Open Never77 opened 8 months ago
The provider can obviously be improved; if you're able to collaborate on this, feel free! I will take into account any suggestion and implement it as I can. I didn't put any tests because I can only test this code at the office. If someone has any solution to leverage a CyberARK AIM instance using a VM or Docker, don't hesitate to contact me; I will add the tests then.
Thanks for the contribution @Never77! We're going to have the same issue working on this as you without having access to a test instance, but if we figure out an easy way to test locally we'll let you know. Did you happen to look into the possibility of leveraging this library for this integration? I don't know anything about it myself so I was wondering if you had done any research into existing libraries before implementing this.
I made some tests with this library and had pretty bad performance. Then I tried to make it as simple as possible to test whether it was coming from the library itself or the CyberARK instance. It was the CyberARK instance that had a bad setup (we have about 20 seconds to wait before getting the response). I didn't make any changes to the code after that. I can make some tests and try to put pyAIM in for better handling. I will check that again and let you know when I have my results.
The API call that takes 20 seconds to reply is the search one. After that it's instant.
I'd love to help test this one on our lab instance. But I haven't done testing from new feature branches on Nautobot before. :( Can you give me some high level steps on how I could get this feature on our lab instance?
If you have everything needed in your lab (Nautobot 2.x minimum and CyberARK AIM with the API reachable), you can install the plugin from source, for example by cloning/downloading the repository from the branch I created and installing the source in the Nautobot virtual environment like this:
source /path/to/nautobot/venv/bin/activate
cd /path/to/the/cloned/branch/uncompressed
pip install -e .
nautobot-server post_upgrade
Don't forget to use the PLUGINS_CONFIG dictionary I have prepared in the README.md file of the project, and give an account that can reach a vault in CyberARK. Try to store an account in a vault that the user can read, and get it from Nautobot by creating a secret group. If you want to check by hand directly in the CLI, I can give you the Python code you can run in the Nautobot Python shell as well (it's a little bit hard to find in my mind, but the example exists in the documentation).
Can you check if I understand the steps correctly? I also have a few questions later since I might be using cyber ark in a different way...
Steps
Clone repo, on branch add-cyberark-provider (Is the link correct?) git clone https://github.com/Never77/nautobot-app-secrets-providers/tree/feature/add-cyberark-provider
Create a virtual env and activate it source /path/to/nautobot/venv/bin/activate
pip install -e .
pip install nautobot-secrets-providers[cyberark]
update PLUGINS_CONFIG dictionary
# In your nautobot_config.py
import os

PLUGINS = ["nautobot_secrets_providers"]
PLUGINS_CONFIG = {
    "nautobot_secrets_providers": {
        "cyberark": {
            "url": os.getenv("NAUTOBOT_CYBERARK_URL", None),
            "token": os.getenv("NAUTOBOT_CYBERARK_TOKEN", None),
            "username": os.getenv("NAUTOBOT_CYBERARK_USERNAME", None),
            "password": os.getenv("NAUTOBOT_CYBERARK_PASSWORD", None),
        }
    }
}
Perform "nautobot-server post_upgrade"
We're using the CyberArk Privilege Cloud REST API, where we get a token using our client id and client secret. And that token is only valid for retrieving passwords for 5 minutes. Is this what we're supposed to use for the token in the PLUGINS_CONFIG dict?
Yes, it's quite the right way to do it; just install Nautobot before installing the plugin. The link is the right one. More precisely:
python -m venv nautobot
source nautobot/bin/activate
pip install nautobot # Ensure here Nautobot is installed with version 2 or more
You'll need to do a git clone or download the ZIP archive by hand and put it on the server using SCP or any file transfer protocol like FTP/SFTP.
Then you can go inside and install the code (make sure you are on my branch to test the CyberARK provider):
git clone https://github.com/Never77/nautobot-app-secrets-providers.git
cd nautobot-app-secrets-providers
git checkout feature/add-cyberark-provider
pip install -e .
You must install the plugin this way because the package with my code is not published yet, since it needs to be merged before it can be published.
Here you have perfectly understood the steps to configure the plugin. You'll need to put some environment variables on your machine for the user that launches the Nautobot server; in a dirty way, you can put your variables directly in the dict to test. Like this, for example:
PLUGINS_CONFIG = {
    "nautobot_secrets_providers": {
        "cyberark": {
            "url": "https://cyberark.example.com",
            "token": "decinablesprewad",
            "username": "test",
            "password": "test",  # Either you put the token or the user/passwd here; if you put everything it will use the token by default
        }
    }
}
You can finally do the post_upgrade operation and restart Nautobot to take into account the modifications you made, and try the provider.
For the moment you can use that token, yes; I am looking into using the pyAIM library as suggested by @gsnider2195. Sorry for the inconvenience; we use an on-prem server that doesn't have that setup. We use a token that can be valid forever.
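As an added example (not code from this PR or from nautobot-secrets-providers), a small resolver that applies the precedence described above: the "cyberark" section of PLUGINS_CONFIG is read, NAUTOBOT_CYBERARK_* environment variables fill any empty key, a token wins over username/password when both are present, and a helper flags secrets that were pasted literally into nautobot_config.py. The https-only check on the URL is an assumption added here, not a rule from the plugin.

```python
import os
from typing import Mapping, Optional

# Hypothetical helper, not part of the plugin: mirrors the PLUGINS_CONFIG shape
# used in the thread and the env var names from the README snippet.
ENV_PREFIX = "NAUTOBOT_CYBERARK_"
KEYS = ("url", "token", "username", "password")


def _section(plugins_config: Mapping) -> Mapping:
    return plugins_config.get("nautobot_secrets_providers", {}).get("cyberark", {})


def load_cyberark_settings(plugins_config: Mapping,
                           environ: Optional[Mapping[str, str]] = None) -> dict:
    """Read the cyberark sub-dict; empty keys fall back to NAUTOBOT_CYBERARK_* env vars."""
    env = os.environ if environ is None else environ
    section = _section(plugins_config)
    settings = {}
    for key in KEYS:
        value = section.get(key) or env.get(ENV_PREFIX + key.upper())
        settings[key] = value or None
    return settings


def resolve_auth(settings: Mapping) -> dict:
    """Pick the auth method the way the thread describes: token first, then user/password."""
    url = settings.get("url")
    if not url:
        raise ValueError("cyberark.url is required")
    # Assumed check: the token or password travels in every request, so refuse plain http.
    if not url.startswith("https://"):
        raise ValueError("cyberark.url must use https")
    if settings.get("token"):
        return {"method": "token", "token": settings["token"]}
    if settings.get("username") and settings.get("password"):
        return {"method": "password",
                "username": settings["username"], "password": settings["password"]}
    raise ValueError("set cyberark.token, or both cyberark.username and cyberark.password")


def hardcoded_secrets(plugins_config: Mapping) -> list:
    """Keys whose secret value sits literally in nautobot_config.py instead of the environment."""
    section = _section(plugins_config)
    return sorted(key for key in ("token", "password") if section.get(key))
```

Running hardcoded_secrets() over a config is a quick way to catch the "dirty" test configuration before it is committed.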
Thanks @Never77. Unfortunately I ran out of time and I would need to resume this next week when I come back. I'll start to plan this for our lab instance.
No problem; meanwhile I'll do my research on pyAIM and look after the comments of this PR.
Hi @nathanielfernandez, were you able to make any progress on trying this out?
Hi Glenn, sorry I haven't tested yet. At this point I have to test if our account would work with the pyaim module. We're using Python's requests module to obtain a token that expires after 5 minutes from generation. I'm trying to talk with our IAM team to see if someone else has tried this module, and whether we could use a test token that doesn't expire like Never77's.
Seems there are different versions of CyberArk. And there are some differences with how we're set up. The one we're using on our end is Privilege Cloud (SaaS) and not on-prem. We also don't have the Central Credential Provider (CCP) license. Due to this, I would probably not be able to use pyaim on my end to test.
I believe this current code is for CyberArk's Privileged Access Manager (PAM) product. It does not have a Python SDK, hence needing to send API requests directly.
They also have a newer product called CyberArk Conjur. This product does include a Python SDK:
Open Source version docs: https://docs.cyberark.com/conjur-open-source/Latest/en/Content/Integrations/python.htm?tocpath=Developer%7CClient%20libraries%7C_____5
Enterprise version docs: https://docs.cyberark.com/conjur-enterprise/latest/en/Content/Integrations/python.htm?tocpath=Developer%7CClient%20libraries%7C_____5
The enterprise and open source versions look like they can have the same code; there's no difference between them.
We should probably handle both CyberArk products in this secrets provider.
Closes: #26
What's Changed
This PR adds the CyberARK AIM provider to the nautobot-secrets-providers package and lets the user retrieve a password from the PWVA of a self-hosted CyberARK instance.
To Do