support cidr restrictions for userpass auth

[cburroughs]

I'd also like to support cidr restrictions for userpass auth. Examples:

• Corp network binds employees workstation IP to a known value, employee X password should not work from employee Y's workstation.
• Database X credentials should not be accessed from datacenter Y
• Only auth to service X from a bastion, so only the bastion needs the credentials.

I'm aware that this is an "in depth" approach and not foolproof. #815 is very similar (for tokens) but I didn't see anything specifically for userpass

[jefferai]

I think this is a totally fine request but will probably end up waiting until we support X-Real-IP and or other similar methods of trying to identify the correct IP address. But, if someone picks it up before then, I'll be happy to work with them on getting it integrated.

[v6]

// , @cburroughs , would I really need to use this if I already had https://www.vaultproject.io/docs/auth/cert.html ?

That is, if I already have https://www.vaultproject.io/docs/auth/cert.html, would it be worth adding CIDR based restrictions to my user/pass auth?

[v6]

// , Also, why doesn't Vault have a more generic use of CIDR restrictions? That is, if you can CIDR restrict one thing, why can't you CIDR restrict another?

[tyrannosaurus-becks]

@cburroughs - I just merged in this capability, FYI!

[v6]

// , Can I get a quick link to the PR

[tyrannosaurus-becks]

@v6 #4557