**Describe the bug**

We developed our own database plugin for managing Kerberos keytab creation for users, services and machines in our environment.

Under the v4 plugin we were able to return the keytab to a user calling `creds/kerberos/role` and store it in a Vault path, making these calls idempotent (a user was able to ask several times for the password of a single Kerberos user).

Under v5, each time a user requests a principal we manage the creation of the keytab, but we are unable to provide the answer to the API for it to return it to the user.

This leads to random, useless passwords being generated and printed for users in the output, while the real keytab is never returned.

**To Reproduce**

We create credentials:

```
vkli[11366] - vault.keos-core > vault read /kerberos-eos/creds/6aa6f4bf23150e42d25bd4289c9acc44d68872c52b5470f87ee390a7482dee99
{
  "request_id": "d2fa1872-c196-3638-dbfe-5bd3d46cb0e8",
  "lease_id": "kerberos-eos/creds/6aa6f4bf23150e42d25bd4289c9acc44d68872c52b5470f87ee390a7482dee99/FORp9ljs311auk67eleOrHVO",
  "lease_duration": 1577880000,
  "renewable": true,
  "data": {
    "password": "Ocb-Jj9c7QOLAidgqHNM",
    "username": "marcotest"
  },
  "warnings": null
}
```

These are the credentials generated in the first call, which are stored within Vault at a specific path. As seen, the password (which is marcotest_keytab) does not match.

```
vkli[11366] - vault.keos-core > vault read /secret/6aa6f4bf23150e42d25bd4289c9acc44d68872c52b5470f87ee390a7482dee99
{
  "request_id": "e3929eb7-e846-286d-883a-ca0704db31a4",
  "lease_id": "",
  "lease_duration": 2764800,
  "renewable": false,
  "data": {
    "marcotest_keytab": "BQIAAABTAAEAE1ZBR1JBTlQtQ0xVU1RFUi5JTlQACW1hcmNvdGVzdAAAAAFhMeKyAgASACB/ROVBoz55ireczp99Yq/kRQLtqe44lnwI3nqpOwlJTwAAAAIAAABDAAEAE1ZBR1JBTlQtQ0xVU1RFUi5JTlQACW1hcmNvdGVzdAAAAAFhMeKyAgARABDTY/uLebmaNx70fMkYIfTJAAAAAgAAAEMAAQATVkFHUkFOVC1DTFVTVEVSLklOVAAJbWFyY290ZXN0AAAAAWEx4rICABcAEGs6xHEzAGz/N712M8+TiGcAAAAC",
    "marcotest_principal": "marcotest"
  },
  "warnings": null
}
```

If we make a second call we get a new and different password:

```
vkli[11366] - vault.keos-core > vault read /kerberos-eos/creds/6aa6f4bf23150e42d25bd4289c9acc44d68872c52b5470f87ee390a7482dee99
{
  "request_id": "5b3e8a3d-a539-106d-603a-bff00f0649af",
  "lease_id": "kerberos-eos/creds/6aa6f4bf23150e42d25bd4289c9acc44d68872c52b5470f87ee390a7482dee99/juDR5wjoZGB3ri4uCQPAV3zG",
  "lease_duration": 1577880000,
  "renewable": true,
  "data": {
    "password": "P-sf-UcgVfhC7cAJfYSx",
    "username": "marcotest"
  },
  "warnings": null
}
```

**Expected behavior**

I would like to have a way for Vault to acknowledge my password and return it, as we already manage inside our dbplugin the retrieval of the password if it is already stored in the Vault K/V.

**Environment:**

- Vault 1.6
- Server Operating System/Architecture: K8s

**Additional context**

Password policies do not allow us to manage this kind of password, and we need a way to move to v5.

---

This is also a serious issue for creating an InfluxDB v2 plugin. It does have the concept of user accounts, but the actual authentication information that needs to be returned is in the form of a token generated by the server. It cannot be set explicitly by the caller.
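The v4-to-v5 difference behind the report (and the InfluxDB comment) comes down to what the plugin interface lets a plugin hand back. The following Go program is an added illustration, not code from this issue, from Vault, or from the reporter's plugin: the `DatabaseV4`, `NewUserRequest`, `NewUserResponse` and `DatabaseV5` types are local stand-ins that mirror the shape of the two interface generations as assumed here (v4 returned `(username, password, err)`; v5 receives a Vault-generated password in the request and returns only a username), and `KeytabPlugin` is a hypothetical plugin whose real credential is a keytab it keeps in its own in-memory side store, playing the role of the K/V path in the report. Running it shows the mismatch the reporter sees: the v5 read returns a fresh Vault-generated string on every call while the keytab the plugin actually provisioned never leaves the side store.

```go
package main

import (
	"context"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"time"
)

// DatabaseV4 mirrors the assumed shape of the old dbplugin (v4) contract:
// the plugin itself returned the credential it provisioned. Local stand-in, not the SDK.
type DatabaseV4 interface {
	CreateUser(ctx context.Context, expiration time.Time) (username, password string, err error)
}

// NewUserRequest, NewUserResponse and DatabaseV5 mirror the assumed dbplugin/v5
// shapes: Vault supplies the password, and the plugin may only report a username.
type NewUserRequest struct {
	Password   string
	Expiration time.Time
}

type NewUserResponse struct {
	Username string
}

type DatabaseV5 interface {
	NewUser(ctx context.Context, req NewUserRequest) (NewUserResponse, error)
}

// KeytabPlugin is a hypothetical stand-in for the reporter's Kerberos plugin. It
// mints one keytab per principal and keeps it in its own side store (constructed
// in memory here; the Vault K/V path plays that role in the report).
type KeytabPlugin struct {
	principal string
	store     map[string]string // principal -> base64 keytab
}

func NewKeytabPlugin(principal string) *KeytabPlugin {
	return &KeytabPlugin{principal: principal, store: map[string]string{}}
}

// StoredKeytab returns what the plugin really provisioned for a principal.
func (p *KeytabPlugin) StoredKeytab(principal string) string { return p.store[principal] }

// randomToken stands in for both keytab material and a password-policy output.
func randomToken(n int) string {
	buf := make([]byte, n)
	if _, err := rand.Read(buf); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(buf)
}

// mintKeytab is idempotent: a second request for the same principal gets the same keytab.
func (p *KeytabPlugin) mintKeytab() string {
	if kt, ok := p.store[p.principal]; ok {
		return kt
	}
	kt := randomToken(24)
	p.store[p.principal] = kt
	return kt
}

// v4 path: the keytab is returned as the password.
func (p *KeytabPlugin) CreateUser(_ context.Context, _ time.Time) (string, string, error) {
	return p.principal, p.mintKeytab(), nil
}

// v5 path: the keytab can only go to the side store; req.Password is Vault's, and
// the response has no field in which to return anything but the username.
func (p *KeytabPlugin) NewUser(_ context.Context, req NewUserRequest) (NewUserResponse, error) {
	p.mintKeytab()
	_ = req.Password
	return NewUserResponse{Username: p.principal}, nil
}

// IssueV4 models a creds/<role> read against a v4 plugin.
func IssueV4(p DatabaseV4) (string, string, error) {
	return p.CreateUser(context.Background(), time.Now().Add(time.Hour))
}

// IssueV5 models the same read against a v5 plugin: Vault generates the password
// before calling the plugin and returns that, whatever the plugin provisioned.
func IssueV5(p DatabaseV5) (string, string, error) {
	pw := randomToken(15)
	resp, err := p.NewUser(context.Background(), NewUserRequest{Password: pw, Expiration: time.Now().Add(time.Hour)})
	if err != nil {
		return "", "", err
	}
	return resp.Username, pw, nil
}

func main() {
	p := NewKeytabPlugin("marcotest")
	u, pw, _ := IssueV5(p)
	fmt.Printf("v5 read returned %s / %s\n", u, pw)
	_, pw2, _ := IssueV5(p)
	fmt.Printf("second v5 read returned password %s\n", pw2)
	fmt.Printf("keytab the plugin actually provisioned: %s\n", p.StoredKeytab("marcotest"))
}
```

Two calls to `IssueV4` return the same keytab, which is the idempotent behaviour the report describes for v4; two calls to `IssueV5` return two unrelated passwords and neither is the keytab in the store. A server-generated InfluxDB token would be stuck in the same place as the keytab here.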