[Secure Consul Ph. 2] Implement create/update policies and roles in Consul bootstrapper #3254

Closed
jim-wang-intel opened this issue Mar 15, 2021 · 0 comments · Fixed by #3273
jim-wang-intel commented Mar 15, 2021

🚀 Feature Request

Relevant Package

This feature request is for Consul bootstrapper

Description

Based on ADR: Consul bootstrapper will install a role in Vault that creates global-management tokens in Consul with no TTL.
This will require creating a step or implementation for setupRegistryACL to install a role into Vault's consul secret engine.

Describe the solution you'd like

  1. In this step we would like to associate the management token or agent token with a role, and the creating/updating of this role can be done via Vault's Consul secret engine API /consul/role/<name>; for details please see https://www.vaultproject.io/api/secret/consul#create-update-role
  2. The policy still associates with whatever policy was set with the agent token, which is the mgmt type of role.
  3. Note: before switching the agent's default_policy to "deny", we should create an agent server policy (including node/key types of ACL properties) and also create a role associated with that policy. We can call this the EdgeX agent (or node) policy.
  4. One example of a node/agent server policy looks something like:
```hcl
# HCL definition for Consul server agent policy
node "" {
  policy = "write"
}
agent "" {
  policy = "write"
}
service "" {
  policy = "read"
}
node_prefix "" {
  policy = "write"
}
service_prefix "" {
  policy = "read"
}
# allow kv put
key_prefix "" {
  policy = "write"
}
```
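The steps above (check whether the agent policy already exists, create it if not, then register a role in Vault's Consul secrets engine so tokens can be minted later) can be sketched as one idempotent bootstrap flow. The Go program below is an added example written for this page, not code from edgex-go or the Consul bootstrapper. It assumes the real Consul ACL endpoints `GET /v1/acl/policy/name/<name>` and `PUT /v1/acl/policy` (with a 404 taken to mean the policy is absent) and Vault's `POST /v1/consul/roles/<name>` (the path the commits use; the issue's link abbreviates it as `/consul/role`). The `ACLClient` type, the policy name `edgex-agent-policy`, the service keys, and the placeholder tokens are all constructed for the example; the two in-memory HTTP servers stand in for Consul and Vault so the flow runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// Agent/node policy rules (HCL) as in the issue, abbreviated to the node and kv rules.
const agentPolicyHCL = `node_prefix "" { policy = "write" }
key_prefix "" { policy = "write" }`

// ACLClient is a hypothetical helper type (not edgex-go's) holding what the bootstrapper needs.
type ACLClient struct {
	HTTP                    *http.Client
	ConsulAddr, ConsulToken string // management (bootstrap) token for the Consul ACL API
	VaultAddr, VaultToken   string
}

// jsonOf marshals a request body; callers pass "" for requests without one.
func jsonOf(v interface{}) string { b, _ := json.Marshal(v); return string(b) }
// call sends one request carrying the given token header and returns the HTTP status code.
func call(client *http.Client, method, url, header, token, body string) (int, error) {
	req, _ := http.NewRequest(method, url, strings.NewReader(body))
	req.Header.Set(header, token)
	resp, err := client.Do(req)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

// EnsurePolicy creates the policy (PUT /v1/acl/policy) only when GET /v1/acl/policy/name/<name> answers
// 404 (read as "absent"; assumed), so a restarted bootstrapper neither fails nor duplicates it.
func (c ACLClient) EnsurePolicy(name, rules string) (bool, error) {
	code, err := call(c.HTTP, http.MethodGet, c.ConsulAddr+"/v1/acl/policy/name/"+name, "X-Consul-Token", c.ConsulToken, "")
	if err != nil || code == http.StatusOK {
		return false, err // lookup failed, or the policy already exists: nothing to create
	}
	if code != http.StatusNotFound {
		return false, fmt.Errorf("consul policy lookup: status %d", code)
	}
	code, err = call(c.HTTP, http.MethodPut, c.ConsulAddr+"/v1/acl/policy", "X-Consul-Token", c.ConsulToken,
		jsonOf(map[string]string{"Name": name, "Rules": rules}))
	if err == nil && code != http.StatusOK {
		err = fmt.Errorf("consul policy create: status %d", code)
	}
	return err == nil, err // true only when a policy was actually created
}

// CreateVaultRole registers a role in Vault's Consul secrets engine (POST /v1/consul/roles/<name>); ttl "0"
// asks for Consul tokens with no expiry, per the ADR. "policies" is the pre-1.11 field name ("consul_policies" later).
func (c ACLClient) CreateVaultRole(role string, policies []string) error {
	code, err := call(c.HTTP, http.MethodPost, c.VaultAddr+"/v1/consul/roles/"+role, "X-Vault-Token", c.VaultToken,
		jsonOf(map[string]interface{}{"policies": policies, "ttl": "0"}))
	if err == nil && code != http.StatusNoContent && code != http.StatusOK {
		err = fmt.Errorf("vault role create: status %d", code)
	}
	return err
}

// RunDemo follows the issue's order against constructed in-memory stand-ins for both APIs (so it runs offline):
// agent policy first, called twice to show the second call is a no-op, then one Vault role per EdgeX service key.
func RunDemo(serviceKeys []string) (first, again bool, rolesStored int, err error) {
	var policies, roles sync.Map
	consul := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodPut && r.URL.Path == "/v1/acl/policy" {
			var p struct{ Name, Rules string }
			_ = json.NewDecoder(r.Body).Decode(&p)
			policies.Store(p.Name, p.Rules)
		} else if _, ok := policies.Load(strings.TrimPrefix(r.URL.Path, "/v1/acl/policy/name/")); !ok {
			w.WriteHeader(http.StatusNotFound)
		}
	}))
	defer consul.Close()
	vault := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		roles.Store(strings.TrimPrefix(r.URL.Path, "/v1/consul/roles/"), true)
		w.WriteHeader(http.StatusNoContent)
	}))
	defer vault.Close()
	c := ACLClient{HTTP: http.DefaultClient, ConsulAddr: consul.URL, VaultAddr: vault.URL, ConsulToken: "<bootstrap-token>", VaultToken: "<vault-token>"} // placeholder tokens
	if first, err = c.EnsurePolicy("edgex-agent-policy", agentPolicyHCL); err != nil {
		return
	}
	if again, err = c.EnsurePolicy("edgex-agent-policy", agentPolicyHCL); err != nil {
		return
	}
	for _, key := range serviceKeys {
		if err = c.CreateVaultRole(key, []string{"edgex-agent-policy"}); err != nil {
			return
		}
	}
	roles.Range(func(_, _ interface{}) bool { rolesStored++; return true })
	return
}

func main() { fmt.Println(RunDemo([]string{"core-data", "core-metadata"})) }
```

The existence check before the PUT is what makes the bootstrapper safe to re-run: a second pass finds the policy and skips creation instead of failing or leaving duplicates, and an unexpected status on the lookup aborts rather than blindly creating. The management token used for the ACL calls is the bootstrap token, so the flow should run once at startup and the token should not be handed to the individual services; they get role-based tokens from Vault later.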

Describe alternatives you've considered

Have you considered any alternative solutions or workarounds?
@jim-wang-intel jim-wang-intel added this to the Ireland milestone Mar 15, 2021
@jim-wang-intel jim-wang-intel self-assigned this Mar 15, 2021
@jim-wang-intel jim-wang-intel changed the title [Secure Consul Ph. 2] Implement create/update roles in Consul bootstrapper [Secure Consul Ph. 2] Implement create/update policies and roles in Consul bootstrapper Mar 15, 2021
jim-wang-intel added a commit to jim-wang-intel/edgex-go that referenced this issue Mar 18, 2021
New addition for implementing for Consul's ACL policies creation and roles for Consul tokens generated later on
 - Add logic to check whether the ACL policy is already pre-existing before creation of new policy
 - Add implementation to create a new ACL policy
 - Add implementation to create a role for EdgeX's services via Vault's /consul/roles/* APIs: this sets the stage for creating role-based Consul tokens used by EdgeX services
 - Add logic for creating token roles based on EdgeX service keys from configuration file
 - Add implementation to create registry management token and store it into a file
 - Update token-file-provider on edgex's default policy to add the permission for calling /consul/creds/"service-key" endpoint

Closes: edgexfoundry#3158, edgexfoundry#3254, edgexfoundry#3160

Signed-off-by: Jim Wang <[email protected]>
jim-wang-intel added a commit to jim-wang-intel/edgex-go that referenced this issue Mar 18, 2021
New addition for implementing for Consul's ACL policies creation and roles for Consul tokens generated later on via `go-mod-secret`
 - Add logic to check whether the ACL policy is already pre-existing before creation of new policy
 - Add implementation to create a new ACL policy
 - Add implementation to create a role for EdgeX's services via Vault's /consul/roles/* APIs: this sets the stage for creating role-based Consul tokens used by EdgeX services
 - Add logic for creating token roles based on EdgeX service keys from configuration file
 - Add implementation to create registry management token and store it into a file
 - Update token-file-provider on edgex's default policy to add the permission for calling /consul/creds/"service-key" endpoint

Closes: edgexfoundry#3158, edgexfoundry#3254, edgexfoundry#3160

Signed-off-by: Jim Wang <[email protected]>
jim-wang-intel added a commit to jim-wang-intel/edgex-go that referenced this issue Mar 19, 2021
New addition for implementing for Consul's ACL policies creation and roles for Consul tokens generated later on via `go-mod-secret`
 - Add logic to check whether the ACL policy is already pre-existing before creation of new policy
 - Add implementation to create a new ACL policy
 - Add implementation to create a role for EdgeX's services via Vault's /consul/roles/* APIs: this sets the stage for creating role-based Consul tokens used by EdgeX services
 - Add logic for creating token roles based on EdgeX service keys from configuration file
 - Add implementation to create registry management token and store it into a file
 - Update token-file-provider on edgex's default policy to add the permission for calling /consul/creds/"service-key" endpoint

Closes: edgexfoundry#3158, edgexfoundry#3254, edgexfoundry#3160

Signed-off-by: Jim Wang <[email protected]>
jim-wang-intel added a commit to jim-wang-intel/edgex-go that referenced this issue Mar 19, 2021
New addition for implementing for Consul's ACL policies creation and roles for Consul tokens generated later on via `go-mod-secret`
 - Add logic to check whether the ACL policy is already pre-existing before creation of new policy
 - Add implementation to create a new ACL policy
 - Add implementation to create a role for EdgeX's services via Vault's /consul/roles/* APIs: this sets the stage for creating role-based Consul tokens used by EdgeX services
 - Add logic for creating token roles based on EdgeX service keys from configuration file
 - Add implementation to create registry management token and store it into a file
 - Update token-file-provider on edgex's default policy to add the permission for calling /consul/creds/"service-key" endpoint

Closes: edgexfoundry#3158, edgexfoundry#3254, edgexfoundry#3160

Signed-off-by: Jim Wang <[email protected]>
jim-wang-intel added a commit to jim-wang-intel/edgex-go that referenced this issue Mar 22, 2021
New addition for implementing for Consul's ACL policies creation and roles for Consul tokens generated later on via go-mod-secret
 - Add logic to check whether the ACL policy is already pre-existing before creation of new policy
 - Add implementation to create a new ACL policy
 - Add implementation to create a role for EdgeX's services via Vault's /consul/roles/* APIs: this sets the stage for creating role-based Consul tokens used by EdgeX services
 - Add logic for creating token roles based on EdgeX service keys from configuration file
 - Update token-file-provider on edgex's default policy to add the permission for calling /consul/creds/"service-key" endpoint

Closes: edgexfoundry#3254, edgexfoundry#3160

Signed-off-by: Jim Wang <[email protected]>
jim-wang-intel added a commit that referenced this issue Mar 22, 2021
New addition for implementing for Consul's ACL policies creation and roles for Consul tokens generated later on via go-mod-secret
 - Add logic to check whether the ACL policy is already pre-existing before creation of new policy
 - Add implementation to create a new ACL policy
 - Add implementation to create a role for EdgeX's services via Vault's /consul/roles/* APIs: this sets the stage for creating role-based Consul tokens used by EdgeX services
 - Add logic for creating token roles based on EdgeX service keys from configuration file
 - Update token-file-provider on edgex's default policy to add the permission for calling /consul/creds/"service-key" endpoint

Closes: #3254, #3160

Signed-off-by: Jim Wang <[email protected]>