[WIP] Support custom max Nomad token name length [supersedes https://github.com/hashicorp/vault/pull/4361] #5117
Conversation
| "max_token_length": &framework.FieldSchema{ | ||
| Type: framework.TypeInt, | ||
| Description: "Max length for generated Nomad tokens", | ||
| // Default length is 256 as of |
There was a problem hiding this comment.
I would leave these comments out since they can get out of date pretty quickly.
| @@ -96,6 +108,20 @@ func (b *backend) pathConfigAccessWrite(ctx context.Context, req *logical.Reques | |||
| conf.Token = token.(string) | |||
| } | |||
|
|
|||
| // max_token_length has default of 256 | |||
| conf.MaxTokenLength = data.Get("max_token_length").(int) | |||
| envMaxTokenLength := os.Getenv("NOMAD_MAX_TOKEN_LENGTH") | |||
There was a problem hiding this comment.
I don't think you need an environment variable for this value. These are usually reserved for sensitive values or cloud SDK symmetry and most things should just get store directly in barrier storage.
| conf, _ := b.readConfigAccess(ctx, req.Storage) | ||
| // establish a default | ||
| tokenNameLength := maxTokenNameLength | ||
| if conf != nil { |
There was a problem hiding this comment.
We should only set the value to the config value if it is greater than zero since that will be the default when deserializing.
| // of the pseudo randomized token name is the part that gets trimmed off, | ||
| // weaking it's randomness. | ||
| if len(tokenName) > tokenNameLength { | ||
| tokenName = tokenName[0:tokenNameLength] |
There was a problem hiding this comment.
I think the more idiomatic way of doing this is tokenName[:tokenNameLength]
| @@ -23,6 +26,14 @@ func pathConfigAccess(b *backend) *framework.Path { | |||
| Type: framework.TypeString, | |||
| Description: "Token for API calls", | |||
| }, | |||
|
|
|||
| "max_token_length": &framework.FieldSchema{ | |||
There was a problem hiding this comment.
Maybe this parameter should be named max_token_name_length.
| @@ -58,8 +64,11 @@ func (b *backend) pathTokenRead(ctx context.Context, req *logical.Request, d *fr | |||
|
|
|||
| // Handling nomad maximum token length | |||
| // https://github.com/hashicorp/nomad/blob/d9276e22b3b74674996fb548cdb6bc4c70d5b0e4/nomad/structs/structs.go#L115 | |||
There was a problem hiding this comment.
You can remove this comment too.
| // randomWithPrefix is used to generate a unique name with a prefix, for | ||
| // randomizing names in acceptance tests | ||
| func randomWithPrefix(name string) string { | ||
| reseed() |
There was a problem hiding this comment.
What is the reseed function for? It is seeding the global rand source, but then you're using a new random source in your Sprintf. You can alternatively also use an existing utility like base62.Random() to generate random strings.
| { | ||
| title: "ConfigOverride-LongName-envtrim", | ||
| roleName: "testlongerrolenametoexceed64charsdddddddddddddddddddddddd", | ||
| envLengthString: "16", |
There was a problem hiding this comment.
Some good additional test cases would be this envvar being out of range or not a valid integer.
| // https://github.com/hashicorp/nomad/blob/d9276e22b3b74674996fb548cdb6bc4c70d5b0e4/nomad/structs/structs.go#L115 | ||
| if len(tokenName) > 64 { | ||
| tokenName = tokenName[0:63] | ||
| // Note: if the given role name is suffeciently long, the UnixNano() portion |
| tokenName = tokenName[0:63] | ||
| // Note: if the given role name is suffeciently long, the UnixNano() portion | ||
| // of the pseudo randomized token name is the part that gets trimmed off, | ||
| // weaking it's randomness. |
|
Test results: |
| "max_token_name_length": &framework.FieldSchema{ | ||
| Type: framework.TypeInt, | ||
| Description: "Max length for name of generated Nomad tokens", | ||
| Default: maxTokenNameLength, |
There was a problem hiding this comment.
One more thing here. You should probably not set the default value in the path config. This will mean we will store this value in storage and if we change the default again, they will have an explicit value. You can just omit the Default.
There was a problem hiding this comment.
Omitting the default will leave a zero value in the struct and be serialized like that. We could change the accessConfig.MaxTokenNameLength to be an *int and use nil there, or just ignore the value when it's zero. I'll assume the later for now
There was a problem hiding this comment.
Or set it the default to -1 maybe?
There was a problem hiding this comment.
I think the zero value is fine, it is the same as default. I don't think we need to do any int pointer work. Does this api support create vs update? If so, you should be able to handle the case where they don't provide the value and just patch the updated fields.
Continuing #4361 to allow users to supply a custom max length for Nomad credential token names. For Nomad version 0.8.3 and before, the max length for the name of the token is 64 characters. With Nomad 0.8.4+, the max length is now 256.
Here we apply a default max length of 256, but allow users to override that with either the
max_token_lengthattribute, or using theNOMAD_MAX_TOKEN_LENGTHenvironment variable.NOTE: I've switched the tests to use my fork of the Dockerized Nomad at catsby/nomad on docker hub. The current version is 0.8.3 and I needed 0.8.4 to support the new max length.
Updating the docs now and will push when they are done. Opening this PR now for early review.