Comments (14)
I was thinking along the lines of I'd rather support one or the other but not both. When we target 0.6, just using response wrapping would really simplify client implementations because it would be a standard API.
I'd rather not support both at this time just because that would increase the complexity of the project, especially considering we don't have proper integration tests yet. If @chill would like to tackle it, I would gladly accept a PR that dropped the old code (and dropped support for Vault 0.5), rather than trying to support both. I'd imagine in 1-2 months everyone would be on the response wrapping API and I wouldn't want people to depend on that code if it'll end up neglected.
from vault-gatekeeper.
I'm planning to close this issue once I cut a new release. I'd like to get some tests up and running (working in the travis branch) before making a new release, which should be done this week.
Yes, the client side of the request now uses Response Wrapping which was introduced in Vault 0.6.
The only change you must make is to the vault backend, which is now written to the /response path.
curl -L \
-H "X-Vault-Token: $VAULT_TEMP_TOKEN" \
-X GET "https://$VAULT_ADDR/v1/cubbyhole/response"
The format of the response has changed as well.
Supporting both would be awesome (at least for a while).
I just got this working with 5, lol.
On a side note, well done @ChannelMeter.
@siddharthist I had this same question; reading through the vault docs, vault-gatekeeper-mesos will still work with vault 0.6, as the cubbyhole endpoint still exists and still functions in the way required by vault-gatekeeper-mesos, since vault 0.5.
Despite this, it would be nice to use response wrapping, as then you get the full original vault secret back, including TTL, etc. That would save vault-gatekeeper-mesos having to write those things out into the cubbyhole itself, which it currently doesn't do anyway, but would be useful.
I was made aware of the response wrapping quite some time ago - AFAICT, response wrapping is a formal "correct" way to handle cubbyhole auth, but is still just syntax sugar. The current method should still work with Vault 0.6, and we may want to keep doing it our way to support older vault versions for the time being.
If we ever switch to response wrapping it will include a notice that we would be dropping support for Vault <0.6.
@nemothekid Is there a reason not to have both?
@siddharthist @nemothekid I'm happy to / would like to build a PR to allow both, if you're interested
If a bool was added to the /token request json to indicate whether the requester wanted response wrapping to be used, older clients wouldn't have to worry about upgrading because the field in the struct that the request json gets deserialised to would just remain false.
@nemothekid We were looking at integrating vgm with Mantl.io, and we're already familiar with the new response wrapping API, which is especially why I ask.
@chill That sounds awesome 👍
Happy to do so
@nemothekid How's that going? Did you identify any issues in your testing I could try and help out with?
Version v0.5.2 now works exclusively with wrapped responses (so only version 0.6.0 of Vault and greater).
Nimi, I just upgraded my deployments to Vault 6.0 and VGM 0.5.2. I'm no longer getting my perm token returned for some reason.
I pass this and successfully receive a temp token still:
VAULT_TEMP_TOKEN="`curl -s -L \
-H 'Content-Type: application/json' \
-X POST \
-d '{ "task_id":"'$MESOS_TASK_ID'" }' \
"https://$VGM_ADDR/token"`"
Then I use that temp token to try and get the perm token
curl -L \
-H "X-Vault-Token: $VAULT_TEMP_TOKEN" \
-X GET "https://$VAULT_ADDR/v1/cubbyhole/vault-token"
But since the upgrade, getting Permission Denied. Does anything change on the client side in terms of the curl request?
I am still wrapping my head around response wrapping (no pun intended) so I apologize if this is a user error.
The documentation in the README in the root of the project suggests that VGM doesn't use response wrapping: "[VGM will] request the creation of 2 tokens (temp and perm). The temp token, which can only be used twice, will be first used by Vault internally to write the perm token into it's own Cubbyhole at the path response. This temp token is then provided to the service which can use that token to retrieve the perm token."
Might be good to update the README accordingly?
(I'm assuming that the protected service can now use "https://$VAULT_ADDR/v1/sys/wrapping/unwrap" rather than "https://$VAULT_ADDR/v1/cubbyhole/response" to unwrap the token?)
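As an added example that is not part of the thread or of vault-gatekeeper itself, the following Go program shows the client side of the flow the maintainer describes (temp token read against /v1/cubbyhole/response after the v0.5.2 change) and the alternative the last commenter asks about (POST /v1/sys/wrapping/unwrap with the temp token as X-Vault-Token, which is Vault's standard unwrap endpoint from 0.6 on). The parsing functions decode the two response shapes; the cubbyhole read wraps the original token-creation response as a JSON string under data.response, which is the format change mentioned above. The environment variable names mirror the curl commands in the thread; the sample body is constructed for the offline run and the response field names are those of Vault's token-creation API.

```go
package main

// Added example for this thread (not vault-gatekeeper's own code): the client side of
// the Vault 0.6 response-wrapping flow. Assumptions are marked inline.

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"os"
)

// Constructed sample of what GET /v1/cubbyhole/response returns under response
// wrapping: Vault stores the original token-creation response as a JSON string.
const sampleCubbyholeBody = `{"data":{"response":"{\"auth\":{\"client_token\":\"s.EXAMPLEPERM\",\"lease_duration\":3600}}"}}`

// vaultTokenResponse is the subset of a Vault token-creation response we need.
type vaultTokenResponse struct {
	Auth struct {
		ClientToken   string `json:"client_token"`
		LeaseDuration int    `json:"lease_duration"`
	} `json:"auth"`
}

// permTokenFromUnwrap parses the original token-creation response, which is exactly
// what POST /v1/sys/wrapping/unwrap returns when called with the temp token.
func permTokenFromUnwrap(body []byte) (string, error) {
	var r vaultTokenResponse
	if err := json.Unmarshal(body, &r); err != nil {
		return "", fmt.Errorf("unwrapped body: %w", err)
	}
	if r.Auth.ClientToken == "" {
		return "", fmt.Errorf("unwrapped body has no auth.client_token")
	}
	return r.Auth.ClientToken, nil
}

// permTokenFromCubbyhole parses GET /v1/cubbyhole/response. The wrapped response sits
// under data.response as a string, so the body has to be decoded twice.
func permTokenFromCubbyhole(body []byte) (string, error) {
	var outer struct {
		Data struct {
			Response string `json:"response"`
		} `json:"data"`
	}
	if err := json.Unmarshal(body, &outer); err != nil {
		return "", fmt.Errorf("cubbyhole body: %w", err)
	}
	if outer.Data.Response == "" {
		return "", fmt.Errorf("cubbyhole body has no data.response")
	}
	return permTokenFromUnwrap([]byte(outer.Data.Response))
}

// vaultCall makes one authenticated request and surfaces any non-200 with its body, so
// the "permission denied" from the thread is reported instead of yielding an empty token
// (a wrapping token may only hit cubbyhole/response and sys/wrapping/unwrap).
func vaultCall(client *http.Client, method, url, token string) ([]byte, error) {
	req, err := http.NewRequest(method, url, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("X-Vault-Token", token)
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return nil, err
	}
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("%s %s: HTTP %d: %s", method, url, resp.StatusCode, body)
	}
	return body, nil
}

func main() {
	// Mirrors the curl in the thread: VAULT_ADDR is host[:port], VAULT_TEMP_TOKEN the temp token.
	addr, temp := os.Getenv("VAULT_ADDR"), os.Getenv("VAULT_TEMP_TOKEN")
	if addr == "" || temp == "" {
		tok, err := permTokenFromCubbyhole([]byte(sampleCubbyholeBody))
		fmt.Println("offline demo on the constructed sample:", tok, err)
		return
	}
	client := &http.Client{}
	// Unwrap returns the original response directly; the cubbyhole variant would be a GET on
	// .../v1/cubbyhole/response fed to permTokenFromCubbyhole. The temp token is spent either way.
	body, err := vaultCall(client, http.MethodPost, "https://"+addr+"/v1/sys/wrapping/unwrap", temp)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	perm, err := permTokenFromUnwrap(body)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("perm token obtained (%d chars)\n", len(perm))
}
```

Run it with VAULT_ADDR and VAULT_TEMP_TOKEN set exactly as for the curl commands above; without them it only exercises the parser on the constructed sample. Whichever endpoint you pick, use it once: the temp token is consumed by the unwrap, so a first request to a path the wrapping token cannot read leaves nothing for the second attempt.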