
Vault authentication planned?

Open LordFPL opened this issue 6 years ago • 5 comments

Hello, we use Vault (Hashicorp) more and more in our company, and I wonder if an integration of this type is planned? I am starting to test authentication under readonlyrest, and am a bit embarrassed on the password side with the two main ones:

  • login / pass in ror = the configuration is hard-coded on the application client side, and a change in two places when one wishes to rotate the password (ror + client).
  • authentication via ldap = a clear-text client-side password and an account creation in a directory just to access an application (but a password rotation doesn't need a restart of ror).

Vault, on the other hand, from my point of view, would allow:

  • dynamic retrieval of a client-side token (for example, via an approle).
  • access control on the ror side via vault, with the list of vault policies associated with the token.
  • potentially, use of the content of the policies for indices allowed or not.

For now ldap authentication will in any case allow us to do many things (thank you for this plugin! :)), but I'd be curious to know your opinion on this possible evolution.

Thx in advance.

LordFPL avatar Mar 16 '18 09:03 LordFPL

I'm pretty sure that with a minimum of devops skills you can wrap the ROR deployment and hook the decoded secrets into environment variables, which are, by the way, supported in readonlyrest.yml.

What do you think?

sscarduzio avatar Mar 16 '18 19:03 sscarduzio
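The wrapper approach suggested above, as an added example (not code from the ReadonlyREST project, Hashicorp, or either participant): a small launcher that logs in to Vault with an AppRole, reads the ROR credentials from a KV v2 secret, checks that every `${VAR}` referenced in readonlyrest.yml is actually provided, and then execs Elasticsearch with those variables in its environment, so neither the password nor the AppRole token is ever written to disk. Assumptions: the `VAULT_ROLE_ID` / `VAULT_SECRET_ID` / `ROR_CONFIG` variable names and the `secret/data/ror/admin` path are hypothetical, `${VAR}` is the variable-reference syntax of readonlyrest.yml as documented by the plugin, and the sample config and Vault responses are constructed for the example. Note the caveat the thread goes on to raise: the secret is read once at startup, so a rotation still means restarting the node.

```python
#!/usr/bin/env python3
"""Fetch ReadonlyREST credentials from Vault and exec Elasticsearch.

Added example, not ReadonlyREST or Vault code. Assumed (hypothetical) names:
  VAULT_ADDR, VAULT_ROLE_ID, VAULT_SECRET_ID  - AppRole login material
  secret/data/ror/admin                         - KV v2 path holding the creds
  ROR_ADMIN_USER / ROR_ADMIN_PASS               - env vars readonlyrest.yml references
"""
import json
import os
import re
import sys
import urllib.request

# ${VAR} references as used in readonlyrest.yml (assumed syntax, per ROR docs).
ENV_REF = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")

# Constructed sample of a readonlyrest.yml that keeps secrets out of the file.
SAMPLE_ROR_YML = """\
readonlyrest:
  access_control_rules:
  - name: "admin"
    auth_key: "${ROR_ADMIN_USER}:${ROR_ADMIN_PASS}"
  - name: "read-only app"
    auth_key: "${ROR_APP_USER}:${ROR_APP_PASS}"
    actions: ["indices:data/read/*"]
"""


def vault_request(addr, path, token=None, body=None):
    """One JSON call to the Vault HTTP API (/v1/<path>); raises on non-2xx."""
    req = urllib.request.Request(addr.rstrip("/") + "/v1/" + path.lstrip("/"))
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    data = json.dumps(body).encode() if body is not None else None
    with urllib.request.urlopen(req, data=data, timeout=10) as resp:
        return json.loads(resp.read())


def parse_approle_login(resp):
    """Client token from POST auth/approle/login. Only the short-lived token
    is held in memory; role_id/secret_id are never persisted by this script."""
    return resp["auth"]["client_token"]


def parse_kv2_secret(resp):
    """KV v2 nests user data under data.data; data.metadata sits beside it."""
    return dict(resp["data"]["data"])


def ror_environment(secret, mapping):
    """Map secret fields to the env var names readonlyrest.yml references.
    mapping = {"ROR_ADMIN_USER": "username", ...}. A missing field fails loudly
    instead of letting ROR start with an empty credential."""
    env = {}
    for var, field in mapping.items():
        if field not in secret:
            raise KeyError(f"secret has no field {field!r} for {var}")
        env[var] = str(secret[field])
    return env


def missing_env_refs(ror_yml, env):
    """Sorted list of ${VAR} references in the config that env does not
    provide. Catching this before exec avoids an unexpanded literal ending up
    as a password."""
    refs = set(ENV_REF.findall(ror_yml))
    return sorted(refs - set(env))


def main():
    addr = os.environ["VAULT_ADDR"]
    login = vault_request(addr, "auth/approle/login",
                          body={"role_id": os.environ["VAULT_ROLE_ID"],
                                "secret_id": os.environ["VAULT_SECRET_ID"]})
    token = parse_approle_login(login)
    secret = parse_kv2_secret(vault_request(addr, "secret/data/ror/admin", token))
    env = ror_environment(secret, {"ROR_ADMIN_USER": "username",
                                   "ROR_ADMIN_PASS": "password"})
    with open(os.environ.get("ROR_CONFIG", "config/readonlyrest.yml")) as f:
        missing = missing_env_refs(f.read(), {**os.environ, **env})
    if missing:
        sys.exit(f"readonlyrest.yml references unset variables: {missing}")
    # Replace this process with Elasticsearch; the secrets live only in its env.
    os.execvpe("bin/elasticsearch", ["bin/elasticsearch"], {**os.environ, **env})


if __name__ == "__main__":
    main()
```

Run it in place of `bin/elasticsearch` under the supervisor (systemd, nomad, docker entrypoint) with `VAULT_ADDR`, `VAULT_ROLE_ID` and `VAULT_SECRET_ID` injected by the platform. Rotating the password is then a `vault kv put` followed by a node restart; the AppRole's secret_id can be rotated independently of the ROR credentials.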

@LordFPL or did you mean implementing Vault as a runtime authentication connector, like we have for LDAP?

sscarduzio avatar Mar 18 '18 15:03 sscarduzio

Hello,

Sorry for the late answer. Yes, I mean a runtime authentication like ldap. I actually run an elasticsearch cluster with nomad, and all config is already taken from vault (readonlyrest.yml and the elasticsearch config file are generated via dynamic vars). My main "problem" (it's not a very critical problem ;)) is that the two main auth methods in readonlyrest don't totally satisfy me... login/pass in conf is too static... and ldap is mainly (imho) for "humans". I already use vault for other purposes, and I love the approle method for apps, and all the auditing possible with it. That's why I'm asking your opinion about this future feature :)

Thanks for your time and all you have already done :)

LordFPL avatar Mar 18 '18 20:03 LordFPL

Got it, and it's quite an interesting idea. Too bad I didn't find any asynchronous Vault library for Java. 🤦🏻‍♂️

sscarduzio avatar Mar 19 '18 03:03 sscarduzio

In my case, I can find a solution with a watch for changes in vault... and regenerate the readonlyrest config... but if I understand well, hot reload is not possible?

For information, I read a post on the hashicorp page about an integration with JWT (https://www.hashicorp.com/blog/secure-kubernetes-deployments-vault-banzai-cloud)... but I'm not a developer... and I don't understand JWT tokens well...

In any case, thanks for reading :)

LordFPL avatar Mar 26 '18 13:03 LordFPL