sscarduzio / elasticsearch-readonlyrest-plugin

Free Elasticsearch security plugin and Kibana security plugin: super-easy Kibana multi-tenancy, Encryption, Authentication, Authorization, Auditing
https://readonlyrest.com
GNU General Public License v3.0
952 stars 166 forks

Vault authentication planned ? #323

Open LordFPL opened 6 years ago

LordFPL commented 6 years ago

Hello, we use Vault (Hashicorp) more and more in our company, and I wonder if an integration of this type is planned? I am starting to test authentication under readonlyrest, and am a bit embarrassed on the password side with the two main ones:

Vault on the other hand, from my point of view, will allow:

For now ldap authentication will in any case allow us to do many things (thank you for this plugin! :)), but I'll be curious to know your opinion on this possible evolution.

Thx in advance.

sscarduzio commented 6 years ago

I'm pretty sure that with a minimum of devops skills you can wrap the ROR deployment and hook the decoded secrets into environment variables, which are, by the way, supported in readonlyrest.yml.

What do you think?
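The wrapping approach described in the comment above, as an added example that is not part of the plugin or of this thread: a start-up script that logs in to Vault with AppRole, reads a password from a KV secret, exports it as an environment variable and only then execs Elasticsearch, so the secret never lands in readonlyrest.yml on disk. It assumes readonlyrest.yml can reference the variable with the `${ROR_INDEXER_PASS}` syntax (for example inside an `auth_key` rule), that a KV secret exists at `secret/ror/indexer` with a `password` field, and that `VAULT_ADDR`, `ROLE_ID` and `SECRET_ID` are injected by the scheduler; the paths and variable names are hypothetical. The `check_secret_env` function is the check a practitioner wants here: if the Vault read fails silently, ROR would otherwise expand an empty password, so the script fails closed instead of starting.

```shell
#!/bin/sh
# Added example (not readonlyrest's own code): start Elasticsearch with ROR
# secrets pulled from Vault into environment variables at boot time.
#
# Assumptions (not confirmed by the issue thread):
#   - readonlyrest.yml references the secret as ${ROR_INDEXER_PASS}
#   - a KV secret exists at secret/ror/indexer with a "password" field
#   - VAULT_ADDR, ROLE_ID and SECRET_ID are provided by the scheduler (Nomad)
set -eu

# Log in with AppRole; -field=token prints only the client token.
vault_login() {
  VAULT_TOKEN="$(vault write -field=token auth/approle/login \
      role_id="$ROLE_ID" secret_id="$SECRET_ID")"
  export VAULT_TOKEN
}

# Read one field of a KV secret as a raw value (no JSON wrapping).
# $1 = secret path, $2 = field name
fetch_secret_field() {
  vault kv get -field="$2" "$1"
}

# Fail closed: every variable that readonlyrest.yml expands must be set and
# non-empty, otherwise ROR would see an empty password (or a literal "${...}").
# Returns 0 when all are present, 1 when any is missing or empty.
check_secret_env() {
  missing=0
  for name in "$@"; do
    # Indirect lookup in POSIX sh; names come only from our own fixed list.
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "missing or empty secret variable: $name" >&2
      missing=1
    fi
  done
  return "$missing"
}

main() {
  vault_login
  ROR_INDEXER_PASS="$(fetch_secret_field secret/ror/indexer password)"
  export ROR_INDEXER_PASS
  # Abort before starting the node if the secret did not arrive.
  check_secret_env ROR_INDEXER_PASS
  # exec so Elasticsearch inherits the environment and the wrapper's PID.
  exec /usr/share/elasticsearch/bin/elasticsearch "$@"
}

# Run the entry point only when this file is executed under its script name,
# so the functions can also be sourced and exercised on their own.
case "${0##*/}" in
  ror-wrapper.sh) main "$@" ;;
esac
```

Save it as `ror-wrapper.sh` and point the Nomad task at it instead of the Elasticsearch binary. Passing the secret through the environment rather than the command line keeps it out of `ps` output, and because the script uses `exec`, only one process ever holds the token; with `set -eu`, any failing Vault call stops the start-up before a half-configured node comes online.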

sscarduzio commented 6 years ago

@LordFPL or did you mean implementing vault as a runtime authentication connector like we have LDAP?

LordFPL commented 6 years ago

Hello,

Sorry for the late answer. Yes, I mean a runtime authentication like LDAP. I actually run an Elasticsearch cluster with Nomad, and all config is already taken via Vault (readonlyrest.yml and the Elasticsearch config file are generated via dynamic vars). My main "problem" (it's not a very critical problem ;)) is that the two main auth methods in readonlyrest are not totally satisfying me... login/pass in conf is too static... and LDAP is mainly (imho) for "humans". I already use Vault for other usages, and I love the AppRole method for apps, and all the possible auditing with it. That's why I ask your opinion about this future feature :)

Thx for your time and all you have already done :)

sscarduzio commented 6 years ago

Got it, and it's quite an interesting idea. Too bad I didn't find any asynchronous Vault library for Java. 🤦🏻‍♂️

LordFPL commented 6 years ago

In my case, I can find a solution with a watch for changes in Vault... and regenerate the readonlyrest config... but if I understand well, hot reload is not possible?

For information, I read a post on the Hashicorp page about an integration with JWT (https://www.hashicorp.com/blog/secure-kubernetes-deployments-vault-banzai-cloud)... but I'm not a developer... and I don't understand JWT tokens well...

In all case, thx for reading :)