[Do not merge] Identity templating support for allowed_domains-option for PKI secret engine's issue API call #6558
Conversation
…gine's issue API call.
@jefferai Does this PR cover what you suggested about applying identity templating to CN constraints? Thanks.
@jefferai We still require a way to impose constraints on the CN of a PKI's Don't mind changing to explicit role parameters either. But the problem at this moment is that we can only use the deprecated
The mechanics are fine, I think there is just a larger question on which parameters such templating should be activated (existing, new, or both), and whether by default or not.
This PR looks good to me. It satisfies multiple feature requests and @jefferai's request for implementation via identity templating. I think it would be nice to enable identity templating on all RDNs, but CN is definitely the most common one, so can we start with that? I think enabled by default is fine, since it's controlled by the PKI role.
I've got a need to use support for templated roles in the allowed_uri_sans field too. I'm happy to extend this pull request and add support for this, plus also a unit test, early next week.
I created #7216 based off this PR. The new pull request includes template support for the allowed_uri_sans field and adds tests. It also avoids a null pointer dereference if EntityInfo returns nil, which may happen if token auth is being used. I wasn't sure if creating a new PR or trying to get this one updated was the right approach. I decided to go ahead and make another PR, and can always cancel it if this PR is updated.
Waiting for this feature!
me too
What was blocking this feature going forward? Any way to unblock those discussions?
Closing because the PR author has a newer PR that implements the same feature (#8509).
Closing due to Nick's previous comment.
This MR applies identity templating to the `allowed_domains` option of the PKI secret engine's `issue` API call. For example, the PKI secret engine configuration below only allows domains that are equal to the auth method alias's name. This is an improvement over the `allow_token_displayname` option, which is considered insecure and deprecated, in favor of using exported entity data with more attributes like aliases and metadata, from the authentication methods to secret engines. We have tested the MR in our testing environment, and it works as a solution for #6457.