Comments (7)
@davidcorrigan714 AFAIK the plugin does not currently support what you suggest. This is an excellent feature to add though. We will add this to our backlog.
from vault-plugin-secrets-artifactory.
Sounds good, mostly making sure I hadn't missed anything in the configuration. I think I'll have time to work on this later this quarter myself as it's something we were prototyping with a stand-alone service before deciding to stand up Vault. Happy to collaborate to make sure it meets code standards and makes sense with how you all would want it to work so that our work can be upstreamed.
@davidcorrigan714 Sounds good. When you're ready to contribute, the process is pretty standard so please open a PR and we can work through any comments, feedback, etc.
The ability to do this would depend on username and scope templates. Once we have the ability to use "variables" when generating the request for the token, we need to find out what is available in the context and make the necessary variables available to the template. Hashicorp has surprisingly little to no information, other than the code examples. :)
@TJM not quite sure what you're getting at, have an example of what you have in mind? I just hacked together a proof-of-concept to play with the idea; it seemed to work, though maybe not as fine-grained as I might like as far as the policy or configuration, which might be what you're getting at.
I created a path at /user/* where it takes the path and issues a token for the user, like so:
    // pathUserTokenCreatePerform handles reads on user/<username>: it issues an
    // Artifactory access token scoped to that user's own permissions. Who may
    // read which user/<username> path is enforced by Vault policy, not here.
    func (b *backend) pathUserTokenCreatePerform(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
        b.rolesMutex.RLock()
        b.configMutex.RLock()
        defer b.configMutex.RUnlock()
        defer b.rolesMutex.RUnlock()

        // The username is everything after the "user/" prefix of the request path.
        user := strings.TrimPrefix(req.Path, "user/")

        config, err := b.fetchAdminConfiguration(ctx, req.Storage)
        if err != nil {
            return nil, err
        }
        if config == nil {
            return logical.ErrorResponse("backend not configured"), nil
        }

        // Clamp the token TTL: 1h by default, never above the mount's max lease TTL.
        var ttl time.Duration = 1 * time.Hour
        maxLeaseTTL := b.Backend.System().MaxLeaseTTL()
        maxTTL := 1 * time.Hour
        if maxTTL == 0 {
            maxTTL = maxLeaseTTL
        } else if maxTTL > maxLeaseTTL {
            maxTTL = maxLeaseTTL
        }
        if maxTTL > 0 && ttl > maxTTL {
            ttl = maxTTL
        }

        b.Logger().Warn("Path: " + user)

        // Build an ad-hoc role for this user: client_credentials grant with the
        // "applied-permissions/user" scope, so the token carries only the
        // permissions the user already has in Artifactory.
        role := &artifactoryRole{
            GrantType:  "client_credentials",
            Username:   user,
            Scope:      "applied-permissions/user",
            Audience:   "*@*",
            // DefaultTTL is a time.Duration already; wrapping ttl.Seconds() in
            // time.Duration() would yield nanoseconds (3600ns for 1h), which
            // rounds to an expires_in of 0, i.e. a non-expiring token.
            DefaultTTL: ttl,
        }
        roleName := user

        resp, err := b.createToken(*config, *role)
        if err != nil {
            return nil, err
        }

        // The internal data (second map) is what the revocation handler uses
        // to revoke the token when the lease expires or is revoked.
        response := b.Secret(SecretArtifactoryAccessTokenType).Response(map[string]interface{}{
            "access_token": resp.AccessToken,
            "role":         roleName,
            "scope":        resp.Scope,
            "token_id":     resp.TokenId,
        }, map[string]interface{}{
            "role":         roleName,
            "access_token": resp.AccessToken,
            "token_id":     resp.TokenId,
        })
        response.Secret.TTL = ttl
        response.Secret.MaxTTL = maxTTL
        return response, nil
    }
I created a policy:

    path "artifactory/user/{{identity.entity.name}}" {
      capabilities = [ "read" ]
    }
I then added the OIDC provider to log me in through the corporate SSO, which aligns with our federated user names into Artifactory, so I could get a token for myself from artifactory/user/[email protected] but not artifactory/user/[email protected] .
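The two pieces the thread turns on are the username taken from the request path (the proof-of-concept above) and what ends up in the Artifactory token request once template "variables" are resolved (TJM's earlier comment). The block below is an added, stand-alone example written for this page; it is not code from vault-plugin-secrets-artifactory or from either commenter. It assumes that federated usernames are e-mail shaped, that the path under the mount is `user/<username>`, and that the token is requested from Artifactory's `POST /access/api/v1/tokens` endpoint with form fields; the username `alice@example.com` and the TTL values are constructed test data. Vault policy templating on `identity.entity.name` remains the actual authorisation; `userFromPath` only rejects values that could never be a valid username (empty, nested paths, wildcards, traversal), `effectiveTTL` shows the clamp against role and system maxima, and `tokenRequest` shows `expires_in` expressed in whole seconds, which is the unit the `DefaultTTL` conversion in the proof-of-concept got wrong.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
	"time"
)

// Constructed assumption for this example: federated usernames look like
// e-mail addresses. Adjust the pattern to whatever your IdP hands Artifactory.
var usernamePattern = regexp.MustCompile(`^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$`)

// userFromPath extracts and validates the username encoded in a request
// path of the form "user/<username>". It does not decide whether the caller
// may act for that user; the Vault policy templated on identity.entity.name
// does that. It only refuses values that are not a username at all.
func userFromPath(reqPath string) (string, error) {
	user := strings.TrimPrefix(reqPath, "user/")
	if user == reqPath || user == "" {
		return "", errors.New("path must be user/<username>")
	}
	if strings.ContainsAny(user, "/*") || user == "." || user == ".." {
		return "", fmt.Errorf("invalid username %q", user)
	}
	if !usernamePattern.MatchString(user) {
		return "", fmt.Errorf("username %q is not a federated identity", user)
	}
	return user, nil
}

// effectiveTTL clamps a requested TTL against the role maximum and the
// Vault system max lease TTL. A zero roleMax means "no role-level limit";
// the system maximum always wins when it is lower.
func effectiveTTL(requested, roleMax, systemMax time.Duration) (ttl, max time.Duration) {
	max = roleMax
	if max == 0 || (systemMax > 0 && max > systemMax) {
		max = systemMax
	}
	ttl = requested
	if max > 0 && ttl > max {
		ttl = max
	}
	return ttl, max
}

// tokenRequest builds the form body for Artifactory's access token endpoint
// (POST /access/api/v1/tokens, assumed here): a user-scoped, non-refreshable
// token limited to the permissions the user already holds. expires_in is
// whole seconds; passing a time.Duration's raw value (nanoseconds) would
// be read as 0 and produce a non-expiring token.
func tokenRequest(user string, ttl time.Duration) url.Values {
	v := url.Values{}
	v.Set("grant_type", "client_credentials")
	v.Set("username", user)
	v.Set("scope", "applied-permissions/user")
	v.Set("audience", "*@*")
	v.Set("refreshable", "false")
	v.Set("expires_in", fmt.Sprintf("%d", int64(ttl.Seconds())))
	return v
}

func main() {
	// Constructed inputs: a self-service read on user/alice@example.com with
	// a 2h request, a 1h role maximum and a 24h system maximum.
	user, err := userFromPath("user/alice@example.com")
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	ttl, max := effectiveTTL(2*time.Hour, time.Hour, 24*time.Hour)
	fmt.Printf("user=%s ttl=%s max=%s\n", user, ttl, max)
	fmt.Println(tokenRequest(user, ttl).Encode())

	for _, bad := range []string{"user/", "user/../admin", "user/*", "other/alice@example.com"} {
		_, err := userFromPath(bad)
		fmt.Printf("%-28s -> %v\n", bad, err)
	}
}
```

The validation is deliberately narrow: rejecting `..`, `/` and `*` stops a caller from turning the path segment into something the policy's `{{identity.entity.name}}` template never intended to match, while the real trust boundary stays in Vault's policy evaluation.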
Hah, see I was trying to make it more difficult. I was looking at creating a role, for example named "my-account" ... which would lookup the user identity (somehow) and then use the username during the b.CreateToken process... you are creating a new path with the username in it... nice.
Initial PR for feedback: #113