Closed markltbaker closed 5 years ago
I'm also extremely interested in adding namespace support to get the Jenkins plugin functional with Enterprise Vault.
If you're authenticating via approle in another namespace, how are you using tokens generated from the login in other namespaces? My use case has each namespace manage its own auth and secret backends, for that namespace.
Hmmm. You make a very good point. We are authenticating at the root namespace for interactive users, but for AppRoles we are doing that at the namespace level. So I don't think I do actually need that optional namespace param in Auth.loginByAppRole().... Unless someone else wants it, I'll just take that out. Thanks for the feedback!
@markltbaker The code works with top level namespaces, but child namespaces have a problem because the "/" delimiter gets URL encoded.
"infosec" works, but "infosec/devops" gets URL encoded to "infosec%2Fdevops". I'll see if our dev can post his patches to this issue, but I at least wanted to comment in case the PR gets merged before I can get it submitted.
Sorry for the delayed response on this, guys. I've been pulled in other directions recently, and there's been a bit of a lag while recruiting other developers to lend some code in cranking out features.
Another internal developer here has been working on a branch to add support for the V2 key-value store. He went ahead and added enterprise namespace support to that branch while he was at it. The PR just went up (see link below). Once a couple of reviewers have taken a look then we'll merge and push a new version to Maven Central.
Thank you so much @steve-perkins !! I'll have one of our guys try out the PR that supports namespaces ASAP.
Agreed, will review that PR and drop mine, did not see that the branch added Namespace support before.
Is there a way to specify root as the namespace? I understand leaving it blank points to root but looking for a bit more deliberate setting.
Enterprise Vault supports namespaces https://www.vaultproject.io/docs/enterprise/namespaces/index.html which would be useful to support in the driver. It's just an extra header to the HTTPS request of "X-Vault-Namespace: your-namespace".
Unfortunately I think it would need some adding of public API, although could be done in a compatible way. Would be tempted to add an optional Namespace to the VaultConfig so it could be set once for all vault use. Would also need (in my use-case) to pass in an optional namespace to the Auth.loginByAppRole() method as my auth is attached in a different namespace to everything else.
Does anyone have feedback on the desirability of the above changes? Can knock up a MR but very happy to take direction on this. I don't have strong opinions about where/how to do it, but would like to use this driver with my Enterprise Vault :)
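The header described in this issue and the child-namespace encoding problem reported in the comments, as an added example that is not the driver's or the PR's own code: it uses only the JDK's `java.net.http` to show the namespace sent verbatim in `X-Vault-Namespace` instead of being URL-encoded. The Vault address, token, secret path and helper names are constructed for illustration.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpRequest;
import java.nio.charset.StandardCharsets;

public class VaultNamespaceHeaderExample {

    // Header name as given in the issue text.
    static final String NAMESPACE_HEADER = "X-Vault-Namespace";

    /** Trim surrounding slashes; blank input returns null (blank means root, per the thread). */
    static String normalizeNamespace(String ns) {
        if (ns == null) return null;
        String trimmed = ns.trim().replaceAll("^/+|/+$", "");
        if (trimmed.isEmpty()) return null;
        // Reject control characters so a namespace read from configuration
        // cannot smuggle CR/LF into the request headers.
        if (trimmed.chars().anyMatch(c -> c < 0x20 || c == 0x7f)) {
            throw new IllegalArgumentException("namespace contains control characters");
        }
        return trimmed;
    }

    /** Build a read request; the namespace travels in the header, unencoded. */
    static HttpRequest buildRead(String vaultAddr, String token, String namespace, String path) {
        HttpRequest.Builder b = HttpRequest.newBuilder()
                .uri(URI.create(vaultAddr + "/v1/" + path))
                .header("X-Vault-Token", token)
                .GET();
        String ns = normalizeNamespace(namespace);
        if (ns != null) {
            b.header(NAMESPACE_HEADER, ns); // "/" stays a literal delimiter here
        }
        return b.build();
    }

    public static void main(String[] args) {
        String child = "infosec/devops";
        // The failure reported in the thread: URL-encoding mangles the "/" delimiter.
        System.out.println("url-encoded: " + URLEncoder.encode(child, StandardCharsets.UTF_8));
        // Constructed address, token and path; nothing is sent over the network.
        HttpRequest req = buildRead("https://vault.example.com:8200", "token-placeholder", child, "secret/app");
        System.out.println("header:      " + req.headers().firstValue(NAMESPACE_HEADER).orElse("(root)"));
        HttpRequest root = buildRead("https://vault.example.com:8200", "token-placeholder", "", "secret/app");
        System.out.println("blank ns:    " + root.headers().firstValue(NAMESPACE_HEADER).orElse("(root)"));
    }
}
```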