Feature request: vault authenticator #88
Comments
Interesting idea, could you walk me through how vault works and how tokens/keys are validated at vault? |
That's a huge area. Vault does a lot...
If you run this you can use it with a GUI:
https://github.com/Caiyeon/goldfish
Also the site has lots of info.
Then there are the Vault main docs.
https://github.com/hashicorp/vault
https://www.vaultproject.io/
- has interactive tutorial.
|
Yes, but it seems to me like it's storing access credentials and gives them out based on other credentials issued by vault, I'm not sure if it also allows verification of the stored access credentials as it is agnostic to them. It would be great if you could go into some detail (maybe particular flows or APIs), this would help a lot in understanding why vault would make sense as an authorization server coupled to oathkeeper. |
Yes, I think you have a decent idea of what it offers.
Here is why I suggested it:
Oxy provides a gateway, but you must have a place to store the enterprise multi-tenant (IaaS level and PaaS etc.) secrets and check them, roll them and revoke them.
I can not go into all the flows here though. If you want to integrate it you're going to have to do the analysis on the hooks that make sense for oxy. You are going to have contradictions on the overlap of what each provides.
The other reason I suggested it is because it's very hard to do what vault does without making a slip up.
Many companies use vault. It's well regarded.
|
https://news.ycombinator.com/item?id=15284976
Pretty much expresses what I was getting at...
|
I do understand that you can fetch credentials from vault, but those credentials are to be validated at a different endpoint. Typically you would, for example, store an API key in vault, fetch the API key from vault using some credentials, then use that API key at another endpoint. That endpoint validates the API key. This proxy takes, for example, an API key and asks some endpoint if the API key is valid. In this regard, vault does (to my understanding) not play a role. It might be possible to first fetch the key from vault, then use it at Oathkeeper, and Oathkeeper validates it at another endpoint. To Oathkeeper itself, however, it doesn't matter at all how the credentials were obtained, and thus an integration with vault does not make sense. Let me know if I blatantly misunderstood something, but I don't see what the integration would look like. That is why I asked for specifics on this matter. |
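The flow described in the comment above, as an added Go sketch that is not Oathkeeper's own code: the proxy pulls the API key out of the incoming request and asks a separate validation endpoint (here a constructed in-process server with a hard-coded key table) whether it is valid; where the client obtained the key, Vault included, never appears in that path. The names `validationHandler`, `authenticate`, `CheckAuthorization` and the key value are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed upstream service that actually knows the valid API keys (not Vault).
var validKeys = map[string]bool{"key-constructed-123": true}

// validationHandler reports whether a posted key is active; a malformed body yields inactive.
func validationHandler(w http.ResponseWriter, r *http.Request) {
	var body struct{ Key string `json:"key"` }
	_ = json.NewDecoder(r.Body).Decode(&body)
	_ = json.NewEncoder(w).Encode(map[string]bool{"active": validKeys[body.Key]})
}

// authenticate is the proxy step described in the thread: take the API key
// from the incoming request and ask the validation endpoint whether it is valid.
func authenticate(r *http.Request, validateURL string) (bool, error) {
	auth := r.Header.Get("Authorization")
	key := strings.TrimPrefix(auth, "Bearer ")
	if key == "" || key == auth {
		return false, nil // no bearer credential presented
	}
	payload, _ := json.Marshal(map[string]string{"key": key})
	resp, err := http.Post(validateURL, "application/json", strings.NewReader(string(payload)))
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	var out struct{ Active bool `json:"active"` }
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return false, err
	}
	return out.Active, nil
}

// CheckAuthorization runs one request carrying the given Authorization header
// through authenticate against a throwaway validation endpoint.
func CheckAuthorization(header string) (bool, error) {
	srv := httptest.NewServer(http.HandlerFunc(validationHandler))
	defer srv.Close()
	req := httptest.NewRequest(http.MethodGet, "/resource", nil)
	req.Header.Set("Authorization", header)
	return authenticate(req, srv.URL)
}
```

A missing header, a non-bearer scheme and an unknown key are all rejected by the same path, which is the point the comment makes: the proxy only ever talks to the validating endpoint.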
I will be frank - I don't really know.
I use vault and it took about 30 minutes to integrate it once in a microservice system with consul.
It was easy and worked really well.
I really do wish I knew more, but I don't want to lead you astray with intuitive half-truths gained from my 30 minutes.
I will say that what you described sounds about right from when I used it though.
|
I took some time yesterday to look through the docs and wasn't able to figure out a way to make a useful integration. I'm thus closing this issue. Regardless, thank you for your ideas & time. If I missed something please let me know and I'll immediately reopen the issue, I think integration with vault would be amazing. |
I currently use Vault from hashicorp and it's pretty good.
It seems to make a lot of sense to support Vault as an Authenticator for the Key system.
I don't know enough about the details of the oxy system to suggest the exact interface connections though. Maybe you do.
The reasoning for keeping vault is because users can request access to a resource if they need it and the vault system provides admin ticketing. Also, of course, it provides the secure storage.
Anyway, happy to discuss.