Secrets providers API, initial TextFile and EnvironmentVariable provider implementations #887
Conversation
…y-plugin Constant provider, add tests
…stead of python entry_points
Good catch! Probably on the last N iterations of working on this I was just working with existing secrets and forgot to test the new-secret flow with the latest code. Will fix. |
|
Presumably this is in support of #541, which did initially state that:
In support of the highlighted "device credentials", I was expecting there would be some kind of context and/or accommodations for devices, where a given device would be presented as a configurable parameter as |
The current idea is that rather than having a dynamic parameter in the Secret definition itself, we will provide the ability to associate a specific Secret with a single device or a set of devices (using the config-context pattern). This does mean that if you have a different set of credentials for each device, you will need to create a distinct Secret record per device (rather than a single Secret definition that somehow resolves to a different secret value per device), but in the (hopefully more common) case where you have a shared service account for a whole group of devices, you will be able to create a single Secret and share it across that set of devices. Does this adequately address your concern? |
|
You are addressing the more common, however, there is certainly examples of per device, I actually had a customer today tell us that the there is a new requirement for the user/pass to be per device. I am not a fan of the config-context pattern, as is a bit of magic that will not be obvious to users. I also think that with the |
|
Good points, thanks Ken. We should discuss this some more. Need to make sure that any solution we come up with isn't too tightly coupled with Devices specifically (as that was a key shortcoming of the old feature). I'm also hesitant about the usability/painfulness of potentially needing something like a mixture of Jinja2 templating with JSON if we need to have dynamic parameters to the lookup. |
|
Merging this into the |
… Groups (#868) * Initial model, UI, and REST API for Secrets * Secrets providers API, initial TextFile and EnvironmentVariable provider implementations (#887) * Add Secret.value property, add EnvironmentVariable provider, add dummy-plugin Constant provider, add tests * Add TextFileSecretProvider * Add docs * Improve display of secret providers in the UI * Refactor SecretsProvider registration to use the Nautobot registry instead of python entry_points * Refactor slightly * Add ability for secrets providers to define an HTML form for parameter inputs * Fix default value for JSONField and add error handling in JS * Add username_secret and token_secret support to GitRepository * Docs updates * Review feedback - add description field, etc. * Revise secrets docs; add SecretError exceptions instead of returning None on various failures * One of these days I'll remember to run flake8 before pushing * Review comments * SecretsGroup feature (#1042) * WIP * More WIP * WIP remove SecretType model * Such WIP. Wow * WIP: working secretsgroup-edit UI * More WIP * Change Category/Meaning to Access Type/Secret Type * Add SecretsGroup key to Device model; get tests passing * Add test coverage for REST API and filters * Add SecretsGroup view tests * Linting fixes * Docs updates * Cleanup leftover SecretType cruft * Update nautobot/docs/user-guides/git-data-source.md Co-authored-by: Jathan McCollum <jathan@gmail.com> * Fix egregious issues Co-authored-by: Jathan McCollum <jathan@gmail.com> * Support Jinja2 templating of secret parameters (#1058) * Support Jinja2 templating of secret parameters * Add secrets providers to plugin detail view * Doc updates * Include SecretsGroupAssociation in GraphQL * Move 'Secrets' to a top-level menu * Don't try to sort `SecretsProvider` class objects in plugin config features registry (#1065) * Fix TypeError when trying to sort `SecretsProvider` class objects * Don't sort `secrets_providers` when added to features. * Add release-note content for Secrets * Update nautobot/extras/views.py Co-authored-by: John Anderson <lampwins@gmail.com> * Change FK to SecretsGroup behavior to SET_NULL * Use render_jinja2() in rendered_parameters() Co-authored-by: Jathan McCollum <jathan@gmail.com> Co-authored-by: John Anderson <lampwins@gmail.com>
Fixes: #
SecretclassSecretsProviderabstract base class defining the interface for retrieving a specific secret from a specific secrets providerEnvironmentVariableSecretsProviderandTextFileSecretsProviderconcrete implementationsSecret.valueproperty now retrieves the value from the specifiedSecretsProviderwith the specifiedparametersSecretsProvidersubclassesConstantValueSecretsProviderSecretsProviderclasses can now provide aParametersFormthat will be displayed as an alternative to the JSON text fieldParametersFormwhen selecting or changing providersTODO:
EnvironmentVariableSecretsProviderandTextFileSecretsProviderto reduce potential security risks of allowing a user to access environment variables or filesystem files that they shouldn't actually be permitted to access.