add kerberos auth support
Hi, privately I implemented Kerberos auth on top of HVAC.
Vault now supports SPNEGO auth (unceremoniously documented here) https://www.vaultproject.io/api/auth/kerberos#login-with-kerberos
The Kerberos auth endpoints are nearly identical to LDAP, so I simply subclassed hvac.api.auth_methods.ldap.Ldap and replaced the DEFAULT_MOUNT_POINT where needed.
Kerberos requires 2 components to work:
- gssapi
- requests_gssapi
I support both token-based auth, by reading an existing kerberos context from kinit / the token cache, as well as keytab authentication.
I can create two explicit login methods, or just have "one".
Currently I have one login method, when keytab_path is omitted it looks for an existing kerberos context via kerberos cache through gssapi.
Here is the signature of my kerberos login method; I tried to keep the arguments similar to what the vault cli expects:

```python
def login(self,
          username,
          service=None,
          realm=None,
          keytab_path=None,
          krb5conf_path=None,
          use_token=True,
          mount_point=DEFAULT_MOUNT_POINT):
    ...
```
If you're interested in this addition I will prepare a pull request
Looking forward to the feedback.
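An added example (not the author's patch and not hvac's own code) of the approach the post describes: a Kerberos auth method shaped after hvac's Ldap class, whose login builds a SPNEGO token with python-gssapi and posts it to the Vault login endpoint with a Negotiate header. It assumes python-gssapi with the MIT krb5 credential-store extension (used for keytab_path) and hvac's adapter interface (base_uri, login()); the helper functions are pure Python and hold the parts that can be checked without a KDC.

```python
import base64
import os
try:
    from hvac.api.auth_methods.ldap import Ldap as _Base
except ImportError:  # keep the module importable where hvac is not installed
    _Base = object

def gss_credential_store(keytab_path=None):
    """None -> python-gssapi uses the default credential cache (kinit);
    a path -> the MIT krb5 'client_keytab' credential-store extension."""
    if keytab_path is None:
        return None
    return {"client_keytab": keytab_path}

def negotiate_header(spnego_token):
    """Vault's kerberos login expects 'Authorization: Negotiate <base64 GSS token>'."""
    return {"Authorization": "Negotiate " + base64.b64encode(spnego_token).decode("ascii")}

def client_token_from_login(body):
    """Pull the client token out of a Vault login response (same shape as LDAP's)."""
    auth = body.get("auth") or {}
    if not auth.get("client_token"):
        raise ValueError(f"login failed, no auth.client_token: {body.get('errors')}")
    return auth["client_token"]

class Kerberos(_Base):
    DEFAULT_MOUNT_POINT = "kerberos"  # Vault's default mount for the kerberos method

    def __init__(self, adapter):
        self._adapter = adapter  # hvac adapter (assumed): exposes base_uri and login()

    def login(self, username, service=None, realm=None, keytab_path=None,
              krb5conf_path=None, use_token=True, mount_point=DEFAULT_MOUNT_POINT):
        import gssapi  # imported here so the helpers above work without it
        if krb5conf_path:
            os.environ["KRB5_CONFIG"] = krb5conf_path  # libkrb5 reads this on first use
        principal = username if realm is None else f"{username}@{realm}"
        creds = gssapi.Credentials(
            name=gssapi.Name(principal, gssapi.NameType.kerberos_principal),
            usage="initiate", store=gss_credential_store(keytab_path))
        host = self._adapter.base_uri.split("://", 1)[-1].split(":")[0]
        target = gssapi.Name(service or f"HTTP@{host}", gssapi.NameType.hostbased_service)
        ctx = gssapi.SecurityContext(name=target, creds=creds,
                                     mech=gssapi.OID.from_int_seq("1.3.6.1.5.5.2"))  # SPNEGO
        token = ctx.step()  # first client token; Vault completes login in one round trip
        resp = self._adapter.login(url=f"/v1/auth/{mount_point}/login", use_token=use_token,
                                   headers=negotiate_header(token))
        return client_token_from_login(resp if isinstance(resp, dict) else resp.json())
```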
I don't have much of a stake in kerberos support personally. However we've historically added any non-disruptive features that folks request as they come up in GitHub issues or otherwise 😄. On the "kerberos requires 2 components to work" point, the implication is that the proposed functionality would introduce two additional requirements in the form of gssapi and requests_gssapi, correct? That is the only bit from the issue's description that gives me some pause. Previously, I have endeavored to keep hvac's requirements as minimal as possible (based on a vague consideration of "hvac is used in secure contexts so keeping the number of requirements to a minimum is helpful in some senses").
All that said, I'm always happy to check out any PR! Just wanted to set that context (and I imagine I would probably first look at ways at enabling the behavior without necessarily needing to include the additional requirements).
We're also interested in kerberos support. Was there any further progress here, or have you shared your implementation in some way (e.g. a PR) @bendemott ?
Hi @soxofaan - I'm trying to dig up the source I wrote so a PR can be started, if you don't hear from me in 7 days ping me again.
This one would be really useful in any environment with a KDC (e.g. Microsoft Active Directory)
For what it's worth, below is the code one can use to do vault w/ GSSAPI, but w/o hvac.
The code implies one single additional dependency per platform:

```
winkerberos ; platform=="Windows"
kerberos ; platform!="Windows"
```

```python
import requests

try:
    import kerberos  # pykerberos on Linux/macOS
except ImportError:
    import winkerberos as kerberos  # same API on Windows

vault_host = 'vault.service.ny.consul'
service = f'HTTP@{vault_host}'  # SPN of the Vault server
vault = f'{vault_host}:8200'

# Build a SPNEGO token from the existing ticket cache (kinit)
rc, vc = kerberos.authGSSClientInit(service=service, mech_oid=kerberos.GSS_MECH_OID_SPNEGO)
kerberos.authGSSClientStep(vc, '')
token = kerberos.authGSSClientResponse(vc)

secret_url = f'https://{vault}/v1/apps/path/to/some/secret'
auth_url = f'https://{vault}/v1/auth/krb5_ep/login'

# Exchange the SPNEGO token for a Vault token, then read the secret with it
r = requests.post(auth_url, headers={'Authorization': f'Negotiate {token}'})
vault_token = r.json()['auth']['client_token']
r = requests.get(secret_url, headers={'X-Vault-Token': vault_token})
secret = r.json()['data']['data']
```
Hi @bendemott , just seeing this now due to the new comment, figured I'd check in with you to see if you're still interested in opening a PR for this. I think it would be a great addition to the project. No rush, but also don't worry too much about getting the code perfect, we'll work through it in the PR.
@briantist @soxofaan see: https://github.com/hvac/hvac/pull/1027