Support Vault entity aliases

[lgfa29]

This PR adds support for deriving task tokens using an entity alias. This allows operators to better control the identity of the dynamic tokens that Nomad generates, which provide better control on billing and audit log parsing.

The entity alias can be set in the job and also a default value in the server configuration. If the server has a default alias, it will be used for tasks that don't define one.

In order to facilitate development, this PR starts by refactoring some of the Vault client internals. It may be easier to review this per commit.

To test this, you can use this script that will spin-up a Vault and Nomad agent preconfigured to support entity aliases.

Sample script run

$ ./demo.sh
==> Starting Vault...
Success! Uploaded policy: nomad-server
Success! Data written to: auth/token/roles/nomad-cluster
Success! Uploaded policy: app
Success! Data written to: auth/token/roles/nomad-user
Success! Data written to: auth/token/roles/nomad-user-not-allowed

You can use the following tokens to test job submission in different
scenarios:
    Token allowed:      s.cj1a6S4sOkvQOSy4cBBLQocu
    Token not allowed:  s.wjAie9VT0oWrrqPt4B1maty4
    Token without role: s.6UmUiXMNVMzIDJbJvjG6PjRs

==> Starting Nomad...

You can now run these two jobs, picking a token from the list above:
    Job that only runs if the token allows:
         $ VAULT_TOKEN=<TOKEN> nomad run demo/example.nomad

    Job that will never run because it uses an entity alias that the Nomad
    server can't access:
        $ VAULT_TOKEN=root nomad run demo/example-not-allowed.nomad

The first job has two tasks, but only one of them uses entity alias. You
can check the tokens information by running:
    $ ./demo.sh token-info

$ VAULT_TOKEN=s.cj1a6S4sOkvQOSy4cBBLQocu nomad run demo/example.nomad
==> 2022-04-04T14:16:53-04:00: Monitoring evaluation "289f0db0"
    2022-04-04T14:16:53-04:00: Evaluation triggered by job "example"
    2022-04-04T14:16:53-04:00: Allocation "91bfc88f" created: node "764ff4e9", group "app"
==> 2022-04-04T14:16:54-04:00: Monitoring evaluation "289f0db0"
    2022-04-04T14:16:54-04:00: Evaluation within deployment: "0aa0cb7a"
    2022-04-04T14:16:54-04:00: Allocation "91bfc88f" status changed: "pending" -> "running" (Tasks are running)
    2022-04-04T14:16:54-04:00: Evaluation status changed: "pending" -> "complete"
==> 2022-04-04T14:16:54-04:00: Evaluation "289f0db0" finished with status "complete"
==> 2022-04-04T14:16:54-04:00: Monitoring deployment "0aa0cb7a"
  ✓ Deployment "0aa0cb7a" successful

    2022-04-04T14:17:05-04:00
    ID          = 0aa0cb7a
    Job ID      = example
    Job Version = 0
    Status      = successful
    Description = Deployment completed successfully

    Deployed
    Task Group  Desired  Placed  Healthy  Unhealthy  Progress Deadline
    app         1        1       1        0          2022-04-04T14:27:03-04:00

$ ./demo.sh token-info
==> Token with entity
Key                  Value
---                  -----
accessor             uBPEG7WDciZxPXVKTWqYGTGY
creation_time        1649096213
creation_ttl         72h
display_name         token-91bfc88f-9c23-cf7b-52db-00334bf4be40-with-entity
entity_id            f9ac27cf-1135-435e-2401-6d617d0803d2
expire_time          2022-04-07T14:16:53.132469-04:00
explicit_max_ttl     0s
id                   s.ji1RGPmyHPVTmfY0757khESE
issue_time           2022-04-04T14:16:53.12894-04:00
last_renewal         2022-04-04T14:16:53.132469-04:00
last_renewal_time    1649096213
meta                 map[AllocationID:91bfc88f-9c23-cf7b-52db-00334bf4be40 JobID:example Namespace: NodeID:764ff4e9-fe78-0789-403b-967c22f241a4 Task:with_entity TaskGroup:app]
num_uses             0
orphan               true
path                 auth/token/create/nomad-cluster
policies             [app default]
renewable            true
role                 nomad-cluster
ttl                  71h59m41s
type                 service

==> Token without entity
Key                  Value
---                  -----
accessor             AGpy7Dz7O0gM67sIQbRNYdK4
creation_time        1649096213
creation_ttl         72h
display_name         token-91bfc88f-9c23-cf7b-52db-00334bf4be40-without-entity
entity_id            n/a
expire_time          2022-04-07T14:16:53.131276-04:00
explicit_max_ttl     0s
id                   s.5yLAUMknIAz62nlBjQoWYecg
issue_time           2022-04-04T14:16:53.124201-04:00
last_renewal         2022-04-04T14:16:53.131276-04:00
last_renewal_time    1649096213
meta                 map[AllocationID:91bfc88f-9c23-cf7b-52db-00334bf4be40 JobID:example Namespace: NodeID:764ff4e9-fe78-0789-403b-967c22f241a4 Task:without_entity TaskGroup:app]
num_uses             0
orphan               true
path                 auth/token/create/nomad-cluster
policies             [app default]
renewable            true
role                 nomad-cluster
ttl                  71h59m41s
type                 service

Notice how only one token as entity_id. Uncommenting line 218 of the script would use a default entity alias for the second token.

[mikenomitch]

+1 from me on the UX!

[shoenig]

This is great @lgfa29! Just the usual suggestions ~

[shoenig]

neato, was gonna comment about iteration order but this gets around that!

[lgfa29]

Yup! It's a handy function, the problem is that I keep forgetting how it's called 😅

[shoenig]

nice refactoring! in the long term I'd like to get these all into the admissions controller plumbing

nomad/nomad/job_endpoint_hooks.go

Line 53 in 69dc22b

func (j *Job) admissionControllers(job *structs.Job) (out *structs.Job, warnings []error, err error) {

#7020

[lgfa29]

Nice! Since there are a few refactorings going on already, I may as well do this now 🙂

[lgfa29]

@shoenig moved to admission controller in this commit: fb6a65f

I skipped unit tests because the Job registration tests were already covering them in general. But we may want to move them in the future.

[shoenig]

For the entity alias validation, can we move this chunk into a helper method? similar to multiVaultNamespaceValidation above.

[shoenig]

This is implied from the summary above, but an explicit comment here saying:

"// Assign the default entity alias to any vault block with no entity alias already set"

would be helpful

[shoenig]

trying to make it more succinct

For tasks to receive tokens associated with a Vault entity, the role must include a list of
allowed_entity_aliases indicating the entity aliases allowed for use. This field supports
globbing to cover multiple entity aliases.

also is there vault docs to link to for the globbing rules?

[lgfa29]

Thanks!

The most comprehensive doc I found for globbing was this: https://www.vaultproject.io/docs/concepts/policies#policy-syntax

But I don't know if it applies to allowed_entity_aliases so I kept it kind of vague 😅

[github-actions]

I'm going to lock this pull request because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.