JetBrains / teamcity-hashicorp-vault-plugin

TeamCity plugin to support HashiCorp Vault
Apache License 2.0

Vault Enterprise namespace support #20

Closed realrill closed 4 years ago

realrill commented 5 years ago

Hi all,

Correct me if I'm wrong but I cannot find anything related to the subject. Can anyone confirm that this plugin is compatible with Vault Enterprise Namespaces?

I saw issue #10 but that didn't solve my problem, and it looks like that is for multiple sessions with the default Vault namespace.

VladRassokhin commented 5 years ago

I don't see from docs how "Vault Enterprise Namespaces" affects Vault REST API, so I'd say that there's nothing special to support.

What are you expecting from 'Vault Enterprise Namespaces' support?

realrill commented 5 years ago

Let me explain.

In Vault Enterprise you can create Namespaces. These namespaces are like virtual Vault servers on the same machine where the default namespace runs.

For example (Use the root token):

On the Vault server - with an enterprise licence - create a namespace named ns. Then follow the approle creation steps:

vault auth enable -namespace=ns approle
vault policy write -namespace=ns realrill-policy -<<EOF
path "test*" {
  capabilities = ["read"]
}
path "auth/token/revoke-accessor" {
  capabilities = ["update"]
}
EOF
vault write -namespace=ns auth/approle/role/realrill-role token_ttl=30m token_max_ttl=24h policies="realrill-policy"
vault read -namespace=ns auth/approle/role/realrill-role/role-id
vault write -f -namespace=ns auth/approle/role/realrill-role/secret-id

Use the role-id and secret-id you got in the command below:

vault write -namespace=ns auth/approle/login role_id=<role-id> secret_id=<secret-id>

With these steps you have created a token for Vault's ns namespace.

Try to generate the token without the -namespace=ns. It throws an error, the same error that I get when I try to connect to the Vault server from the plugin with the Vault ns namespace role-id and secret-id.

Error writing data to auth/approle/login: Error making API request.

URL: PUT http://<demoVaultIP>:8200/v1/auth/approle/login
Code: 400. Errors:

* invalid role ID

realrill commented 5 years ago

@VladRassokhin Does the above example make sense to you what I'm expecting from Vault Enterprise Namespace support?

realrill commented 5 years ago

Hi @VladRassokhin Any update or feedback to this?

realrill commented 5 years ago

Hi @VladRassokhin Can I get any feedback related to this ticket?

digi691 commented 5 years ago

I don't see from docs how "Vault Enterprise Namespaces" affects Vault REST API, so I'd say that there's nothing special to support.

What are you expecting from 'Vault Enterprise Namespaces' support?

@VladRassokhin

I believe the problem here is that the plugin doesn't support the X-Vault-Namespace header, which is fine when looking at the docs (https://www.vaultproject.io/docs/enterprise/namespaces/index.html). Though the plugin is hard-coding the auth at the beginning of the 'AppRole auth endpoint path' input at server/src/main/kotlin/org/jetbrains/teamcity/vault/server/VaultConnector.kt. So even when the user defines his namespace structure in the AppRole auth endpoint like: ns1/ns2/auth/approle

The POST errors out like below: I/O error on POST request for "http://localhost:8200/v1/auth/ns1/ns2/auth/approle/login"

If the plugin is not going to support the X-Vault-Namespace header to use relative paths, then the plugin should take the full path of the AppRole auth endpoint and not infer 'auth' at the beginning of the 'AppRole auth endpoint path'. From the example above, I believe the 'AppRole auth endpoint path' input should be able to handle the following input: ns1/ns2/auth/approle

-Chris
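As an added example (not code from the plugin or from anyone in this thread), here is a Python sketch of the two ways Vault Enterprise accepts a namespace on an AppRole login, the header and the path prefix, next to the URL a client that always prefixes 'auth/' produces. The split_namespaced_endpoint helper and its rule (namespace = everything before the first 'auth' segment) are my assumption, not plugin behaviour; addresses and ids are constructed.

```python
import json
from urllib.request import Request, urlopen

def split_namespaced_endpoint(endpoint):
    """Split 'ns1/ns2/auth/approle' into ('ns1/ns2', 'auth/approle').

    Assumption (not how the plugin works): the namespace is every segment
    before the first 'auth' segment; a plain 'auth/approle' has none.
    """
    parts = [p for p in endpoint.split("/") if p]
    idx = parts.index("auth") if "auth" in parts else 0
    return "/".join(parts[:idx]), "/".join(parts[idx:])

def approle_login_request(vault_addr, namespace, auth_path, role_id, secret_id,
                          use_header=True):
    """Describe the AppRole login call for a namespaced Vault.

    Vault Enterprise takes the namespace either as the X-Vault-Namespace
    header or as a prefix on the request path (/v1/<ns>/auth/approle/login);
    both correspond to `vault write -namespace=<ns> auth/approle/login ...`.
    """
    path = auth_path.strip("/") + "/login"
    headers = {"Content-Type": "application/json"}
    if namespace and use_header:
        headers["X-Vault-Namespace"] = namespace.strip("/") + "/"  # as in the Vault docs
    elif namespace:
        path = namespace.strip("/") + "/" + path
    return {
        "method": "POST",
        "url": vault_addr.rstrip("/") + "/v1/" + path,
        "headers": headers,
        # secret_id is a credential: it belongs in the body, never in the URL or logs
        "body": {"role_id": role_id, "secret_id": secret_id},
    }

def hardcoded_auth_url(vault_addr, endpoint):
    """URL built by a client that always prepends 'auth/' to the endpoint input.
    'ns1/ns2/auth/approle' becomes /v1/auth/ns1/ns2/auth/approle/login, the
    path in the I/O error quoted above."""
    return vault_addr.rstrip("/") + "/v1/auth/" + endpoint.strip("/") + "/login"

def login(vault_addr, namespace, auth_path, role_id, secret_id):
    """Send the header-based request and return the client token (needs a live Vault)."""
    req = approle_login_request(vault_addr, namespace, auth_path, role_id, secret_id)
    http_req = Request(req["url"], data=json.dumps(req["body"]).encode(),
                       headers=req["headers"], method=req["method"])
    with urlopen(http_req, timeout=10) as resp:
        return json.load(resp)["auth"]["client_token"]
```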