vault: add support for AppRole authentication

Bug #1796851 reported by James Page
Affects                    Status        Importance  Assigned to  Milestone
castellan                  Fix Released  Undecided   James Page
barbican (Ubuntu)          Fix Released  Medium      James Page
python-castellan (Ubuntu)  Fix Released  Medium      James Page

Bug Description

Vault provides a nice way for applications to integrate with its API:

  https://www.vaultproject.io/docs/auth/approle.html

As the authentication method has two components (role_id and secret_id), it is easy to automate distribution of credentials by providing the role_id but response-wrapping the secret_id, with access via a one-shot, IP-address-restricted token.

It would be nice if castellan and barbican supported this approach.
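The bootstrap flow sketched in the description, as an added example that is not code from castellan, barbican or HashiCorp Vault: a Python simulation in which an in-memory stand-in for Vault exposes the shape of the two endpoints involved (POST /v1/sys/wrapping/unwrap, which consumes a response-wrapping token, and POST /v1/auth/approle/login, which trades role_id plus secret_id for a client token). The FakeVault class, all token, ID and IP values, and the choice to model the IP restriction as a check on the wrapping token itself are assumptions of this example; in real Vault the CIDR bounds are configured on the AppRole role (secret_id_bound_cidrs / token_bound_cidrs), and the wrapping token is simply single-use. The example also shows the check a practitioner wants on the application side: if the wrapping token is already spent before the application uses it, the secret_id was intercepted and start-up should abort rather than continue with a possibly shared credential.

```python
"""Simulated AppRole bootstrap: role_id in the clear, secret_id delivered only
inside a single-use, IP-restricted response-wrapping token.  Added example,
not code from castellan, barbican or Vault; every token, ID and IP address
is constructed, and FakeVault only mimics the shape of two real endpoints."""
import secrets


class VaultError(Exception):
    """Stands in for an error response from the Vault HTTP API."""


class FakeVault:
    def __init__(self):
        self.roles = {}          # role_id -> {"name": str, "secret_ids": set}
        self.wrapped = {}        # wrapping_token -> {"data": dict, "ip": str}
        self.client_tokens = {}  # client_token -> role name

    # -- operator side: done with a privileged token at deploy time --
    def create_role(self, name):
        role_id = secrets.token_hex(16)
        self.roles[role_id] = {"name": name, "secret_ids": set()}
        return role_id

    def generate_wrapped_secret_id(self, role_id, allowed_ip):
        """Mint a secret_id but hand back only a one-shot wrapping token.
        Binding the wrapper to allowed_ip is this example's simplification;
        real Vault puts CIDR bounds on the role's secret_id/token instead."""
        secret_id = secrets.token_hex(16)
        self.roles[role_id]["secret_ids"].add(secret_id)
        wrapping_token = "wrap-" + secrets.token_hex(8)
        self.wrapped[wrapping_token] = {"data": {"secret_id": secret_id},
                                        "ip": allowed_ip}
        return wrapping_token

    # -- API surface the application uses --
    def unwrap(self, wrapping_token, client_ip):
        """POST /v1/sys/wrapping/unwrap: valid exactly once, from one address."""
        entry = self.wrapped.get(wrapping_token)
        if entry is None:
            raise VaultError("wrapping token invalid or already used")
        if entry["ip"] != client_ip:
            raise VaultError("wrapping token not permitted from this address")
        del self.wrapped[wrapping_token]   # consumed on first successful use
        return {"data": entry["data"]}

    def is_spent(self, wrapping_token):
        """Liveness check (cf. looking up a wrapping token before unwrapping):
        gone before we used it means someone else got the secret_id."""
        return wrapping_token not in self.wrapped

    def approle_login(self, role_id, secret_id):
        """POST /v1/auth/approle/login -> {"auth": {"client_token": ...}}"""
        role = self.roles.get(role_id)
        if role is None or secret_id not in role["secret_ids"]:
            raise VaultError("invalid role or secret ID")
        token = "s." + secrets.token_hex(12)
        self.client_tokens[token] = role["name"]
        return {"auth": {"client_token": token}}


def bootstrap_app(vault, role_id, wrapping_token, client_ip):
    """Application start-up: abort if the wrapper was already spent, else
    unwrap the secret_id and exchange it plus role_id for a client token."""
    if vault.is_spent(wrapping_token):
        raise VaultError("delivery compromised: wrapping token already used")
    secret_id = vault.unwrap(wrapping_token, client_ip)["data"]["secret_id"]
    return vault.approle_login(role_id, secret_id)["auth"]["client_token"]


def demo():
    vault = FakeVault()
    role_id = vault.create_role("barbican")
    app_ip, other_ip = "10.0.0.5", "192.0.2.9"

    # 1. Intended host unwraps once and gets a client token for the role.
    wrap1 = vault.generate_wrapped_secret_id(role_id, allowed_ip=app_ip)
    token = bootstrap_app(vault, role_id, wrap1, client_ip=app_ip)
    role_of_token = vault.client_tokens[token]

    # 2. Replaying the same wrapping token is refused (one shot).
    try:
        bootstrap_app(vault, role_id, wrap1, client_ip=app_ip)
        replay_blocked = False
    except VaultError:
        replay_blocked = True

    # 3. Another host holding a fresh wrapper is refused before the secret_id
    #    is revealed, and the wrapper stays unspent for the legitimate host.
    wrap2 = vault.generate_wrapped_secret_id(role_id, allowed_ip=app_ip)
    try:
        vault.unwrap(wrap2, client_ip=other_ip)
        ip_blocked = False
    except VaultError:
        ip_blocked = True
    token2 = bootstrap_app(vault, role_id, wrap2, client_ip=app_ip)
    return role_of_token, replay_blocked, ip_blocked, vault.client_tokens[token2]


if __name__ == "__main__":
    print(demo())   # ('barbican', True, True, 'barbican')
```

The point of the split is that the role_id on its own grants nothing, so it can live in configuration management, while the secret_id never sits in a config file or a log: it exists only inside Vault and, briefly, in the process that unwraps it. Against a real Vault the same sequence is a `POST` to the unwrap endpoint with the wrapping token in the `X-Vault-Token` header, followed by the AppRole login with the returned secret_id.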

Changed in castellan:
status: New → In Progress
assignee: nobody → James Page (james-page)
Changed in python-castellan (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Changed in barbican (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Revision history for this message
James Page (james-page) wrote :

Test packages with patches in:

  https://launchpad.net/~james-page/+archive/ubuntu/vault-production

I've verified these within a Rocky deployment; secrets were stored correctly in the configured backend (charm-barbican) rather than the default 'secret' backend.

Revision history for this message
James Page (james-page) wrote :

(also using an approle role_id and secret_id)

Changed in barbican (Ubuntu):
assignee: nobody → James Page (james-page)
Changed in python-castellan (Ubuntu):
assignee: nobody → James Page (james-page)
Revision history for this message
James Page (james-page) wrote :

FFe details
===========

1) builds:

See PPA - https://launchpad.net/~james-page/+archive/ubuntu/vault-production

2) installs and upgrades:

Existing packages deployed and then upgraded to PPA built packages OK

3) does not break packages which depend on it, or that corresponding updates have been prepared.

Barbican and castellan covered under same bug, changes implemented in a backwards compatible way (they don't change the existing function).

4) Verification

Barbican configured with approle-based authentication and a non-default KV mountpoint using proposed packages; secrets correctly stored and retrieved using Vault via the Barbican API.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-castellan - 0.19.0-0ubuntu2

---------------
python-castellan (0.19.0-0ubuntu2) cosmic; urgency=medium

  * d/p/0001-Fix-Vault-K-V-API-compatibility.patch,
        0002-Add-method-to-wrap-HashiCorp-Vault-HTTP-API-calls.patch:
    Resolve issues with compatibility with Vault 0.10.0 where the KV engine
    is versioned by default (LP: #1788375).
  * d/p/0003-vault-add-AppRole-support.patch: Add support for Vault
    AppRole authentication (LP: #1796851).
  * d/p/0004-vault-support-configuration-of-KV-mountpoint.patch: Add support
    for configuration of the KV mountpoint to use in Vault (LP: #1797148).

 -- James Page <email address hidden> Thu, 11 Oct 2018 12:21:17 +0100

Changed in python-castellan (Ubuntu):
status: Triaged → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package barbican - 1:7.0.0-0ubuntu2

---------------
barbican (1:7.0.0-0ubuntu2) cosmic; urgency=medium

  * d/p/0001-Enable-AppRole-authentication-support-for-Vault.patch:
    Add support for Vault AppRole authentication (LP: #1796851).
  * d/p/0002-Enable-KV-mountpoint-configuration-for-Vault.patch:
    Add support for configuration of the KV mountpoint to use in Vault
    (LP: #1797148).
  * d/control: Bump minimum python{3}-castellan version to 0.19.0-0ubuntu2~
    to pickup associated Vault fixes in lower layers.

 -- James Page <email address hidden> Thu, 11 Oct 2018 12:21:54 +0100

Changed in barbican (Ubuntu):
status: Triaged → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to castellan (master)

Reviewed: https://review.openstack.org/609332
Committed: https://git.openstack.org/cgit/openstack/castellan/commit/?id=bc7f7a4c361791727e23dab82a8abe7351483ef8
Submitter: Zuul
Branch: master

commit bc7f7a4c361791727e23dab82a8abe7351483ef8
Author: James Page <email address hidden>
Date: Wed Oct 10 10:07:11 2018 +0100

    vault: add AppRole support

    Add support for use of AppRoles for authentication to Vault; this
    feature provides a more application centric approach to managing
    long term access to Vault.

    The functional tests exercise this integration with a restricted
    policy which only allows access to the default 'secret' backend.

    Change-Id: I59dfe31adb72712c53d49f66d9ac894e43e8bbad
    Closes-Bug: 1796851

Changed in castellan:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/castellan 1.2.0

This issue was fixed in the openstack/castellan 1.2.0 release.
