[jira] [Commented] (KNOX-1687) Hashicorp Vault alias credential provider
[ https://issues.apache.org/jira/browse/KNOX-1687?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16782869#comment-16782869 ] Kevin Risden commented on KNOX-1687: PR now contains looking up tokens in the local alias service and integrates with the RemoteAliasService through the service loader from KNOX-1789. > Hashicorp Vault alias credential provider > - > > Key: KNOX-1687 > URL: https://issues.apache.org/jira/browse/KNOX-1687 > Project: Apache Knox > Issue Type: Improvement >Reporter: Kevin Risden >Assignee: Kevin Risden >Priority: Major > Fix For: 1.3.0 > > Attachments: KNOX-1687.patch, KNOX-1687.patch > > Time Spent: 1h 50m > Remaining Estimate: 0h > > Hashicorp Vault remote alias service provider > * [https://www.vaultproject.io/] > * [https://www.vaultproject.io/api/libraries.html#java] -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (KNOX-1687) Hashicorp Vault alias credential provider
[ https://issues.apache.org/jira/browse/KNOX-1687?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16777306#comment-16777306 ] Kevin Risden commented on KNOX-1687: PR updated based on KNOX-1789 > Hashicorp Vault alias credential provider > - > > Key: KNOX-1687 > URL: https://issues.apache.org/jira/browse/KNOX-1687 > Project: Apache Knox > Issue Type: Improvement >Reporter: Kevin Risden >Assignee: Kevin Risden >Priority: Major > Fix For: 1.3.0 > > Attachments: KNOX-1687.patch, KNOX-1687.patch > > Time Spent: 1h > Remaining Estimate: 0h > > Hashicorp Vault remote alias service provider > * [https://www.vaultproject.io/] > * [https://www.vaultproject.io/api/libraries.html#java] -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (KNOX-1687) Hashicorp Vault alias credential provider
[ https://issues.apache.org/jira/browse/KNOX-1687?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16774187#comment-16774187 ] Kevin Risden commented on KNOX-1687: Need to refactor RemoteAliasService - KNOX-1789 > Hashicorp Vault alias credential provider > - > > Key: KNOX-1687 > URL: https://issues.apache.org/jira/browse/KNOX-1687 > Project: Apache Knox > Issue Type: Improvement >Reporter: Kevin Risden >Assignee: Kevin Risden >Priority: Major > Fix For: 1.3.0 > > Attachments: KNOX-1687.patch, KNOX-1687.patch > > Time Spent: 40m > Remaining Estimate: 0h > > Hashicorp Vault alias credential provider - more details to be added > * https://www.vaultproject.io/ > * https://www.vaultproject.io/api/libraries.html#java -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (KNOX-1687) Hashicorp Vault alias credential provider
[ https://issues.apache.org/jira/browse/KNOX-1687?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16772368#comment-16772368 ] Kevin Risden commented on KNOX-1687: Pushed changes to handle: * Check error handling if permission denied/etc from Vault * Handle arbitrary prefix to be nested down inside an existing KV path (ie: /clusters/cluster1/services/knox/...) Looking at integrating with RemoteAliasService. Looks like need to extract the ZK specific handling first. > Hashicorp Vault alias credential provider > - > > Key: KNOX-1687 > URL: https://issues.apache.org/jira/browse/KNOX-1687 > Project: Apache Knox > Issue Type: Improvement >Reporter: Kevin Risden >Assignee: Kevin Risden >Priority: Major > Fix For: 1.3.0 > > Attachments: KNOX-1687.patch, KNOX-1687.patch > > Time Spent: 40m > Remaining Estimate: 0h > > Hashicorp Vault alias credential provider - more details to be added > * https://www.vaultproject.io/ > * https://www.vaultproject.io/api/libraries.html#java -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (KNOX-1687) Hashicorp Vault alias credential provider
[ https://issues.apache.org/jira/browse/KNOX-1687?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16768618#comment-16768618 ] Kevin Risden commented on KNOX-1687: TODO - Integrate with RemoteAliasService to be able to tie everything together. > Hashicorp Vault alias credential provider > - > > Key: KNOX-1687 > URL: https://issues.apache.org/jira/browse/KNOX-1687 > Project: Apache Knox > Issue Type: Improvement >Reporter: Kevin Risden >Assignee: Kevin Risden >Priority: Major > Fix For: 1.3.0 > > Attachments: KNOX-1687.patch, KNOX-1687.patch > > Time Spent: 20m > Remaining Estimate: 0h > > Hashicorp Vault alias credential provider - more details to be added > * https://www.vaultproject.io/ > * https://www.vaultproject.io/api/libraries.html#java -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (KNOX-1687) Hashicorp Vault alias credential provider
