Skip to content

Latest commit

 

History

History
402 lines (331 loc) · 9.09 KB

README.md

File metadata and controls

402 lines (331 loc) · 9.09 KB

Vault Plugin: Chef Node Auth Backend

The "chef-node" auth backend allows Nodes registered with a Chef server to authenticate using their private keys.

Enable Chef node authentication in vault

$ vault write sys/plugins/catalog/chefnode-auth-plugin \
  sha_256=<expected SHA256 Hex value of the plugin binary> \
  command=vault-plugin-auth-chefnode
$ vault auth enable -path=chef-node -plugin-name=chefnode-auth-plugin plugin

Configuration

The endpoint for the login is auth/chef-node/config.

The backend needs to be configured with the API endpoint of the Chef server it is going to be authenticating against. It also needs a client to be setup in the Chef server that it will connect as. The client needs to be able to read the client objects of the nodes that it will be authenticating. The knife acl plugin can be used to setup the correct permissions.

$ knife acl add client vault containers clients read
$ knife acl bulk add client vault clients ".*" read

This will give the vault client read permissions to newly created clients and add the read perimssions to any existing clients.

Configuration Parameters

  • client_name (string,required) - Name of the client to connect as
  • client_key (string,required) - PEM encoded private key for the client
  • base_url (string,required) - URL of Chef API endpoint
  • default_policies (string, optional) - Comma seperated list of policies to apply to all clients authentiating to this endpoint

Via the CLI

$ vault write auth/chef-node/config client_name=vault [email protected] \
  base_url=https://manage.chef.io/organizations/vaulttest default_policies=foo,bar

Authentication

The endpoint for the login is auth/chef-node/login.

Authentication Parameters

  • client_name (string, required) - The name of the Chef client we are authenticating
  • signature (string, required) - Base64 encoded Chef authentication signature. As generated by mixlib-authentication rubygem.
  • signature_version (string, required) - The version of the Chef signature used. Currently should be set to 'algorithm=sha1;version=1.0;'
  • timestamp (string, required) - Timestamp used to generate signature in time.RFC3339 format

Via the API

$ curl -X POST "http://$VAULT_ADDR/v1/auth/chef-node/login" -d \
'{
    "client_name": "test_client",
    "signature_version": "algorithm=sha1;version=1.0;",
    "timestamp": "2016-10-26T04:47:09Z",
    "signature": "s9CqukciwdqA7f4H23Wz5xWbnMaFjurEPKpHnQoa8pGLrFVWPYiOAmO7DffTROxQjtEBqeufxfUwYE1oXcd7K7F/7GEtjSqTbWZBvw=="
}' 

The response will be in JSON. For Example:

{
  "request_id": "7b686c95-fb90-d5d0-9a8b-9d4d321b2d06",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": null,
  "wrap_info": null,
  "warnings": null,
  "auth": {
    "client_token": "a147bdb1-e4fe-88db-68a8-e7aa992ce294",
    "accessor": "21d56cd9-dfc5-425d-667e-f200a88922d3",
    "policies": [
      "default"
    ],
    "metadata": null,
    "lease_duration": 2764800,
    "renewable": true
  }
}

Policy mapping

Policies can be mapped to a Chef client.

The mapping of Chef client to policies is managed by using the client/ path.

Chef client

Policies mapped to a Chef client will apply to only that client.

$ vault write auth/chef-node/client/vault.example.com policies=cp

API

/auth/chef-node/config

POST

Description
Configure the Chef Node authentication backend.
Method
POST
URL
/auth/chef-node/config
Parameters
  • client_name required Name of the Chef client vault should use to connect to the Chef server.
  • client_key required Private key of the Chef client vault should use to connect to the Chef server.
  • default_policies optional Comma seperated list of policies to apply to all authenticated clients
Returns
204 response code.

GET

Description
Retrieve the Chef Node configuration.
Method
GET
URL
/auth/chef-node/config
Parameters
None
Returns
    {
      "request_id": "c8f4ee10-2811-5456-98d6-ab71cf969f79",
      "lease_id": "",
      "lease_duration": 0,
      "renewable": false,
      "data": {
        "base_url": "https://manage.chef.io/organizations/vault",
        "client_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEo....py0YxXVJRIr5264hWN3y9\n-----END RSA PRIVATE KEY-----",
        "client_name": "vault"
      },
     "warnings": [
       "Read access to this endpoint should be controlled via ACLs as it will return the configuration information as-is, including any passwords."
     ]
   }

/auth/chef-node/login

POST

Description
Authenticate to Vault.
Method
POST
URL
/auth/chef-node/login
Parameters
  • client_name required Name of the Chef node that is authenticating.
  • signature_version required Version of the Chef signature to use. Currently only "algorithm=sha1;version=1.0" is supported
  • timestamp required Timestamp used when the signature was generated.
  • signature required Chef authentication signature Base 64 encoded.
Returns
    {
       "request_id": "7b686c95-fb90-d5d0-9a8b-9d4d321b2d06",
       "lease_id": "",
       "renewable": false,
       "lease_duration": 0,
       "data": null,
       "wrap_info": null,
       "warnings": null,
       "auth": {
         "client_token": "a147bdb1-e4fe-88db-68a8-e7aa992ce294",
         "accessor": "21d56cd9-dfc5-425d-667e-f200a88922d3",
         "policies": [
          "default"
         ],
         "metadata": null,
         "lease_duration": 2764800,
         "renewable": true
       }
     }

/auth/chef-node/clients

LIST

Description
Retrieve the list of configured Chef clients.
Method
LIST/GET
URL
/auth/chef-node/clients (LIST) or /auth/chef-node/clients?list=true (GET)
Parameters
None
Returns
    {
      "request_id": "a19f3fd5-d38b-9dd9-9032-ea55d4fcb496",
      "lease_id": "",
      "renewable": false,
      "lease_duration": 0,
      "data": {
        "keys": [
          "vault.example.com"
        ]
      },
      "wrap_info": null,
      "warnings": null,
      "auth": null
    }

/auth/chef-node/client/[client_name]

POST

Description
Set the policy mappings for a Chef client.
Method
POST
URL
/auth/chef-node/client/[client_name]
Parameters
  • policies required Comma separated list of policies to associate to the client.
Returns
204 response code.

GET

Description
Get the policy mappings for a Chef client.
Method
GET
URL
/auth/chef-node/client/[client_name]
Parameters
None
Returns
    {
        "request_id": "07849a62-388a-f9ec-ab90-36848f90718d",
        "lease_id": "",
        "lease_duration": 0,
        "renewable": false,
        "data": {
        "policies": [
           "default",
           "p1",
           "p2"
        ]
      },
      "warnings": null
    }

DELETE

Description
Delete policy mappings for a Chef client.
Method
DELETE
URL
/auth/chef-node/client/[client_name]
Parameters
None
Returns
204 response code