Vault authentication planned ? #323

Open · LordFPL opened this issue Mar 16, 2018 · 5 comments
Comments

LordFPL commented Mar 16, 2018

Hello,
We use Vault (Hashicorp) more and more in our company, and I wonder whether an integration of this type is planned?
I am starting to test authentication under readonlyrest, and am a bit embarrassed on the password side with the two main methods:

  • login/pass in ROR = a hard-coded configuration on the client application side, and a change in two places when one wishes to rotate the password (ROR + client).
  • authentication via LDAP = a cleartext client-side password and an account creation in a directory just to access an application (but a password rotation doesn't need a restart of ROR).

Vault on the other hand, from my point of view, will allow:

  • dynamic retrieval of a client-side token (for example, via an AppRole).
  • access control on the ROR side via Vault, using the list of Vault policies associated with the token.
  • potentially, use of the policies' content to decide which indices are allowed or not.

For now ldap authentication will in any case allow us to do many things (thank you for this plugin! :)), but I'll be curious to know your opinion on this possible evolution.

Thx in advance.
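The three bullets above describe an exchange in two halves: the client obtains a token from Vault with AppRole credentials, and the server checks the presented token with Vault and reads its policies. The following is an added example, not code from the ReadonlyREST project or from this issue, that plays both halves against a small in-process mock of the two real Vault endpoints (`POST /v1/auth/approle/login` and `POST /v1/auth/token/lookup`). Every role id, secret id, token and policy name is constructed, and the mapping from policy name to allowed indices (`POLICY_TO_INDICES`) is a hypothetical stand-in for whatever a real connector would derive from policy content.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import error, request

# Constructed sample values: not real Vault credentials or policies.
ROLE_ID = "role-id-example"
SECRET_ID = "secret-id-example"
CLIENT_TOKEN = "s.client-token-example"      # what the client receives on login
SERVER_TOKEN = "s.ror-server-token-example"  # server-side token allowed to call token/lookup
TOKEN_POLICIES = ["default", "ror-logs-read"]
# Hypothetical policy-name -> allowed-indices mapping (an assumption of this example).
POLICY_TO_INDICES = {"ror-logs-read": ["logstash-*"], "ror-admin": ["*"]}


class MockVault(BaseHTTPRequestHandler):
    """Minimal stand-in for the two Vault endpoints used below."""

    def log_message(self, *_):  # keep the demo quiet
        pass

    def _send(self, code, body):
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = json.loads(self.rfile.read(length) or b"{}")
        if self.path == "/v1/auth/approle/login":
            if body.get("role_id") == ROLE_ID and body.get("secret_id") == SECRET_ID:
                self._send(200, {"auth": {"client_token": CLIENT_TOKEN, "policies": TOKEN_POLICIES}})
            else:
                self._send(400, {"errors": ["invalid role or secret ID"]})
        elif self.path == "/v1/auth/token/lookup":
            # Only a caller holding its own valid token may look up another token.
            if self.headers.get("X-Vault-Token") != SERVER_TOKEN:
                self._send(403, {"errors": ["permission denied"]})
            elif body.get("token") == CLIENT_TOKEN:
                self._send(200, {"data": {"policies": TOKEN_POLICIES, "ttl": 3600}})
            else:
                self._send(403, {"errors": ["bad token"]})
        else:
            self._send(404, {"errors": []})


def vault_post(addr, path, body, token=None):
    """POST JSON to Vault; error replies come back decoded as {"errors": [...]}."""
    req = request.Request(addr + path, data=json.dumps(body).encode(), method="POST",
                          headers={"Content-Type": "application/json"})
    if token:
        req.add_header("X-Vault-Token", token)
    try:
        with request.urlopen(req, timeout=5) as resp:
            return json.load(resp)
    except error.HTTPError as exc:
        return json.load(exc)


def approle_login(addr, role_id, secret_id):
    """Client side: exchange AppRole credentials for a short-lived Vault token."""
    resp = vault_post(addr, "/v1/auth/approle/login", {"role_id": role_id, "secret_id": secret_id})
    if "auth" not in resp:
        raise PermissionError(resp.get("errors"))
    return resp["auth"]["client_token"]


def authorize_client_token(addr, server_token, client_token):
    """Server side: verify the presented token with the server's own token and map
    its policies to allowed indices. Returns None when Vault rejects the token."""
    resp = vault_post(addr, "/v1/auth/token/lookup", {"token": client_token}, token=server_token)
    if "data" not in resp:
        return None
    allowed = set()
    for policy in resp["data"]["policies"]:
        allowed.update(POLICY_TO_INDICES.get(policy, []))
    return sorted(allowed)


def run_exchange():
    """Run the whole exchange against the in-process mock and return the outcomes."""
    server = HTTPServer(("127.0.0.1", 0), MockVault)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    addr = "http://127.0.0.1:%d" % server.server_address[1]
    try:
        token = approle_login(addr, ROLE_ID, SECRET_ID)
        try:
            approle_login(addr, ROLE_ID, "wrong-secret-id")
            bad_login_rejected = False
        except PermissionError:
            bad_login_rejected = True
        return {"granted": authorize_client_token(addr, SERVER_TOKEN, token),
                "forged_rejected": authorize_client_token(addr, SERVER_TOKEN, "s.forged") is None,
                "bad_login_rejected": bad_login_rejected}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_exchange())
```

The server never sees the AppRole secret id, only the resulting token, and it validates that token with Vault on every request rather than trusting it on sight; revoking the token in Vault therefore cuts off access immediately, which is the property that static `login/pass` entries in the config file lack.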

sscarduzio (Owner) commented

I'm pretty sure that with a minimum of devops skills you can wrap the ROR deployment and hook the decoded secrets into environment variables, which are, by the way, supported in readonlyrest.yml.

What do you think?

sscarduzio (Owner) commented

@LordFPL or did you mean implementing vault as a runtime authentication connector like we have LDAP?

LordFPL (Author) commented Mar 18, 2018

Hello,

Sorry for the late answer. Yes, I mean a runtime authentication like LDAP. I actually run an Elasticsearch cluster with Nomad, and all config is already taken from Vault (readonlyrest.yml and the Elasticsearch config file are generated via dynamic vars).
My main "problem" (it's not a very critical problem ;)) is that the two main auth methods in readonlyrest are not totally satisfying me... login/pass in conf is too static... and LDAP is mainly (imho) for "humans".
I already use Vault for other usages, and I love the AppRole method for apps, and all the possible auditing with it.
That's why I ask your opinion about this future feature :)

Thx for your time and all you have already done :)

sscarduzio (Owner) commented

Got it, and it's quite an interesting idea. Too bad I didn't find any asynchronous Vault library for Java. 🤦🏻‍♂️

LordFPL (Author) commented Mar 26, 2018

In my case, I can find a solution with a watch for changes in Vault... and regenerate the readonlyrest config... but if I understand correctly, hot reload is not possible?

For information, I read a post on the Hashicorp page about an integration with JWT (https://www.hashicorp.com/blog/secure-kubernetes-deployments-vault-banzai-cloud)... but I'm not a developer... and I don't understand JWT tokens well...

In any case, thx for reading :)
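Two interim approaches come up in this thread: wrapping the ROR deployment so that secrets read from Vault reach readonlyrest.yml through environment variables (sscarduzio's suggestion), and watching Vault for changes and regenerating the config, then restarting ROR since hot reload is not available (LordFPL's workaround). The block below is an added example that is not part of this issue or of the ReadonlyREST project; it shows the rendering step both ways and a change check that tells the wrapper whether a restart is needed. The Vault KV response is a constructed sample, and the `${NAME}` placeholder syntax in the template is an assumption about how ROR resolves environment variables, not something quoted from its documentation.

```python
import hashlib
import json
import os
import re
import tempfile

# Constructed sample of a Vault KV (v1) read response, as `vault read -format=json`
# would print it; the values are placeholders, not real secrets.
VAULT_KV_RESPONSE = json.dumps({
    "request_id": "example-request-id",
    "data": {"ror_admin_password": "Example-Only-Pass1",
             "ror_kibana_password": "Example-Only-Pass2"},
})

# Config template with ${NAME} placeholders. That ROR resolves exactly this
# syntax from environment variables is an assumption of this example.
TEMPLATE = """readonlyrest:
  access_control_rules:
  - name: "admin"
    auth_key: "admin:${ror_admin_password}"
  - name: "kibana"
    auth_key: "kibana:${ror_kibana_password}"
"""

PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def secrets_from_kv(response_json):
    """Return the key/value map of a Vault KV read (handles the KV v2 data.data nesting too)."""
    data = json.loads(response_json).get("data", {})
    if isinstance(data.get("data"), dict):
        data = data["data"]
    return data


def check_placeholders(template, secrets):
    """Names the template needs that Vault did not return, or returned empty."""
    return sorted({n for n in PLACEHOLDER.findall(template) if not secrets.get(n)})


def render(template, secrets):
    """Option A: substitute the secrets into the file itself; fail closed on any gap
    so an empty password can never end up as a valid credential."""
    missing = check_placeholders(template, secrets)
    if missing:
        raise KeyError("unresolved secrets: %s" % missing)
    return PLACEHOLDER.sub(lambda m: secrets[m.group(1)], template)


def env_for_ror(template, secrets):
    """Option B: leave the placeholders in the file and hand the values to the ROR
    process as environment variables, so the on-disk config holds no secrets."""
    if check_placeholders(template, secrets):
        raise KeyError("unresolved secrets")
    return {n: secrets[n] for n in PLACEHOLDER.findall(template)}


def write_if_changed(path, content):
    """Rewrite the file only when the rendered content differs; the result tells the
    wrapper whether ROR has to be restarted, since there is no hot reload."""
    digest = hashlib.sha256(content.encode()).hexdigest()
    if os.path.exists(path):
        with open(path, "rb") as f:
            if hashlib.sha256(f.read()).hexdigest() == digest:
                return False
    with open(path, "w") as f:
        f.write(content)
    os.chmod(path, 0o600)  # the rendered file contains secrets: owner-only
    return True


def demo():
    """Render twice from the same Vault data: the first pass writes, the second is a no-op."""
    secrets = secrets_from_kv(VAULT_KV_RESPONSE)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "readonlyrest.yml")
        first = write_if_changed(path, render(TEMPLATE, secrets))
        second = write_if_changed(path, render(TEMPLATE, secrets))
    return {"first_write": first, "second_write": second,
            "missing": check_placeholders(TEMPLATE, {"ror_admin_password": "x"}),
            "env_names": sorted(env_for_ror(TEMPLATE, secrets))}


if __name__ == "__main__":
    print(demo())
```

In a watch loop the wrapper would re-read the secret, call `write_if_changed`, and restart ROR only when it returns True; option B keeps the secrets out of the file entirely, at the cost of them being visible in the process environment, so the choice depends on which of the two the host is better at protecting.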
