 groups in artifactory for example. This quickly becomes an administrative hurdle in Vault.
from vault-plugin-secrets-artifactory.
My reasoning for wanting scoped down tokens is that it decouples artifactory administration from vault administration. When a new group is added to artifactory, there is no need to make a corresponding role in vault which requires additional overhead.
from vault-plugin-secrets-artifactory.
Turns out adding this functionality was pretty trivial.
diff --git a/path_token_create.go b/path_token_create.go
index abdb9a2..55c8e18 100644
--- a/path_token_create.go
+++ b/path_token_create.go
@@ -24,6 +24,10 @@ func (b *backend) pathTokenCreate() *framework.Path {
Type: framework.TypeDurationSecond,
Description: `Override the maximum TTL for this access token. Cannot exceed smallest (system, backend) maximum TTL.`,
},
+ "scope": {
+ Type: framework.TypeString,
+ Description: `Override the scope for this access token.`,
+ },
},
Operations: map[logical.Operation]framework.OperationHandler{
logical.ReadOperation: &framework.PathOperation{
@@ -88,6 +92,13 @@ func (b *backend) pathTokenCreatePerform(ctx context.Context, req *logical.Reque
}
}
+ scope := data.Get("scope").(string)
+
+ //use the overridden scope rather than role default
+ if len(scope) != 0 {
+ role.Scope = scope
+ }
+
var ttl time.Duration
if value, ok := data.GetOk("ttl"); ok {
ttl = time.Second * time.Duration(value.(int))
Key Value
--- -----
lease_id artifactory/token/drone/FAf5YgaZKbKBEgRO0zit334F
lease_duration 1h
lease_renewable true
access_token REDACTED
role drone
scope applied-permissions/groups:*
token_id 62388d00-91e8-40a6-af74-95801ef7869d
username v-drone-sibnkfl8
vault read artifactory/token/drone scope="applied-permissions/groups:readonly"
Key Value
--- -----
lease_id artifactory/token/drone/5RZesfUWFxRfq5vX5venXnLR
lease_duration 1h
lease_renewable true
access_token REDACTED
role drone
scope applied-permissions/groups:readonly
token_id 62f07108-ec3e-4a7b-a253-68861c3698e4
username v-drone-CtuWW5k8```
from vault-plugin-secrets-artifactory.
@kkronenb Yes, that's right. The coding part is straightforward, I'm thinking through the ramification of allowing scope
being settable for the creation of the token. I feel that in theory we need to ensure we don't allow privilege escalation (expanding scope) but in practice it may be non-trivial.
This is provisionally in our plan for Q1 2024.
from vault-plugin-secrets-artifactory.
That is tricky, even if you limited the scope to applied-permissions.groups:
, there are still groups you don't necessarily want tokens generated for (global-admins or whatever). I suppose that would be a Vault policy issue. You could just call the endpoint "group-token" (artifactory/group-token) and the requested name (artifactory/group-token/jenkins) becomes the group name? I think we (tried to do/did) something similar for user tokens a while back. You could certainly have an "allow/deny" list (supporting regex) for group-names, and of course need the ability to enable/disable it all together for people that want more control (creating the roles themselves). You could also just have a role for group-tokens that takes an argument (group=whatever) so it would be like: vault read artifactory/token/group group=jenkins
, which has the advantage of not changing the endpoints, but from a vault policy perspective, it may be easier to have allow/deny based on path than options? (maybe?)
I definitely do not think you should allow requestors to specify whatever raw scope they want, because if you do that, you might as well just create an admin role and be done with it. :)
Tommy
from vault-plugin-secrets-artifactory.
First, thank you both for the conversation around this, I appreciate enumerating the issues.
@TJM I definitely do not think you should allow requestors to specify whatever raw scope they want, because if you do that, you might as well just create an admin role and be done with it. :)
This is exactly what I want. We use the same pattern with the github plugin where Vault is a vending machine for github PATs and can mint anything from org readonly to repo admin from a single plugin role. This is all controlled by Vault policies.
By definition in the instructions, the Vault Access Token is already an admin token. All this change is doing is moving from an implicit scope with multiple roles to an explicit scope via request. Both of these cases need to be addressed by Vault policies; either granting it based on path
with the role name providing the implicit scope, or via path
and allowed_parameters
with the explicit scope.
This change could be an opt in when configuring the plugin where the existing behavior is the default.
from vault-plugin-secrets-artifactory.
Related Issues (20)
- Verification Steps: Signature on GPG Key? HOT 9
- include_reference_token and refreshable not working when configured by default HOT 3
- non-admin token HOT 2
- dev version suggestion HOT 4
- slashes in admin token username shows wrong username HOT 1
- Allow for "username" parameter on /config/rotate to change token username HOT 1
- make acceptance uses inconsistent env variables HOT 2
- Test Coverage Improvement
- Bump version to 1.0.0 HOT 2
- Renaming repository HOT 4
- GPG Signed *binary* sha256sums in release HOT 5
- Future Makefile ideas
- Embed current version changes (like from the changelog) in release HOT 1
- DELETE artifactory/config/admin should revoke its own access token HOT 7
- Should DELETE artifactory/config/admin cleanup all leased tokens? HOT 3
- BATs acceptance tests? HOT 2
- Add User-Agent string to Artifactory API HTTP request header
- useExpiringTokens should be TypeBool
- test: config/rotate with a bad current token returns the wrong error
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from vault-plugin-secrets-artifactory.