Comments (8)
As far as I know, those names aren't available via the API. At least, the service broker API doesn't seem to expose them. Additionally, this is a rather large security risk, since a rename of a group would inherit policies of that group.
from vault-service-broker.
We have a similar need for this, to allow us to share secrets across multiple production cloud foundry installations.
We were contemplating making a PR that would look up the names from the CF CLI (would require the broker to have a uaa client with admin-read-only privileges), and then mount paths like cf/<organization-name>, cf/<organization-name>/<space-name>, and cf/<organization-name>/<app-name> (if we can even nest mounts).
Would this be something you'd entertain for the broker @sethvargo ?
from vault-service-broker.
Hey @geofffranks,
This is matching up with a series of needs we've seen with other Vault users. Would love to setup some time to chat, as other members within the Vault team will be managing the PCF broker going forward.
Thanks!
from vault-service-broker.
@amanoske Sounds great! How should we coordinate?
from vault-service-broker.
@amanoske When would a good time to talk about this feature be?
from vault-service-broker.
I know this issue is old, but I saw it and thought I'd circle back on it now.
I did some poking on this and found that it is possible to create a PCF client and do API calls to get the names for orgs, spaces, applications, and service instances using their respective IDs. However, I don't think we should do it for two main reasons - security, and maintenance.
On the security issues, if users were able to provide arbitrary input at any point that went into naming a path, it would be possible to use it to try to dip into spaces with Vault they shouldn't have access to. It also might be possible to dip into a path that had had the same name previously.
On the maintenance issues, what if something were renamed? Things pointed at the old path could diverge from those pointed at the new path. Then there'd need to be a manual migration of secrets, and of getting the old apps to point at the new space. To me the behavior here isn't totally clear and I worry that what seems nice could actually become a way to shoot oneself in the foot.
Anyways, I totally get the UX perspective here of wanting human-readable paths. Yes, that would be wonderful and is a totally valid request! However, I think that the security and maintenance issues outweigh the convenience.
from vault-service-broker.
@amanoske Those are considerations I hadn't thought of! However, to be clear, this is not a matter of human-readability or convenience for us, it's a requirement in order to be able to use the vault service broker when deploying across multiple PCF foundations.
We have two separate PCF foundations in separate datacenters, managed to have the same ORGs and SPACEs and users. We then use a tool to deploy all apps to both foundations simultaneously. Everything works fine there, but the ORGs and SPACEs have different GUIDs, so an app that's in DC1 can't read/write any secrets from the same app in the same org and space in DC2. Without that ability, it breaks our approach of treating the separate foundations as one.
Hopefully that helps clarify what our need is. Let me know if you have any other questions around this. And thanks for looking back into it!
from vault-service-broker.
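The two previous comments describe the trade-off between identifier-keyed and name-keyed mount paths: the rename/reuse collision that name-based paths open up, and the cross-foundation divergence that GUID-based paths cause. The following is an added, constructed model of both schemes, not code from vault-service-broker; the `cf/<guid>/secret` and `cf/<org>/<space>/secret` layouts and the `Space`/`KV` helpers are assumptions made for the illustration.

```python
"""Constructed model of the two path-naming schemes discussed in the thread.
Not code from vault-service-broker: the path layouts below are assumptions."""
import uuid


class Space:
    """A CF space: the GUID is immutable, the name can be changed by an operator."""
    def __init__(self, name, guid=None):
        self.name = name
        self.guid = guid or str(uuid.uuid4())


def guid_path(org, space):
    """Identifier-keyed layout (assumed): the org name is not part of the path."""
    return f"cf/{space.guid}/secret"


def name_path(org, space):
    """Name-keyed layout as proposed in the thread (assumed)."""
    return f"cf/{org}/{space.name}/secret"


class KV:
    """Minimal stand-in for a key-value secret store keyed by mount path."""
    def __init__(self):
        self.data = {}

    def write(self, path, value):
        self.data[path] = value

    def read(self, path):
        return self.data.get(path)


def rename_collision(path_fn):
    """What a brand-new space can read after an older space that had the same
    name was renamed away. Returns the leaked value, or None if nothing leaks."""
    kv = KV()
    old = Space("prod")
    kv.write(path_fn("acme", old), "db-password-for-old-prod")  # constructed value
    old.name = "prod-legacy"   # rename in CF: name changes, GUID stays the same
    new = Space("prod")        # a new space reuses the now-free name
    return kv.read(path_fn("acme", new))


def cross_foundation_paths_agree(path_fn):
    """The same org/space created independently in two foundations (DC1, DC2):
    True if both foundations resolve to one path, False if they diverge."""
    dc1 = Space("prod")
    dc2 = Space("prod")  # created separately in DC2, so it gets a different GUID
    return path_fn("acme", dc1) == path_fn("acme", dc2)
```

`rename_collision(name_path)` returns the old space's secret while `rename_collision(guid_path)` returns None; `cross_foundation_paths_agree` is True only for `name_path`, which is exactly the pair of outcomes the thread is weighing.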
Has there been any movement on this?
from vault-service-broker.