Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(vault): vault lua module, integration with jwt-auth authentication plugin #5745

Merged
merged 28 commits into from
Dec 15, 2021
Merged

feat(vault): vault lua module, integration with jwt-auth authentication plugin #5745

merged 28 commits into from
Dec 15, 2021

Conversation

bisakhmondal
Copy link
Member

@bisakhmondal bisakhmondal commented Dec 8, 2021
edited
Loading

What this PR does / why we need it:

This PR integrates HashiCorp Vault with APISIX jwt-auth authentication plugin.
With this PR

  • APISIX can store, delete, fetch data from vault (lua module)
  • jwt-auth can retrieve private and public keys from the vault's encrypted kv storage.
  • jwt-auth can store and retrieve signing secrets into and from the vault.

Pre-submission checklist:

  • Did you explain what problem does this PR solve? Or what new features have been added?
  • Have you added corresponding test cases?
  • Have you modified the corresponding document?
  • Is this PR backward compatible? If it is not backward compatible, please discuss on the mailing list first

spacewander
spacewander reviewed Dec 9, 2021
View reviewed changes
apisix/core/vault.lua Outdated Show resolved Hide resolved
apisix/plugins/jwt-auth.lua Outdated Show resolved Hide resolved
apisix/plugins/jwt-auth.lua Outdated Show resolved Hide resolved
apisix/admin/consumers.lua Outdated Show resolved Hide resolved
apisix/plugins/jwt-auth.lua Outdated Show resolved Hide resolved
spacewander
spacewander requested changes Dec 10, 2021
View reviewed changes
Copy link
Member

@spacewander spacewander left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@bisakhmondal
Please don't ignore the suggestion from the maintainer, thanks!

spacewander
spacewander reviewed Dec 10, 2021
View reviewed changes
t/plugin/jwt-auth-vault.t Outdated Show resolved Hide resolved
docs/en/latest/plugins/jwt-auth.md Outdated Show resolved Hide resolved
docs/en/latest/plugins/jwt-auth.md Outdated Show resolved Hide resolved
docs/en/latest/plugins/jwt-auth.md Outdated Show resolved Hide resolved
conf/config-default.yaml Outdated
@@ -281,6 +281,17 @@ etcd:
# the default value is true, e.g. the certificate will be verified strictly.
#sni: # the SNI for etcd TLS requests. If missed, the host part of the URL will be used.

# storage backend for sensitive data storage and retrieval
vault:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's comment out this section, we do not need to require vault by default.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Err. Actually, I mean like this :

#vault:
  # ...

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ahh, I get it now 😄

Copy link
Member Author

@bisakhmondal bisakhmondal Dec 12, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated. Thanks for the review

apisix/plugins/jwt-auth.lua Outdated
@@ -28,7 +29,7 @@ local ngx_time = ngx.time
local sub_str = string.sub
local plugin_name = "jwt-auth"
local pcall = pcall

local jwt_vault_prefix = "jwt-auth/keys/"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What about changing it to consumer/<username>/jwt-auth/?
I think about it several times. Although it requires to change several places in this PR, the new format is more extendable, and easier to recognize. People will remember the username better than the key.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the suggestion. Addressed

spacewander
spacewander reviewed Dec 12, 2021
View reviewed changes
conf/config-default.yaml Outdated
@@ -281,6 +281,17 @@ etcd:
# the default value is true, e.g. the certificate will be verified strictly.
#sni: # the SNI for etcd TLS requests. If missed, the host part of the URL will be used.

# storage backend for sensitive data storage and retrieval
vault:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Err. Actually, I mean like this :

#vault:
  # ...

t/plugin/jwt-auth-vault.t Outdated
}
}
}]],
[[{
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we remove the expected response? We don't need to check this output anymore. More other tests already do it.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure. Done

@spacewander
Copy link
Member

My review is almost done, only a few things need to be addressed. 😄

spacewander
spacewander reviewed Dec 13, 2021
View reviewed changes
t/plugin/jwt-auth-vault.t Outdated


=== TEST 6: sign a HS256 jwt and access/verify /secure-endpoint
--- extra_yaml_config
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can set up a common yaml config in this file?

bisakhmondal
bisakhmondal commented Dec 13, 2021
View reviewed changes
t/plugin/jwt-auth-vault.t
Comment on lines +42 to +51
my $vault_config = $block->extra_yaml_config // <<_EOC_;
vault:
host: "http://0.0.0.0:8200"
timeout: 10
prefix: kv/apisix
token: root
_EOC_

$block->set_value("extra_yaml_config", $vault_config);

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How is it now? @spacewander

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@spacewander spacewander merged commit 0d4f65a into apache:master Dec 15, 2021
@spacewander spacewander mentioned this pull request Dec 31, 2021
Closed
@juzhiyuan juzhiyuan mentioned this pull request Jan 16, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@spacewander spacewander spacewander approved these changes

@tzssangglass tzssangglass tzssangglass approved these changes

@bzp2010 bzp2010 Awaiting requested review from bzp2010

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@bisakhmondal @spacewander @tzssangglass