Comments (6)
I appreciate your suggestion. What is missing in the existing session manager to meet your requirements?
We would rather reuse existing infrastructure (also for the reactive side) to avoid introducing additional unrelated complexity.
from spring-vault.
What is missing in the existing session manager to meet your requirements?
Our requirement is to allow regeneration of the token (not renewal, because our policy does not allow renewal) in the session manager. If I'm understanding correctly, the current LifecycleAwareSessionManager which gets autoconfigured can only renew (if the token can be renewed), but not regenerate the token. To maintain the current behavior, this feature could be implemented behind a configuration option.
I would be happy to assist with a contribution if this is something that would be desired.
If I'm understanding correctly, the current LifecycleAwareSessionManager which gets autoconfigured can only renew (if the token can be renewed), but not regenerate the token.
Session managers obtain a new token if the current one is expired. Renewal is attempted until hitting max_ttl. Since I'm not familiar with the actual setup for your tokens, help is appreciated to try out our session managers and report back what is happening vs. what needs to be done to enable your use case.
I could well imagine that if the token isn't renewable, then our renewal scheduler doesn't get activated and therefore, an expired token remains active. With that scenario in mind, we could still enable a background thread to monitor the token. If the token is about to expire, we drop the token and request a new one.
That's similar to what we do now, except that we attempt renewal before we detect whether a token is about to expire.
Ah I see, it seems I was misunderstanding. I now see this comment at the top of the LifeCycleSessionManager:
* If Token renewal runs into a client-side error, it assumes the token was
* revoked/expired. It discards the token state so the next attempt will lead to another
* login attempt.
I think the bug here is that the renewal does not get scheduled if the token can't be renewed, therefore the token never gets revoked, and the subsequent request does not regenerate the token/login again. I can confirm this behavior with our application and provide a minimal replicable example, but I think it's pretty clear from the existing session manager code that this is the behavior.
With that scenario in mind, we could still enable a background thread to monitor the token. If the token is about to expire, we drop the token and request a new one.
I think this is a good solution. I'm thinking it could be implemented in a similar way to token renewal - schedule a task to set the current token to Optional.empty() at the lease_duration timeout. Then the next request will regenerate the token. Does that work for you?
That sounds straightforward. We have a few utilities to calculate a point in time when the token is expected to expire with an additional threshold that can drop the token a tad earlier to avoid token usage in the second it is about to expire.
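A constructed sketch of the drop-at-expiry scheme the two comments above converge on (added here; it is not spring-vault's own code): a non-renewable token is discarded at lease_duration minus a threshold, so the next getSessionToken() call logs in again instead of using an expired token. The LoginToken record, the login Supplier and the class name are assumptions standing in for the real login response and authentication call.

```java
import java.time.Duration;
import java.util.Optional;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import java.util.function.Supplier;

public final class ExpiryDroppingSessionManager {
    // Stand-in for a Vault login response: client_token plus lease_duration in seconds.
    public record LoginToken(String clientToken, long leaseDurationSeconds) {}

    private final Supplier<LoginToken> login;      // hypothetical login call (e.g. AppRole)
    private final ScheduledExecutorService scheduler;
    private final Duration expiryThreshold;        // drop the token this much before it expires
    private Optional<LoginToken> token = Optional.empty();

    public ExpiryDroppingSessionManager(Supplier<LoginToken> login,
            ScheduledExecutorService scheduler, Duration expiryThreshold) {
        this.login = login;
        this.scheduler = scheduler;
        this.expiryThreshold = expiryThreshold;
    }

    // Returns the held token, or logs in again when the token was dropped (or never obtained).
    public synchronized String getSessionToken() {
        if (token.isEmpty()) {
            LoginToken fresh = login.get();
            token = Optional.of(fresh);
            scheduleDrop(fresh);
        }
        return token.get().clientToken();
    }

    // lease_duration minus the threshold, clamped at zero so a very short lease is dropped at once.
    static Duration dropDelay(long leaseDurationSeconds, Duration threshold) {
        Duration delay = Duration.ofSeconds(leaseDurationSeconds).minus(threshold);
        return delay.isNegative() ? Duration.ZERO : delay;
    }

    private void scheduleDrop(LoginToken issued) {
        if (issued.leaseDurationSeconds() <= 0) return; // lease_duration 0 means no TTL: nothing to drop
        long delayMillis = dropDelay(issued.leaseDurationSeconds(), expiryThreshold).toMillis();
        scheduler.schedule(() -> dropIfCurrent(issued), delayMillis, TimeUnit.MILLISECONDS);
    }

    // Drops only the token the task was scheduled for, so a newer login is never discarded.
    private synchronized void dropIfCurrent(LoginToken issued) {
        if (token.filter(t -> t == issued).isPresent()) token = Optional.empty();
    }
}
```

The renewable path is left out on purpose: for renewable tokens the existing renewal scheduler already applies, and this sketch only covers the case where renewal is never scheduled.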
Ok, that makes sense, I'm familiar with the configs you mentioned. I'll try to make this contribution soon.