Ability to list all secret path names from the SecretProvider #348
Comments
ajcasagrande
changed the title
|
@bnevis-i , @jim-wang-intel , I know we could do this with InsecureSecrets since it is just reading the config and collecting all the |
|
There is no server-supported way to do this, in fact, there has been a PR against Vault that offered just this functionality that was closed without merging because it could possibly bypass the ACL system. There were also concerns that the various storage backends are not optimized for this kind of query. I could be very inefficient or impossible to do this for a service-based backend, but easy for a database backend. That leaves client implementations. It would be impossible to start such a search at the root because the ACL system would forbid it. That means one would have to start at a known path and then iterate recursively on the client side. We would have to write all the code by hand. Because of the ACL system, there is no security concern doing this strictly from the client side. So, we could implement |
|
@bnevis-i Really what I would be after is to get the top level secrets for the current running EdgeX service. I am not familiar enough with EdgeX's Vault usage, but I assume each service is segregated out, maybe in their own "basePath"? In that case the Essentially if there are the following secrets {
"apiVersion":"v2",
"path": "FooCreds",
"secretData":[
{
"key":"username",
"value":"..."
},
{
"key":"password",
"value":"..."
}
]
}I would just want the list of those 3 names |
|
Yes, the root level (well, base of the service) is doable. I though GetSecrets without a secret list already did this? Or was it a list of keys that it takes? |
@bnevis-i yeah it takes a path and then list of keys, where the list of keys being empty means retrieve all sub-keys, unless there is a Vault specific implementation not exposed on the interface level. // GetSecret retrieves secrets from the service's SecretStore at the specified path.
GetSecret(path string, keys ...string) (map[string]string, error)Im running in non-secure mode right now, but that implementation at least does not let me do: sdk.RunningService().SecretProvider.GetSecret("") // returns "Error, path () doesn't exist in secret store"
sdk.RunningService().SecretProvider.GetSecret("/") // returns "Error, path (/) doesn't exist in secret store" |
|
I think Should do what you need, where
Where HOME is defined in the configuration.toml as [SecretStore].Path (internally prefixed with /v1/secret/edgex/ for purposes of the http request) |
bnevis-i
changed the title
|
@ajcasagrande When reviewing paths for listing secrets, consul returns all sub-directories, see example one (1) below. In your mentioning above, you only want top-level paths returned as defined in example two (2), correct? Example 1 (Actual list returned): Consul: Path used "edgex/appservices/2.0/app-rules-engine" [
"edgex/appservices/2.0/app-rules-engine/Clients/core-metadata/Host",
"edgex/appservices/2.0/app-rules-engine/Clients/core-metadata/Port",
"edgex/appservices/2.0/app-rules-engine/Clients/core-metadata/Protocol",
"edgex/appservices/2.0/app-rules-engine/Database/BatchSize",
"edgex/appservices/2.0/app-rules-engine/Database/Host",
"edgex/appservices/2.0/app-rules-engine/Database/MaxIdle",
"edgex/appservices/2.0/app-rules-engine/Database/Port",
"edgex/appservices/2.0/app-rules-engine/Database/Timeout",
"edgex/appservices/2.0/app-rules-engine/Database/Type",
"edgex/appservices/2.0/app-rules-engine/HttpServer/HTTPSCertName"
]
Example 2 (proposed list returned - top level): Consul: Path used "edgex/appservices/2.0/app-rules-engine" [
"edgex/appservices/2.0/app-rules-engine/Clients/",
"edgex/appservices/2.0/app-rules-engine/Database/",
"edgex/appservices/2.0/app-rules-engine/HttpServer/"
]
Valult returns a list of keys as defined in Example three (3), which includes top-level keys and sub-directories. If this meets your expectations then I can complete the update. {
"request_id": "26e5426d-7184-801b-c106-eeaf6f085d64",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
"keys": [
"app-rules-engine/",
"core-command/",
"core-data/",
"core-metadata/",
"security-bootstrapper-redis/",
"support-notifications/",
"support-scheduler/"
]
},
"wrap_info": null,
"warnings": null,
"auth": null
}
|
For insecure secrets you don't need to go to Consul. Service may not be using Consul.You just need to look at the InescureSecrets map in the Service's loaded configuration. |
For Vault you have the services' SecretStore listed, not the Secrets that a service has. Remember that this API is looking at the list of secret paths for a current service. |
This is correct. I misspoke on my terminology usage of consul. I was testing getting insecure secrets with the API and all paths are returned. |
This a a per service thing. So the single URL for view InsecureSecrets for |
Signed-off-by: Kyle Morton <[email protected]>
@bnevis-i it is much simpler since |
Signed-off-by: Kyle Morton <[email protected]>
Signed-off-by: Kyle Morton <[email protected]>
Signed-off-by: Kyle Morton <[email protected]>
* feat: Add SecretProvider API to list secrets paths for the current service #348 Signed-off-by: Kyle Morton <[email protected]>
🚀 Feature Request
Relevant Package [REQUIRED]
go-mod-bootstrap SecretProvider
Description [REQUIRED]
Not sure if this would introduce a secerity concern (though it only removes a small amount of security through obscurity which isn't really security anyways).
It would be nice to be able to list the path names for all secrets in the SecretStore. The target use case I envision would be the ability to do something like this:
This is currently not possible because you cannot get a list of all of the secret names/paths, you need to know the name/path beforehand.
Describe the solution you'd like
Something like this (name is just a suggestion):
Describe alternatives you've considered
Not really any alternatives or workarounds.
The text was updated successfully, but these errors were encountered: