[
https://issues.apache.org/jira/browse/GUACAMOLE-2196?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18082551#comment-18082551
]
David Bateman commented on GUACAMOLE-2196:
------------------------------------------
I hijacked to issues for another PR based on this code but additionally
allowing several other Vault secret engines. See
[#1214|https://github.com/apache/guacamole-client/pull/1214]
> OpenBao Vault Integration Extension
> -----------------------------------
>
> Key: GUACAMOLE-2196
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-2196
> Project: Guacamole
> Issue Type: New Feature
> Components: guacamole-vault
> Reporter: Subba Reddy Alamuru
> Priority: Major
> Labels: pull-request-available
>
> Add OpenBao Vault integration extension for Apache Guacamole
>
> *Description:*
>
> This enhancement adds a new vault integration extension that enables Apache
> Guacamole to retrieve connection credentials from OpenBao
> ([https://openbao.org/]) at connection time, eliminating the need for users
> to manually enter passwords.
>
> *Overview:*
>
> OpenBao is an open-source fork of HashiCorp Vault that provides secrets
> management capabilities. This extension integrates Guacamole with OpenBao's
> KV v2 secrets engine, automatically retrieving credentials when users connect
> to remote desktop sessions.
>
> *Key Features:*
> * Automatic credential retrieval from OpenBao KV v2 secrets engine
> * Token-based resolution using {{{}$\{OPENBAO_SECRET{}}}} and
> {{{}$\{GUAC_USERNAME{}}}} patterns
> * Simple configuration via guacamole.properties
> * Username-based secret path mapping
> * Secure token-based authentication with OpenBao API
> * Docker container support with {{OPENBAO_}} environment variable prefix
> *Implementation Details:*
>
> The extension follows the existing guacamole-vault-base framework pattern
> (similar to the KSM extension) and includes:
> * OpenBaoAuthenticationProvider - Main authentication provider
> * OpenBaoSecretService - Implements token resolution and secret retrieval
> * OpenBaoClient - HTTP client for OpenBao REST API communication
> * OpenBaoConfigurationService - Configuration management
> * Support classes for directory and attribute services
> *Configuration:*
>
> Required properties in guacamole.properties:
> {{openbao-server-url:
> [http://openbao.example.com:8200|http://openbao.example.com:8200/]}}
> {{openbao-token: s.YourTokenHere}}
> openbao-mount-path: guacamole-credentails
> *Usage Example:*
>
> When creating a connection, use token patterns:
> * Username: {{{}$\{GUAC_USERNAME{}}}}
> * Password: {{{}$\{OPENBAO_SECRET{}}}}
> The extension maps Guacamole usernames to OpenBao secret paths:
> {{Guacamole username: "john"}}
> {{OpenBao secret path: /v1/guacamole-credentails/data/john}}
> *Technical Specifications:*
> * Language: Java
> * HTTP Client: Apache HttpClient 5.2.1
> * JSON Parser: Gson 2.10.1
> * Secrets Engine: OpenBao KV v2
> * Connection Timeout: 5000ms (hardcoded)
> * Request Timeout: 10000ms (hardcoded)
> *Files Modified/Added:*
> * {{extensions/guacamole-vault/pom.xml}} - Added openbao module
> * {{extensions/guacamole-vault/modules/guacamole-vault-openbao/*}} - New
> extension module
> * {{guacamole-docker/build.d/010-map-guacamole-extensions.sh}} - Added
> Docker mapping
> *Testing Performed:*
> * Successful Maven build with Apache RAT license validation
> * Successful compilation with {{-Werror}} flag
> * Manual testing with OpenBao dev server
> * Verification of token resolution and credential retrieval
> *Security Considerations:*
> * Uses token-based authentication with OpenBao
> * Supports HTTPS for production deployments
> * Follows principle of least privilege for token permissions
> * Audit logging recommended via OpenBao audit backend
> *Documentation:*
>
> Comprehensive README.md included with:
> * Installation instructions
> * Configuration examples
> * Troubleshooting guide
> * Security best practices
> * Example deployment scenario
> *Compatibility:*
> * Guacamole Version: 1.6.x
> * OpenBao Version: 2.0.0+ (tested with 2.4.4)
> * Java Version: 21+
> *Benefits:*
> * Centralizes credential management in OpenBao
> * Reduces password fatigue for end users
> * Enables credential rotation without user intervention
> * Provides audit trail for credential access
> * Follows established Guacamole vault extension patterns
--
This message was sent by Atlassian Jira
(v8.20.10#820010)