feat: Vault tokens are now identity-based instead of anonymous #4327
Conversation
| #PrivilegedTokenPath = "UNUSED" | ||
| #ConfigFile = "UNUSED" | ||
| #OutputDir = "UNUSED" | ||
| #OutputFilename = "UNUSED" |
There was a problem hiding this comment.
if we remove this, shouldn't it become breaking changes in terms of update pov?
There was a problem hiding this comment.
What this is actually doing is reusing the configuration.toml snippet from security-file-token-provider except that we don't need all of the parameters, just some of them (like the TTL on the vault token and JWT). I'm just making it clear that we don't use these parameters in spiffe-token-provider.
| // | ||
| // SPDX-License-Identifier: Apache-2.0' | ||
| // | ||
| package fileprovider | ||
| package common |
There was a problem hiding this comment.
update license header for year 2023
There was a problem hiding this comment.
Oh no! Just pushed a commit to update copyright dates.
| // Set a meta property that consuming serices can use to automatically scope secret queries | ||
| createTokenParameters["meta"] = map[string]interface{}{ | ||
| "edgex-service-name": serviceName, | ||
| randomPassword, err := credentialGenerator.Generate(context.TODO()) |
There was a problem hiding this comment.
what is context.TODO()?
There was a problem hiding this comment.
TODO returns a non-nil, empty Context. Code should use context.TODO when it's unclear which Context to use or it is not yet available (because the surrounding function has not yet been extended to accept a Context parameter)
The original implementation of the credential generator used a key derivation scheme that derived multiple passwords from the same base secret (that code used Context). We later changed it to just do random bits in base64. Context is no longer used, but left in the API to avoid having to modify a million places in the code. Per GO BKM, never pass a nil Context.
There was a problem hiding this comment.
Thanks for details explanation 👍
|
Resolved merge conflict in go.mod. |
| if identityId != "" { | ||
| err = m.secretStoreClient.DeleteIdentity(m.privilegedToken, username) | ||
| if err != nil { | ||
| return err | ||
| } | ||
| } | ||
|
|
||
| err = m.secretStoreClient.DeleteUser(m.privilegedToken, m.userPassMountPoint, username) | ||
| if err != nil { | ||
| return err | ||
| } |
There was a problem hiding this comment.
should we make this transactional or atomic? if deleting user somehow failed then you lost identity for that user isn't it?
There was a problem hiding this comment.
I think its ok. The ACL is attached to the identity so if you delete the identity the user is really gone. You could attempt to log in as the user, but it would error out as it isn't bound to anything. Moreover, if you recreated the user it would overwrite the identity and/or login, so a partial deletion would take up space but that's about it.
And if you redeleted the user due to an error, the lookupidentity would not find an identity and it would proceed to delete the login.
There was a problem hiding this comment.
ok, good to know that creating user would get a new identity.
This is an internal refactoring of security-secretstore-setup, security-file-token-provider, and security-spiffe-token-provider to generate Vault tokens that are based on a Vault identity instead of being anonymous tokens with an attached ACL. The consequence of this refactoring is that the token issuing components of EdgeX run with fewer required privileges than before, and it is possible to ask Vault for a verifiable JWT-based identity assertion of an EdgeX service. Signed-off-by: Bryon Nevis <[email protected]>
|
Kudos, SonarCloud Quality Gate passed!
|
| @@ -157,12 +157,15 @@ func TestNoDefaultsCustomPolicy(t *testing.T) { | |||
| mockAuthTokenLoader.On("Load", privilegedTokenPath).Return("fake-priv-token", nil) | |||
|
|
|||
| expectedService1Policy := `{"path":{"secret/non/standard/location/*":{"capabilities":["list","read"]}}}` | |||
| expectedService1Parameters := makeMetaServiceName("myservice") | |||
| //expectedService1Parameters := makeMetaServiceName("myservice") | |||
There was a problem hiding this comment.
remove the dead code
This is an internal refactoring of security-secretstore-setup, security-file-token-provider, and security-spiffe-token-provider to generate Vault tokens that are based on a Vault identity instead of being anonymous tokens with an attached ACL.
The consequence of this refactoring is that the token issuing components of EdgeX run with fewer required privileges than before, and it is possible to ask Vault for a verifiable JWT-based identity assertion of an EdgeX service.
This change should be completely transparent to all existing EdgeX services.
Signed-off-by: Bryon Nevis [email protected]
PR Checklist
Please check if your PR fulfills the following requirements:
BREAKING CHANGE:describing the break)Testing Instructions
New Dependency Instructions (If applicable)