GUACAMOLE-641: Add support for populating arbitrary parameter tokens from key vaults. #336
Initial review, with some minor questions/comments and a couple of minor things to fix, but, unsurprisingly, overall it looks good. Worth noting that I do not have a way to test it...
Review comments on:
extensions/guacamole-auth-vault/modules/guacamole-auth-vault-azure/pom.xml
...in/java/org/apache/guacamole/auth/vault/azure/AzureKeyVaultAuthenticationProviderModule.java
...in/java/org/apache/guacamole/auth/vault/azure/conf/AzureKeyVaultAuthenticationException.java
...azure/src/main/java/org/apache/guacamole/auth/vault/azure/conf/AzureKeyVaultCredentials.java
...e/src/main/java/org/apache/guacamole/auth/vault/azure/secret/AzureKeyVaultSecretService.java
...ole-auth-vault-base/src/main/java/org/apache/guacamole/auth/vault/user/VaultUserContext.java
…iom. From apache#336 (comment):

> SLF4J formerly recommended that instance variables be used
> (non-static), but no longer takes either stance:
> https://www.slf4j.org/faq.html#declared_static
>
> If we have to pick something to be the standard going forward, I'd
> say let's stick with the accepted idiom of `private static final`
> loggers, with the exception being where it's actually necessary to
> not be `static` (dependency injection).
Sorry for the delay in getting back to reviewing this. 6 months goes by quick. A few more comments and items to fix up...
Review comments on:
extensions/guacamole-auth-vault/modules/guacamole-auth-vault-azure/pom.xml
...lt-base/src/main/java/org/apache/guacamole/auth/vault/VaultAuthenticationProviderModule.java
...vault-base/src/main/java/org/apache/guacamole/auth/vault/conf/VaultConfigurationService.java
guacamole-ext/src/main/java/org/apache/guacamole/net/auth/TokenInjectingUserContext.java
guacamole-ext/src/main/java/org/apache/guacamole/token/GuacamoleTokenUndefinedException.java
...th-vault-base/src/main/java/org/apache/guacamole/auth/vault/VaultAuthenticationProvider.java
Force-pushed from 8da25f6 to 5415082.
OK - I believe I've resolved all feedback thus far, as well as brought things up to date. I also:
BUT, I've also converted this to draft because of difficulties in obtaining the license text from the "azure-annotations" dependency. To be clear, the
As noted in the placeholder above, I've already emailed Microsoft about this, and they are tracking things down, but are unsure whether this will be resolved soon due to the holidays. I've asked whether they can send us the
Okay, a few more comments while you wait for the feedback from Microsoft....or you don't get any feedback and we just have to pick a route and go for it.
Review comments on:
...uacamole-vault-base/src/main/java/org/apache/guacamole/auth/vault/user/VaultUserContext.java
Force-pushed from ba32262 to 3559a76.
…ult implementation.
…cationiProviderModule" should be "AzureKeyVaultAuthenticationProviderModule".
…ot provide auth).
Force-pushed from 3559a76 to 925c702.
…avoid confusion with "GUAC_USERNAME". The "GUAC_USERNAME" token provided by the webapp is based off the username provided by the user when they authenticated. The username token provided by the vault extensions uses the username stored with the user's corresponding object, which may not be the same.
…okens via privileged access, if possible.
…ens only if corresponding parameters are non-empty.
Force-pushed from 925c702 to 6c6c20c.
These changes add a new family of extensions, similar to "guacamole-auth-jdbc", which provide support for retrieval of secrets from key vaults: "guacamole-vault". Initial support for Azure Key Vault is present through the "guacamole-vault-azure" module, with the necessary structure in place to allow other implementations to be provided in the future.
The general support works as follows:
GUACAMOLE_HOME
which defines a token/secret mapping. Besides defining tokens, the names of each secret may also contain tokens which allow the secret name to vary by connection ID, hostname, username, etc. There is a specific set of tokens available for use within secret names. This thus allows secret values like passwords and private keys to be stored off-site within the vault and retrieved dynamically based on context.
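The flow the description sketches (a mapping from parameter tokens to secret names, secret names that themselves contain context tokens, and a lookup against the vault) as an added, stand-alone illustration; this is not code from the pull request or from Guacamole itself. The `${NAME}` placeholder syntax, the context token names `CONNECTION_ID`, `HOSTNAME` and `USERNAME`, the in-memory vault, the sample mapping and the `UndefinedTokenException` class are all assumptions made for this example.

```java
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Stand-alone model of the vault token flow described in this PR. None of
 * these classes are Guacamole's: the "${NAME}" token syntax, the context
 * token names and the in-memory vault are assumptions for this illustration.
 */
public class VaultTokenExample {

    /** Matches "${NAME}" placeholders inside a secret name (assumed syntax). */
    private static final Pattern TOKEN = Pattern.compile("\\$\\{([A-Za-z0-9_]+)\\}");

    /** Raised when a secret name references a token with no value in this context
     *  (a stand-in for a dedicated undefined-token exception; not the project's class). */
    public static class UndefinedTokenException extends Exception {
        public UndefinedTokenException(String token) {
            super("Token \"" + token + "\" is not defined in this context");
        }
    }

    /** Minimal vault abstraction: returns the secret value, or null if absent. */
    public interface SecretService {
        String getValue(String secretName);
    }

    /** Context tokens derived from the connection being established (hypothetical names). */
    public static Map<String, String> contextTokens(String connectionId, String hostname, String username) {
        Map<String, String> tokens = new HashMap<>();
        tokens.put("CONNECTION_ID", connectionId);
        tokens.put("HOSTNAME", hostname);
        // A token derived from a connection parameter is only defined when that parameter is non-empty.
        if (username != null && !username.isEmpty())
            tokens.put("USERNAME", username);
        return tokens;
    }

    /** Replaces every "${NAME}" in the template with its context value; fails closed on unknown tokens. */
    public static String resolveSecretName(String template, Map<String, String> tokens)
            throws UndefinedTokenException {
        Matcher m = TOKEN.matcher(template);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String value = tokens.get(m.group(1));
            if (value == null)
                throw new UndefinedTokenException(m.group(1));
            m.appendReplacement(out, Matcher.quoteReplacement(value));
        }
        m.appendTail(out);
        return out.toString();
    }

    /**
     * Applies a token/secret mapping (parameter token name -> secret name template)
     * and returns the parameter tokens to inject into the connection. Secrets whose
     * name cannot be resolved, or whose value is empty, are skipped rather than
     * injected as blanks or as literal "${...}" text.
     */
    public static Map<String, String> injectableTokens(Map<String, String> mapping,
            Map<String, String> context, SecretService vault) {
        Map<String, String> result = new LinkedHashMap<>();
        for (Map.Entry<String, String> entry : mapping.entrySet()) {
            String secretName;
            try {
                secretName = resolveSecretName(entry.getValue(), context);
            } catch (UndefinedTokenException e) {
                continue; // this token is simply not available for this connection
            }
            String value = vault.getValue(secretName);
            if (value != null && !value.isEmpty())
                result.put(entry.getKey(), value);
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed sample mapping, standing in for the mapping file in GUACAMOLE_HOME.
        Map<String, String> mapping = new LinkedHashMap<>();
        mapping.put("PASSWORD", "${HOSTNAME}-${USERNAME}-password");
        mapping.put("PRIVATE_KEY", "${CONNECTION_ID}-ssh-key");

        // Constructed in-memory vault contents.
        Map<String, String> secrets = new HashMap<>();
        secrets.put("db01-alice-password", "s3cr3t");
        secrets.put("42-ssh-key", "");   // present but empty: must not be injected
        SecretService vault = secrets::get;

        // Print only which tokens were populated; secret values never belong in logs.
        Map<String, String> tokens = injectableTokens(mapping, contextTokens("42", "db01", "alice"), vault);
        System.out.println("Populated tokens: " + tokens.keySet());

        // With no username, "${USERNAME}" is undefined, so PASSWORD is skipped entirely.
        tokens = injectableTokens(mapping, contextTokens("42", "db01", ""), vault);
        System.out.println("Populated tokens without username: " + tokens.keySet());
    }
}
```

Two behaviours are worth keeping when implementing this for real: an unresolvable secret name fails closed (the token is skipped, never injected with a literal `${...}` left in it), and empty secret values are never injected, so a misconfigured or partially populated vault entry cannot silently overwrite a credential with a blank. The example prints only token names for the same reason.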