athenzauth

package module
v0.1.1
Published: Nov 22, 2019 License: Apache-2.0 Imports: 13 Imported by: 0

README

vault-plugin-auth-athenz


Overview

Install plugin
$ go get github.com/katyamag/vault-plugin-auth-athenz/cmd/vault-plugin-auth-athenz
Prepare the Vault server (minimum settings)

NOTE: Set api_addr in your Vault config; plugins call back to the server through it.

$ VAULT_PLUGIN_PATH="/private/tmp/vault-plugins"

$ cat<< EOF | tee /tmp/vault.hcl
log_level = "DEBUG"
api_addr = "http://127.0.0.1:8200"
plugin_directory = "${VAULT_PLUGIN_PATH}"
disable_mlock = true

storage "inmem" {}

listener "tcp" {
  address       = "127.0.0.1:8200"
  tls_disable = 1
}
EOF

Create the config for Athenz.

$ ATHENZ_URL="https://localhost:4443/zts/v1"
$ ASSERTION_RESOURCE="vault"
$ ASSERTION_ACTION="access"

$ mkdir -p /tmp/vault/plugin
$ cat <<EOF | tee /tmp/vault/plugin/plugin_config.yaml
---
athenz:
  url: ${ATHENZ_URL}
  policyrhRefreshDuratuon: 6h
  hdr: Athenz-Principal-Auth
  domain: sample.domain
  policy:
    resource: ${ASSERTION_RESOURCE}
    action: ${ASSERTION_ACTION}
EOF
Register the plugin with Vault
$ PLUGIN_DIR=$(which vault-plugin-auth-athenz)
$ PLUGIN_CONF_FILE="/tmp/vault/plugin/plugin_config.yaml"

$ SHA256=$(shasum -a 256 "${PLUGIN_DIR}" | cut -d' ' -f1)
$ vault plugin register -sha256=$SHA256 -args="${PLUGIN_CONF_FILE}" -command=vault-plugin-auth-athenz athenz

Enable plugin

NOTE: If you don't pass -options, the plugin reads its config file from the default path /etc/vault/plugin/athenz_plugin.yaml.

$ vault auth enable \
-path=athenz \
-plugin-name=athenz \
-options="--config-file=${PLUGIN_CONF_FILE}" \
plugin
Check plugins
$ vault auth list
Path       Type      Accessor                Description
----       ----      --------                -----------
athenz/    athenz    auth_athenz_9fd2cac8    n/a
cert/      cert      auth_cert_e990af0b      n/a
token/     token     auth_token_9420f044     token based credentials

$ vault read /sys/plugins/catalog/auth/athenz
Key        Value
---        -----
args       []
builtin    false
command    vault-plugin-auth-athenz
name       athenz
sha256     xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
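As an added example (not code from the plugin's README), this is the check worth running before vault auth enable: confirm that the binary on disk still hashes to the sha256 pinned in the catalog entry shown above, so a rebuilt binary or a stale catalog entry is caught before Vault refuses to load the plugin. The catalog text is passed in as a string; the usage comment at the end assumes VAULT_ADDR and VAULT_TOKEN are set.

```sh
#!/bin/sh
# Added example, not code from vault-plugin-auth-athenz: check that the plugin
# binary Vault will load still hashes to the sha256 pinned at registration.
# Vault compares the two itself at load time; checking first tells you which
# side drifted (rebuilt binary vs. stale catalog entry).

# SHA-256 of a file: sha256sum on Linux, shasum -a 256 on macOS (as in the README).
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Pull the pinned hash out of the key/value table that
# `vault read sys/plugins/catalog/auth/athenz` prints (table text on stdin).
catalog_sha256() {
  awk '$1 == "sha256" { print $2 }'
}

# verify_plugin BINARY CATALOG_TEXT -> 0 on match, 1 on mismatch or missing entry.
verify_plugin() {
  actual=$(file_sha256 "$1")
  pinned=$(printf '%s\n' "$2" | catalog_sha256)
  if [ -z "$pinned" ]; then
    echo "no sha256 line in catalog output" >&2
    return 1
  fi
  if [ "$actual" = "$pinned" ]; then
    echo "OK: $1 matches registered sha256 $pinned"
    return 0
  fi
  echo "MISMATCH: $1 hashes to $actual but catalog pins $pinned" >&2
  return 1
}

# Usage against a live Vault (assumes VAULT_ADDR and VAULT_TOKEN are set):
#   verify_plugin "$(which vault-plugin-auth-athenz)" \
#     "$(vault read sys/plugins/catalog/auth/athenz)"
```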
Configuration
  1. Configure a client entry for the Athenz principal that is allowed to authenticate
$ vault write auth/athenz/clients/hoge name=hoge role=vault_client_role
  2. Log in with an Athenz N-token
$ vault write auth/athenz/login name=hoge token=$NTOKEN
Disable and delete the plugin
$ vault auth disable athenz
$ vault delete /sys/plugins/catalog/auth/athenz

Athenz Auth Method (API)

Create Athenz Role Entry for Vault
Method    Path                          Produces
POST      /auth/athenz/clients/:name    204 (empty body)

Parameters

  • name: (string: <required>) - The name of the Vault role
  • ntoken: (string: <required>) - The N-token for Athenz authorization

Example


$ vault write auth/athenz/clients/hoge \
roletoken=$ROLE_TOKEN \

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Factory

Factory is used by the Vault plugin framework to construct the backend.

Types

type AthenzEntry

type AthenzEntry struct {
	tokenutil.TokenParams

	Name     string
	Role     string
	Policies []string
	TTL      time.Duration
	MaxTTL   time.Duration
}

AthenzEntry is the stored client entry returned when a user reads the athenz/ path.

Directories

Path Synopsis
cmd
pkg
