[WFCORE-4484] Support SSH Authentication for Git persistence
1 parent
f566cbe
commit ad308c9
elytron/WFCORE-4484-ssh-authentication-git-persistence.adoc
@@ -0,0 +1,134 @@ | ||
= [WFCORE-4484] Support SSH authentication for Git persistence | ||
:author: Ashley Abdel-Sayed | ||
:email: aabdelsa@redhat.com | ||
:toc: left | ||
:icons: font | ||
:idprefix: | ||
:idseparator: - | ||
|
||
== Overview | ||
|
||
When using a Git repository to manage your WildFly configuration file history, it is possible to use an Elytron | ||
configuration file for authentication. However, it is currently only possible to specify credentials to authenticate | ||
with HTTP, not SSH, even though Git supports SSH authentication. This proposal is to add support for SSH authentication | ||
for Git persistence using an Elytron configuration file. | ||
|
||
The option will be added for users to specify the location, filename, and passcode to an existing SSH private key to use | ||
as credentials for SSH authentication. | ||
|
||
The option will also be added to specify the keys to be used for authentication as KeyPairCredentials. This will mean | ||
supporting specifying KeyPairCredentials in an Elytron configuration file as a credential or as a reference to an entry in | ||
a CredentialStore. This will require modifying the KeyPairCredential to accept the OpenSSH public and private key formats. | ||
The KeyPairCredential type will also support the RSA, DSA, ECDSA, and EDDSA algorithms. The user should then be able to | ||
configure their WildFly standalone server to connect to a Git repo and authenticate with SSH to manage their configuration | ||
file history. | ||
|
||
== Issue Metadata | ||
|
||
=== Issue | ||
|
||
* https://issues.jboss.org/browse/WFCORE-4484[WFCORE-4484] | ||
|
||
=== Related Issues | ||
|
||
* https://issues.jboss.org/browse/EAP7-1213[EAP7-1213] | ||
* https://issues.jboss.org/browse/WFLY-12574[WFLY-12574] | ||
* https://issues.jboss.org/browse/ELY-1879[ELY-1879] | ||
|
||
=== Dev Contacts | ||
|
||
* mailto:{email}[{author}] | ||
|
||
=== QE Contacts | ||
TBD | ||
|
||
=== Testing By | ||
// Put an x in the relevant field to indicate if testing will be done by Engineering or QE. | ||
// Discuss with QE during the Kickoff state to decide this | ||
[ ] Engineering | ||
|
||
[ ] QE | ||
|
||
=== Affected Projects or Components | ||
|
||
=== Other Interested Projects | ||
|
||
== Requirements | ||
|
||
=== Hard Requirements | ||
|
||
==== JGit/SSHD | ||
* It should be possible to connect to a remote git repo and authenticate with SSH to manage the Git configuration file history. | ||
This will be done using the Apache Mina SSHD session factory supported by JGit | ||
|
||
==== Elytron Tool | ||
|
||
The following commands will be added to the Elytron tool | ||
|
||
* `--generate-key-pair` - this will generate a private and public key pair and store them in a credential store. It will | ||
have the following options: | ||
** `--algorithm` - mandatory, indicates the algorithm to be used to generate the keys: RSA, DSA, ECDSA, or EDDSA | ||
** `--size` - the size of the key, only specified for RSA algorithm, by default is 2048 for RSA (the size is always 1024 | ||
for DSA) | ||
** `--passphrase` - an optional passphrase to be used to encode the key | ||
** `--alias` - the alias to store the key under | ||
|
||
* `--import-key-pair` - this will import a private key and store it in a credential stores. It will have the following | ||
options: | ||
** `--public-key` - the private key to import as a String, mandatory if `--public-key-location` is not defined | ||
** `--private-key` - the private key to import as a String, mandatory if `--private-key-location` is not defined | ||
** `--public-key-location` - the path to and identity of the key (eg. ~/.ssh/id_rsa), mandatory if `--public-key` is not defined | ||
** `--private-key-location` - the path to and identity of the key (eg. ~/.ssh/id_rsa.pub), mandatory if `--private-key` is not defined | ||
** `--passphrase` - an optional passphrase used to encode the private key | ||
** `--algorithm` - the algorithm used to generate the keys | ||
** `--alias` - the alias to store the KeyPair under | ||
|
||
* `--export-public-key` - this will return a single Base64 value which is the public key in it’s encoded form. It will | ||
have the following options: | ||
** `--alias` - the alias the KeyPair is stored under | ||
|
||
* `--export-private-key` - this will return a single Base64 value which is the private key in it’s encoded form. It will | ||
have the following options: | ||
** `--alias` - the alias the KeyPair is stored under | ||
|
||
==== Elytron XML File | ||
|
||
* It should be possible to specify SSH credentials to be used for authentication in the Elytron XML configuration file | ||
** There should be the option to specify the existing `key-pair` credential type but with the added option of specifying | ||
keys in the new OpenSSH format | ||
** There should be the option to reference a KeyPairCredential stored in a CredentialStore | ||
** It should be possible to specify the location and identity of a private key (eg. ~/.ssh/id_rsa). The user should also | ||
be able to specify the passphrase used to encode the key. | ||
|
||
=== Nice-to-Have Requirements | ||
|
||
=== Non-Requirements | ||
|
||
== Test Plan | ||
|
||
==== JGit/SSHD | ||
|
||
* Tests will be added to the WildFly-Core testsuite to test SSH authentication when connecting to a Git repository | ||
** Tests will be added to test successful authentication when specifying the location, name, and passphrase to the file | ||
containing a private key | ||
** Tests will be added to test successful authentication using a KeyPairCredential with all supported algorithm types | ||
|
||
==== Elytron Tool | ||
|
||
* Tests will be added to the Elytron testsuite to test generating and importing a KeyPairCredential succesfully into | ||
a CredentialStore with all supported algorithms | ||
|
||
==== Elytron XML File | ||
* Tests will be added to the Elytron testsuite to test parsing an SSH credential specified as a location, name and passphrase | ||
of a file | ||
* Tests will be added to test parsing of a `key-pair` credential type in the OpenSSH format for all supported algorithms | ||
|
||
== Community Documentation | ||
|
||
* Documentation will be added to https://github.com/wildfly/wildfly/blob/master/docs/src/main/asciidoc/_admin-guide/management-tasks/Configuration_file_git_history.adoc[Git Configuration File History] | ||
under a new section SSH Authentication detailing how to configure SSH authentication with the different possible credential | ||
configurations. | ||
* Documentation will be added to https://github.com/wildfly/wildfly/blob/master/docs/src/main/asciidoc/_elytron/Credential_Store.adoc[Credential Store] | ||
to describe the new options to generate and import KeyPairCredentials | ||
* Documentation will be added to https://github.com/wildfly/wildfly/blob/master/docs/src/main/asciidoc/_elytron/Client_Authentication_with_Elytron_Client.adoc[Client Authentication with Elytron Client] | ||
to describe the changes to the KeyPairCredential and the new option to specify a private keys location as a credential. |
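Review bot: the `--import-key-pair` option list has two copy-paste mix-ups: `--public-key` is described as "the private key to import as a String", and the example paths are swapped (`--public-key-location` shows `~/.ssh/id_rsa` while `--private-key-location` shows `~/.ssh/id_rsa.pub`); the public-key entries should read "the public key to import as a String" with `~/.ssh/id_rsa.pub`, and the private-key location example should be `~/.ssh/id_rsa`. Minor wording in the same hunk: "store it in a credential stores" should be "a credential store", "it's encoded form" should be "its encoded form" (in both export commands), and "succesfully" should be "successfully". On `--size`, the text fixes DSA at 1024 bits; since 1024-bit DSA is below current recommendations (NIST has withdrawn DSA for new signatures and OpenSSH disables ssh-dss by default), the requirement should say whether DSA is kept only for compatibility with existing keys and point users to RSA 2048 or ECDSA/EDDSA as the default choice. For `--export-private-key`, the requirement should state whether the returned Base64 value is the passphrase-protected form or the plaintext key, and for every command taking `--passphrase` whether the value can be prompted for rather than passed on the command line, where it would land in shell history and process listings. The "Affected Projects or Components" and "Other Interested Projects" sections are empty; at minimum WildFly Core (Git persistence), WildFly Elytron (credential store, KeyPairCredential) and the Elytron tool belong there, since the document changes all three.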