
Set a token CIDR based on SecretId CIDR rather than specifying it at appRole creation #5034

Closed
far-blue opened this issue Aug 2, 2018 · 4 comments

far-blue commented Aug 2, 2018

At the moment we have AppRoles for each of our deployed apps, and these apps deploy over clusters with known IP ranges, so we limit the AppRole to the appropriate range. We also generate a SecretId for each deploy of our app and for each node in the cluster for the app, so a SecretId generated for nodeA can't be used on nodeB. However, tokens generated by auth'ing with the SecretId value for a particular node are not restricted. The only option to restrict the token is by setting token CIDR ranges on the AppRole, so the best we can achieve is to limit a token to a cluster rather than a node.

It would be great if we could specify when creating the AppRole that the token's CIDR range(s) should inherit from the SecretId used to auth and generate the token rather than using a fixed config at the point of defining the AppRole. This would allow us to create tokens limited to a specific node.

We have considered creating AppRoles for each combination of App and Node but this results in five times the number of AppRoles to manage.

Thanks,

@jefferai (Member)

This is now implemented -- you can specify a CIDR at secret-id generation time which must be a subset of the cidrs configured on the role (if any). This matches our normal workflow of allowing you to be more specific than a role, but not escape what the role has set. I believe it should solve this use case though as you can set the role value to something more broad that covers all needs (or just not set it at all and allow any value set on the secret ID) and then scope it very specifically when the secret ID is generated.
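The subset rule described above (a CIDR supplied at secret-ID generation may narrow, but never escape, the CIDRs set on the role), modelled as an added example that is not Vault's own code: the helpers `check_secret_id_cidrs`, `is_valid_narrowing` and `client_allowed` are hypothetical, and the role, node and client addresses are constructed for illustration.

```python
import ipaddress
from typing import Iterable, List


def _parse(cidrs: Iterable[str]):
    """Parse CIDR strings; strict=False tolerates host bits set (e.g. 10.0.1.5/24)."""
    return [ipaddress.ip_network(c.strip(), strict=False) for c in cidrs if c.strip()]


def check_secret_id_cidrs(role_cidrs: List[str], requested_cidrs: List[str]) -> List[str]:
    """Return the CIDRs to bind to a new secret ID, or raise ValueError.

    Hypothetical helper mirroring the rule from the thread: every CIDR requested at
    secret-ID generation time must be contained in at least one CIDR configured on the
    role. An empty role list means the role imposes no restriction, so any value passes.
    """
    role_nets = _parse(role_cidrs)
    req_nets = _parse(requested_cidrs)
    if not role_nets:
        return [str(n) for n in req_nets]
    for req in req_nets:
        # subnet_of() raises TypeError for mixed address families, so compare
        # versions first; an IPv6 block can never be a subset of an IPv4 role CIDR.
        contained = any(req.version == r.version and req.subnet_of(r) for r in role_nets)
        if not contained:
            raise ValueError(f"{req} is not a subset of role CIDRs {role_cidrs}")
    return [str(n) for n in req_nets]


def is_valid_narrowing(role_cidrs: List[str], requested_cidrs: List[str]) -> bool:
    """Boolean form of check_secret_id_cidrs for callers that just want yes/no."""
    try:
        check_secret_id_cidrs(role_cidrs, requested_cidrs)
        return True
    except ValueError:
        return False


def client_allowed(bound_cidrs: List[str], client_ip: str) -> bool:
    """Would a login or token use from client_ip pass a CIDR binding?

    An empty binding means unrestricted, which is the gap the issue describes:
    a token bound only to the role's cluster-wide CIDR (or to nothing) is
    usable from any node, even if the secret ID was bound to one node's /32.
    """
    nets = _parse(bound_cidrs)
    if not nets:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip.version == n.version and ip in n for n in nets)
```

With a role bound to 10.0.0.0/16, a secret ID narrowed to 10.0.1.5/32 is accepted while 10.1.0.0/24 is rejected; `client_allowed` then shows that a token bound only to the role's /16 still passes from 10.0.2.7.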

@far-blue (Author)

While it is now possible to limit a secret ID to a subset of the app role CIDR, this doesn't carry over to tokens created by authenticating with the app ID and secret ID. As such, a token extracted from a node using a CIDR-restricted secret ID can be used anywhere.

@jefferai (Member)

@far-blue Are you using the patch from the PR above in this testing?

@far-blue (Author)

Sorry, I was reading via a mobile while on holiday and misunderstood :) Great news the feature is in the 0.11.0 release and now I'm back at work we'll upgrade and test things out. Thank you :)
