Adapt to changed AppRole authentication modes in Spring Vault #174

Closed
mp911de opened this issue Oct 25, 2017 · 6 comments

@mp911de mp911de commented Oct 25, 2017

Allow configuration of:

RoleId:

  • Provided (push)
  • Pull
  • Wrapped (cubbyhole)

SecretId:

  • Provided (push)
  • Pull
  • Wrapped (cubbyhole)
  • Absent
@mp911de mp911de added this to the 2.0.0 RC1 milestone Nov 14, 2017

@vrudikov vrudikov commented Nov 15, 2017

Hi! Is this a complex task? How much time is it gonna take? Do you need any help?

@mp911de mp911de commented Nov 15, 2017

Thanks for asking. The main effort lies in modeling how the configuration makes the most sense. From my perspective it could make sense to keep roleId and secretId in sync. Usually, you wouldn't use pull mode for roleId and cubbyhole for secretId but either both using pull mode or cubbyhole. Not quite sure how to mix pull/cubbyhole for roleId with an absent secretId but maybe we don't need to support that in the first version so we can come back to this at a later point.

@mp911de mp911de commented Feb 6, 2018

Mapping out all possibilities requires a quite complex arrangement of configuration properties or, alternatively, keyword checking for roleId/secretId properties. Introducing a single new property (spring.cloud.vault.app-role.role for the role name) allows the following configuration combinations:

Configuration

Method RoleId SecretId RoleName Token
Provided RoleId/SecretId Provided Provided
Provided RoleId without SecretId Provided
Provided RoleId, Pull SecretId Provided Provided Provided Provided
Pull RoleId, provided SecretId Provided Provided Provided
Full pull mode Provided Provided
Wrapped Provided
Wrapped RoleId, provided SecretId Provided Provided
Provided RoleId, wrapped SecretId Provided Provided

Scenarios

RoleId SecretId
Provided Provided
Provided Pull
Provided Wrapped
Provided Absent
Pull Provided
Pull Pull
Pull Wrapped
Pull Absent
Wrapped Provided
Wrapped Pull
Wrapped Wrapped
Wrapped Absent
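
Added example, not part of the thread and not Spring Cloud Vault code: a small Java model of how the presence of four properties (roleId, secretId, role name, token) could resolve to the RoleId/SecretId modes listed in this issue. The precedence in `resolve` and all names are assumptions made for illustration; under them, eight of the twelve scenarios are expressible, the same count as the rows of the Configuration table, because a single token cannot be a pull token for one id and a wrapping token for the other.

```java
import java.util.LinkedHashSet;
import java.util.Set;

// Illustration only. The precedence rules in resolve() are an assumption
// made for this example, not taken from the project's code.
public class AppRoleModes {

    enum Mode { PROVIDED, PULL, WRAPPED, ABSENT }

    // Resolve one id (roleId or secretId) from the presence of its own
    // property, the role name and the token. Returns null if unresolvable.
    static Mode resolve(boolean idSet, boolean roleNameSet, boolean tokenSet, boolean mayBeAbsent) {
        if (idSet) return Mode.PROVIDED;                // value configured directly
        if (tokenSet && roleNameSet) return Mode.PULL;  // token reads the id for the named role
        if (tokenSet) return Mode.WRAPPED;              // token unwraps a cubbyhole response
        return mayBeAbsent ? Mode.ABSENT : null;        // only secretId may be absent
    }

    // Scenario for one combination of set/unset properties, or null when
    // no roleId can be determined.
    static String scenario(boolean roleId, boolean secretId, boolean roleName, boolean token) {
        Mode r = resolve(roleId, roleName, token, false);
        Mode s = resolve(secretId, roleName, token, true);
        return r == null ? null : r + "/" + s;
    }

    // Walk all 16 presence combinations of the four properties.
    static Set<String> reachable() {
        Set<String> seen = new LinkedHashSet<>();
        for (int bits = 0; bits < 16; bits++) {
            String sc = scenario((bits & 8) != 0, (bits & 4) != 0, (bits & 2) != 0, (bits & 1) != 0);
            if (sc != null) seen.add(sc);
        }
        return seen;
    }

    public static void main(String[] args) {
        Set<String> seen = reachable();
        System.out.println("expressible: " + seen);
        // Compare against the full RoleId x SecretId scenario matrix.
        for (Mode r : new Mode[] { Mode.PROVIDED, Mode.PULL, Mode.WRAPPED })
            for (Mode s : Mode.values())
                if (!seen.contains(r + "/" + s))
                    System.out.println("not expressible: " + r + "/" + s);
    }
}
```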

@vrudikov vrudikov commented Feb 6, 2018

@mp911de Awesome job! Thank you

@vrudikov vrudikov commented Feb 6, 2018

When is it gonna be available in public repos?

@mp911de mp911de commented Feb 6, 2018

Snapshots are already available, see spring-cloud/spring-cloud-release for the full release schedule.

nwarnke pushed a commit to nwarnke/spring-cloud-vault that referenced this issue Feb 27, 2019
httpcore 4.4.7 -> 4.4.8
netty 4.1.16.Final -> 4.1.17.Final
Jackson 2.9.1 -> 2.9.2
Spring Data Kay GA -> Kay SR1
Reactor Bismuth GA -> Bismuth SR3

Closes spring-cloudgh-174