Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

agent: allow AppRole Auto-Auth when bind_secret_id = false #6324

Merged
merged 6 commits into from
Apr 1, 2019
Merged

agent: allow AppRole Auto-Auth when bind_secret_id = false #6324

merged 6 commits into from
Apr 1, 2019

Conversation

deblasis
Copy link
Contributor

@deblasis deblasis commented Mar 2, 2019

Currently, if you have an AppRole configured with bind_secret_id = false and at least a constraint, you can login with just the role_id.

Vault agent doesn't support this method for Auto-Auth as it expects a mandatory secret_id_file_path.

Changes:

  • This PR makes secret_id_file_path optional.
  • Added unit tests in order to provide coverage for the default/current behaviour and for the new logical branches.
  • Updated docs to reflect the changes

The code should be self-explanatory but there's always room for improvements 😄

I hope to see this merged at some point, I hate maintaining forks 😀

@deblasis
agent: allow AppRole Auto-Auth when bind_secret_id = false
8e9029c 
New feature driven by our requirements.
I believe it would be nice to have.
@jefferai jefferai mentioned this pull request Mar 2, 2019
Closed
jefferai
jefferai reviewed Mar 2, 2019
View reviewed changes
command/agent/auth/approle/approle.go
@@ -180,9 +196,6 @@ func (a *approleMethod) Authenticate(ctx context.Context, client *api.Client) (s
}
}

if a.cachedRoleID == "" {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What's the purpose of removing this?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @jefferai, it was not removed, just moved few lines above: https://github.com/hashicorp/vault/pull/6324/files/8e9029c6b9d1489f4606c126d306eeec1aa368b8#diff-fa73d70313fadbda55b7ae69904d6349R115

The reason being the fact that we return in https://github.com/hashicorp/vault/pull/6324/files/8e9029c6b9d1489f4606c126d306eeec1aa368b8#diff-fa73d70313fadbda55b7ae69904d6349R120 whenever we are trying to authenticate with just the role_id

jefferai
jefferai reviewed Mar 2, 2019
View reviewed changes
command/agent/auth/approle/approle.go Outdated
@@ -21,6 +21,7 @@ type approleMethod struct {

roleIDFilePath string
secretIDFilePath string
secretIDLessMode bool
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a reason you need this bool? Seems like simply checking the path for emptiness should be sufficient.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 You are right, PR updated

deblasis
deblasis commented Mar 3, 2019
View reviewed changes
Copy link
Contributor Author

@deblasis deblasis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

command/agent/auth/approle/approle.go
@@ -180,9 +196,6 @@ func (a *approleMethod) Authenticate(ctx context.Context, client *api.Client) (s
}
}

if a.cachedRoleID == "" {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @jefferai, it was not removed, just moved few lines above: https://github.com/hashicorp/vault/pull/6324/files/8e9029c6b9d1489f4606c126d306eeec1aa368b8#diff-fa73d70313fadbda55b7ae69904d6349R115

The reason being the fact that we return in https://github.com/hashicorp/vault/pull/6324/files/8e9029c6b9d1489f4606c126d306eeec1aa368b8#diff-fa73d70313fadbda55b7ae69904d6349R120 whenever we are trying to authenticate with just the role_id

command/agent/auth/approle/approle.go Outdated
@@ -21,6 +21,7 @@ type approleMethod struct {

roleIDFilePath string
secretIDFilePath string
secretIDLessMode bool
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 You are right, PR updated

@jefferai jefferai added this to the 1.1.1 milestone Mar 29, 2019
jefferai
jefferai requested changes Apr 1, 2019
View reviewed changes
Copy link
Member

@jefferai jefferai left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One thing, LGTM otherwise.

@jefferai jefferai merged commit 14138f6 into hashicorp:master Apr 1, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jefferai jefferai jefferai requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
1.1.1
Development

Successfully merging this pull request may close these issues.
2 participants
@deblasis @jefferai