Fixed token metadata for policy templating #19888

Open
h33p opened this issue Mar 31, 2023 · 0 comments


h33p commented Mar 31, 2023

Is your feature request related to a problem? Please describe.
There is a clear demand to template policies based on token metadata. Currently, there is no way to do so, because of potential security risks of child tokens changing their metadata and walking around policies.

Here's an example issue: #10460

Describe the solution you'd like
The solution could work analogously to orphan tokens. I have 2 possible options:

We can create "fixed" metadata with one of the following:

  1. sudo or root access to the auth/token/create and setting fixed_metadata parameter to true.
  2. Access to the auth/token/create/:role that has fix_metadata set.

Then policies may template {{ token.metadata }}, if and only if fixed_metadata is set to true. Pseudocode of how this would be handled in code:

def metadata_key(self, key):
    # A metadata key resolves for templating only when the token's metadata is fixed.
    if not self.fixed_metadata or key not in self.metadata:
        return None
    return self.metadata[key]

fixed_metadata "sticks" to all child non-orphan tokens, and whenever that key is set to true, the token is refused write access to token metadata.

Another option would be an additional field in tokens, called fixed_metadata. We can create "fixed" metadata with one of the following:

  1. sudo or root access to the auth/token/create and setting fixed_metadata parameter to the metadata we want to fix to the token.
  2. Access to the auth/token/create/:role that has fix_metadata set to true, and setting fixed_metadata to the metadata we want to fix to the token.

Same as the previous option, fixed_metadata "sticks" to all child non-orphan tokens.

Describe alternatives you've considered
Multiple AppRoles. While that works, it limits flexibility a lot, because we have a generic model of where we put secrets for different apps, and keeping track of that in Terraform is very verbose. All we want is the following policy:

path "secret/data/{{ token.metadata.subpath }}/*" {
    capabilities = ["read", "list"]
}

path "secret/metadata/{{ token.metadata.subpath }}/*" {
    capabilities = ["read", "list"]
}
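The following is an added, self-contained model of the issue's first option (it is not code from the issue or from Vault): a token carries metadata plus a fixed_metadata flag, the flag can only be set by a privileged caller, fixed metadata is inherited by non-orphan child tokens that are then refused any metadata write, and a policy rule containing {{ token.metadata.<key> }} applies to a token only when that key resolves from fixed metadata. The create_token, render_path and capabilities functions, the privileged flag standing in for sudo/root or a fixing role, and the trailing-* path matching (Vault's + segment wildcard is left out) are simplifying assumptions of this example; the {{ token.metadata.<key> }} syntax is the one proposed in the issue, not an existing Vault template variable.

```python
import re
from dataclasses import dataclass


class FixedMetadataError(Exception):
    """Raised when a token tries to write metadata it is not allowed to change."""


@dataclass
class Token:
    metadata: dict
    fixed_metadata: bool = False
    orphan: bool = False


def create_token(parent=None, metadata=None, *, orphan=False,
                 fixed_metadata=False, privileged=False):
    """Hypothetical auth/token/create following option 1 of the issue.

    privileged=True stands in for sudo/root on auth/token/create or for a
    token role that has fix_metadata set (assumption of this example).
    """
    metadata = dict(metadata or {})
    if fixed_metadata and not privileged:
        raise PermissionError("fixed_metadata requires sudo/root or a fixing role")
    if parent is not None and parent.fixed_metadata and not orphan:
        # Fixed metadata sticks to non-orphan children; the child cannot write it.
        if metadata:
            raise FixedMetadataError("child of a fixed-metadata token cannot set metadata")
        return Token(dict(parent.metadata), fixed_metadata=True)
    return Token(metadata, fixed_metadata=fixed_metadata, orphan=orphan)


def metadata_key(token, key):
    """The issue's rule: a key resolves only when the token's metadata is fixed."""
    if not token.fixed_metadata or key not in token.metadata:
        return None
    return token.metadata[key]


TEMPLATE = re.compile(r"\{\{\s*token\.metadata\.([A-Za-z0-9_-]+)\s*\}\}")


def render_path(path_template, token):
    """Expand {{ token.metadata.X }} in a policy path.

    Returns None when any key cannot be resolved, so a rule that depends on
    self-chosen (non-fixed) metadata never grants anything.
    """
    unresolved = False

    def substitute(match):
        nonlocal unresolved
        value = metadata_key(token, match.group(1))
        if value is None:
            unresolved = True
            return ""
        return value

    rendered = TEMPLATE.sub(substitute, path_template)
    return None if unresolved else rendered


def path_matches(rule_path, request_path):
    """Simplified Vault-style matching: a trailing '*' is a prefix glob."""
    if rule_path.endswith("*"):
        return request_path.startswith(rule_path[:-1])
    return rule_path == request_path


def capabilities(policy, token, request_path):
    """Union of the capabilities of every rule that applies to request_path."""
    caps = set()
    for path_template, rule_caps in policy:
        rendered = render_path(path_template, token)
        if rendered is not None and path_matches(rendered, request_path):
            caps.update(rule_caps)
    return caps


# The policy from the issue, as (path template, capabilities) pairs.
POLICY = [
    ("secret/data/{{ token.metadata.subpath }}/*", ["read", "list"]),
    ("secret/metadata/{{ token.metadata.subpath }}/*", ["read", "list"]),
]

if __name__ == "__main__":
    # Constructed sample: a fixed token for app-a and a non-fixed token that
    # chose the same metadata for itself.
    fixed = create_token(metadata={"subpath": "app-a"}, fixed_metadata=True, privileged=True)
    loose = create_token(metadata={"subpath": "app-a"})
    print(capabilities(POLICY, fixed, "secret/data/app-a/db"))   # read and list
    print(capabilities(POLICY, loose, "secret/data/app-a/db"))   # empty set
```

The security-relevant behaviour is in render_path: a token whose metadata is not fixed gets no expansion at all, so the rule is dropped instead of being evaluated against attacker-chosen metadata, and a child of a fixed token both inherits the metadata and is refused any attempt to replace it.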