[req] Ability to use JWT Role Name as Identity entity alias name #217

Open
Tracked by #226
mbillow opened this issue Oct 26, 2022 · 0 comments · May be fixed by #226
Labels
enhancement New feature or request

Comments

mbillow commented Oct 26, 2022

Problem

There are certain situations where individual claims in the JWT tokens are insufficient for properly identifying a unique identity.

Take GitLab JWTs as an example. Each claim in the JWT is a distinct, disparate piece of information about which repo, branch, user, etc. caused the CI job to spawn.

This makes it impossible to have granular Identities aliased to these JWTs. The finest-grained Identity we can have in this example is project_path, which severely limits the usefulness of the bound_claims restrictions that can be accomplished with roles. Building on this example, if we wanted to associate an identity with CI jobs in a certain repo but only on the main branch, that is impossible.

This becomes increasingly difficult in Vault Enterprise, where the Identity engine is used to grant permissions within child namespaces. In order to solve this in the short term, we have mounted per-namespace auth backends and are having users create their own roles within their namespace-local backends, which is potentially detrimental to our client count (core licensing metric).

Proposed Solution

Allow for the name of the role used during authentication to be used as the Identity entity alias name.

This would allow us to leverage the powerful bound_claims restrictions and map them directly to an Identity.

For example, we could create a role like:

{
  "name": "myteam.myproject.production",
  // add some boolean to toggle this behavior
  "role_name_as_entity_name": true,
  "bound_claims": {
    "project_path": "myteam/myproject",
    "ref_protected": "true",
    "environment": "production",
    "environment_protected": "true"
  }
}

Then an Identity:

{
  "name": "gitlab--myteam-myproject--prod"
}

And an alias:

{
  "name": "myteam.myproject.production",
  "canonical_id": "id-of-entity",
  "mount_accessor": "accessor-of-jwt-backend"
}

At this point, users are free to create internal groups (with the entity above as a member) in their namespaces with whatever policies they need. The auth mount can live in the root namespace, have access to any number of children, and we don't have to mount an auth backend per-namespace anymore.

@hsimon-hashicorp hsimon-hashicorp added the enhancement New feature or request label Oct 27, 2022
@mbillow mbillow linked a pull request Mar 26, 2023 that will close this issue
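The following Go program is an added illustration of the proposal above; it is not code from the issue or from the vault-plugin-auth-jwt code base. It models the two alias-derivation behaviours side by side: today's, where the alias name is the value of a single user claim (project_path), and the proposed one, where the alias name is the role name. The `RoleNameAsEntityName` field stands for the hypothetical `role_name_as_entity_name` toggle, the roles and the decoded GitLab CI claims are constructed sample data, and token signature verification is assumed to have happened before bound_claims are evaluated.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Claims is the decoded payload of a CI JWT. Signature verification is out of
// scope here: the token is assumed to have been validated already, as the plugin
// does before it evaluates bound_claims.
type Claims map[string]string

// Role carries the fields discussed in the issue. RoleNameAsEntityName models the
// proposed "role_name_as_entity_name" toggle; it is hypothetical, not a field the
// plugin exposes today.
type Role struct {
	Name                 string
	UserClaim            string            // existing behaviour: alias name = value of this claim
	RoleNameAsEntityName bool              // proposed behaviour: alias name = role name
	BoundClaims          map[string]string // every entry must match the token exactly
}

// unmatchedBoundClaims returns the bound claims the token does not satisfy, sorted
// so the output is stable. An empty result means the role accepts the token.
func unmatchedBoundClaims(role Role, claims Claims) []string {
	var bad []string
	for k, want := range role.BoundClaims {
		if got, ok := claims[k]; !ok || got != want {
			bad = append(bad, k)
		}
	}
	sort.Strings(bad)
	return bad
}

// AliasName derives the entity alias name for a token logging in through role.
func AliasName(role Role, claims Claims) (string, error) {
	if bad := unmatchedBoundClaims(role, claims); len(bad) > 0 {
		return "", fmt.Errorf("role %q: bound_claims not satisfied: %v", role.Name, bad)
	}
	if role.RoleNameAsEntityName {
		return role.Name, nil
	}
	v, ok := claims[role.UserClaim]
	if !ok || v == "" {
		return "", errors.New("user_claim " + role.UserClaim + " missing from token")
	}
	return v, nil
}

// sampleRoles returns constructed roles: the production role from the issue plus a
// staging role bound to the same project.
func sampleRoles(useRoleName bool) []Role {
	return []Role{
		{
			Name: "myteam.myproject.production", UserClaim: "project_path", RoleNameAsEntityName: useRoleName,
			BoundClaims: map[string]string{
				"project_path": "myteam/myproject", "ref_protected": "true",
				"environment": "production", "environment_protected": "true",
			},
		},
		{
			Name: "myteam.myproject.staging", UserClaim: "project_path", RoleNameAsEntityName: useRoleName,
			BoundClaims: map[string]string{"project_path": "myteam/myproject", "environment": "staging"},
		},
	}
}

// Constructed sample tokens: decoded GitLab CI claims, no real secrets.
var prodJob = Claims{"project_path": "myteam/myproject", "ref": "main", "ref_protected": "true",
	"environment": "production", "environment_protected": "true"}
var stagingJob = Claims{"project_path": "myteam/myproject", "ref": "feature/x", "ref_protected": "false",
	"environment": "staging", "environment_protected": "false"}

// DistinctAliases logs each job in through its matching role and reports how many
// distinct alias names (and hence entities) the two jobs end up with.
func DistinctAliases(useRoleName bool) (int, error) {
	roles := sampleRoles(useRoleName)
	seen := map[string]bool{}
	for i, claims := range []Claims{prodJob, stagingJob} {
		name, err := AliasName(roles[i], claims)
		if err != nil {
			return 0, err
		}
		seen[name] = true
	}
	return len(seen), nil
}

func main() {
	n, _ := DistinctAliases(false)
	fmt.Println("user_claim=project_path      ->", n, "distinct alias: both jobs share one entity")
	n, _ = DistinctAliases(true)
	fmt.Println("role_name_as_entity_name     ->", n, "distinct aliases: one entity per role")
	_, err := AliasName(sampleRoles(true)[0], stagingJob)
	fmt.Println("staging job via production role:", err)
}
```

With project_path as the user claim, the production and staging jobs satisfy different roles yet collapse onto the same alias, so any policy attached to the entity applies to both. With the role name as the alias, the bound_claims that gate each role also decide which entity the job becomes, and a job that fails a role's bound_claims gets no alias at all rather than a coarser one.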