Subject x500UniqueIdentifier control #4755
Comments
Introduced in 1.4.2, this practice has turned out to be problematic. This change updates SPIRE Server to no longer emit the attribute in the X509-SVID subject. It also introduces a new built-in CredentialComposer to add the attribute back in for deployments that rely on it. The plugin only augments workload X509-SVIDs. Server and agent X509-SVIDs are not modified. Fixes: spiffe#4755 Fixes: spiffe#3110 Signed-off-by: Andrew Harding <[email protected]>
Hi @kfox1111 - thank you very much for bringing this to our attention. The unique identifier was added in response to #3110. At the time, conformance appeared to be the right thing to do. This issue, along with other feedback, has shown the change to present significant UX challenges, and after several discussions we've decided to roll it back. For users that require this to be set, to satisfy policy or otherwise, we will be shipping a new built-in credential composer plugin (currently named "uniqueid") and there is an open PR to both roll back the change and introduce the new plugin here: #4862
* No longer emit x509UniqueIdentifier in X509-SVIDs Introduced in 1.4.2, this practice has turned out to be problematic. This change updates SPIRE Server to no longer emit the attribute in the X509-SVID subject. It also introduces a new built-in CredentialComposer to add the attribute back in for deployments that rely on it. The plugin only augments workload X509-SVIDs. Server and agent X509-SVIDs are not modified. Fixes: #4755 Fixes: #3110 Signed-off-by: Andrew Harding <[email protected]>
* No longer emit x509UniqueIdentifier in X509-SVIDs Introduced in 1.4.2, this practice has turned out to be problematic. This change updates SPIRE Server to no longer emit the attribute in the X509-SVID subject. It also introduces a new built-in CredentialComposer to add the attribute back in for deployments that rely on it. The plugin only augments workload X509-SVIDs. Server and agent X509-SVIDs are not modified. Fixes: spiffe#4755 Fixes: spiffe#3110 Signed-off-by: Andrew Harding <[email protected]> Signed-off-by: Faisal Memon <[email protected]>
Trying to hook up spire-server with MySQL. Subjects for the client are being generated like:
But MySQL cannot pattern match the Subject for authentication, so it has to be tweaked for every instance rather than being able to set it more generically.
Could there please be an option added to the spiffe entry to let the end user modify the subject behavior for that entry to drop the x509UniqueIdentifier?
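The issue above is about an attribute in the X509-SVID subject (x500UniqueIdentifier, OID 2.5.4.45, called x509UniqueIdentifier in the thread) that changes the subject string a downstream system such as MySQL matches against. The following is an added example, not code from SPIRE or from anyone in this thread: it constructs a self-signed certificate carrying a SPIFFE ID, optionally with an x500UniqueIdentifier attribute holding a placeholder value (the real value SPIRE wrote is not reproduced here), and shows how an operator can check whether a workload SVID carries the attribute and compare the stable part of the subject with the attribute stripped. The subject fields `C=US, O=SPIRE, CN=workload` and the SPIFFE ID `spiffe://example.org/workload` are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// oidX500UniqueIdentifier is the X.500 attribute type x500UniqueIdentifier
// (RFC 4519, OID 2.5.4.45), referred to in the issue as x509UniqueIdentifier.
var oidX500UniqueIdentifier = asn1.ObjectIdentifier{2, 5, 4, 45}

// NewTestSVID builds a self-signed certificate with a SPIFFE ID URI SAN.
// It is a constructed sample, not a real SVID. When withUniqueID is true
// the subject also carries x500UniqueIdentifier with a placeholder value.
func NewTestSVID(spiffeID string, withUniqueID bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	uri, err := url.Parse(spiffeID)
	if err != nil {
		return nil, err
	}
	subject := pkix.Name{
		Country:      []string{"US"},
		Organization: []string{"SPIRE"},
		CommonName:   "workload",
	}
	if withUniqueID {
		subject.ExtraNames = append(subject.ExtraNames, pkix.AttributeTypeAndValue{
			Type:  oidX500UniqueIdentifier,
			Value: "placeholder-unique-id", // constructed value, not what SPIRE emitted
		})
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      subject,
		URIs:         []*url.URL{uri},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// HasUniqueIdentifier reports whether a parsed certificate's subject contains
// x500UniqueIdentifier. Running it over a fetched workload SVID tells an
// operator whether the attribute is still being emitted.
func HasUniqueIdentifier(cert *x509.Certificate) bool {
	for _, atv := range cert.Subject.Names {
		if atv.Type.Equal(oidX500UniqueIdentifier) {
			return true
		}
	}
	return false
}

// StableSubject decodes the raw subject, drops any x500UniqueIdentifier
// attribute, and returns the remaining RDNs as a string. This is the part of
// the subject that stays the same across SVIDs of the same workload, so it is
// what a subject pattern in a downstream system can reasonably be written against.
func StableSubject(cert *x509.Certificate) (string, error) {
	var seq pkix.RDNSequence
	rest, err := asn1.Unmarshal(cert.RawSubject, &seq)
	if err != nil {
		return "", err
	}
	if len(rest) != 0 {
		return "", errors.New("trailing data after subject")
	}
	var kept pkix.RDNSequence
	for _, rdn := range seq {
		var set pkix.RelativeDistinguishedNameSET
		for _, atv := range rdn {
			if !atv.Type.Equal(oidX500UniqueIdentifier) {
				set = append(set, atv)
			}
		}
		if len(set) > 0 {
			kept = append(kept, set)
		}
	}
	return kept.String(), nil
}

func main() {
	for _, withID := range []bool{true, false} {
		cert, err := NewTestSVID("spiffe://example.org/workload", withID)
		if err != nil {
			panic(err)
		}
		stable, err := StableSubject(cert)
		if err != nil {
			panic(err)
		}
		fmt.Printf("full subject: %s\n", cert.Subject.String())
		fmt.Printf("has x500UniqueIdentifier: %v\n", HasUniqueIdentifier(cert))
		fmt.Printf("stable subject: %s\n\n", stable)
	}
}
```

The full subject string printed by Go renders the unknown OID as `2.5.4.45=#<hex>`, which is why a fixed subject match breaks when the value differs per SVID; the stable subject is identical whether or not the attribute is present. To inspect a real SVID, replace `NewTestSVID` with `x509.ParseCertificate` over the DER fetched from the Workload API.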