[ https://issues.apache.org/jira/browse/KNOX-1687?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16768616#comment-16768616 ] Kevin Risden commented on KNOX-1687: Reference: [https://docs.spring.io/spring-vault/docs/2.1.1.RELEASE/reference/html/#vault.core.authentication] Uploaded patch that supports Token and Kubernetes authentication. Provides a mechanism for making this configurable as well. Worked around issues with delete in a versioned KV to ensure that there is value for every key. List returns keys that have been soft deleted. > Hashicorp Vault alias credential provider > - > > Key: KNOX-1687 > URL: https://issues.apache.org/jira/browse/KNOX-1687 > Project: Apache Knox > Issue Type: Improvement >Reporter: Kevin Risden >Assignee: Kevin Risden >Priority: Major > Fix For: 1.3.0 > > Attachments: KNOX-1687.patch, KNOX-1687.patch > > > Hashicorp Vault alias credential provider - more details to be added > * https://www.vaultproject.io/ > * https://www.vaultproject.io/api/libraries.html#java -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (KNOX-1687) Hashicorp Vault alias credential provider
[ https://issues.apache.org/jira/browse/KNOX-1687?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16748906#comment-16748906 ] Kevin Risden commented on KNOX-1687: Currently wired up to use TokenAuthentication. Looking into how to best make this configurable. Spring client supports lots of different authentication mechanisms. > Hashicorp Vault alias credential provider > - > > Key: KNOX-1687 > URL: https://issues.apache.org/jira/browse/KNOX-1687 > Project: Apache Knox > Issue Type: Improvement >Reporter: Kevin Risden >Assignee: Kevin Risden >Priority: Major > Fix For: 1.3.0 > > Attachments: KNOX-1687.patch > > > Hashicorp Vault alias credential provider - more details to be added > * https://www.vaultproject.io/ > * https://www.vaultproject.io/api/libraries.html#java -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (KNOX-1687) Hashicorp Vault alias credential provider
[ https://issues.apache.org/jira/browse/KNOX-1687?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16748754#comment-16748754 ] Kevin Risden commented on KNOX-1687: Attached a WIP patch that shows we can test this with testcontainers in Docker. If Docker is not installed/running, the test is skipped. Still need to iron out the piping for this to get it picked up. > Hashicorp Vault alias credential provider > - > > Key: KNOX-1687 > URL: https://issues.apache.org/jira/browse/KNOX-1687 > Project: Apache Knox > Issue Type: Improvement >Reporter: Kevin Risden >Assignee: Kevin Risden >Priority: Major > Fix For: 1.3.0 > > Attachments: KNOX-1687.patch > > > Hashicorp Vault alias credential provider - more details to be added > * https://www.vaultproject.io/ > * https://www.vaultproject.io/api/libraries.html#java -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (KNOX-1687) Hashicorp Vault alias credential provider
[ https://issues.apache.org/jira/browse/KNOX-1687?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16745284#comment-16745284 ] Kevin Risden commented on KNOX-1687: Hmmm well my message was entirely unclear. BetterCloud is the maker of one of the Java clients that Hashicorp links to. The BetterCloud Java client only supports the v1 endpoint for Vault and not v2. v2 endpoint is currently default so it was painful to get started. Spring client supports v1 and v2 as well as more authentication mechanisms. I haven't figured out the credentials yet just been playing around with the clients to see what and how they work. > Hashicorp Vault alias credential provider > - > > Key: KNOX-1687 > URL: https://issues.apache.org/jira/browse/KNOX-1687 > Project: Apache Knox > Issue Type: Improvement >Reporter: Kevin Risden >Assignee: Kevin Risden >Priority: Major > Fix For: 1.3.0 > > > Hashicorp Vault alias credential provider - more details to be added > * https://www.vaultproject.io/ > * https://www.vaultproject.io/api/libraries.html#java -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (KNOX-1687) Hashicorp Vault alias credential provider
[ https://issues.apache.org/jira/browse/KNOX-1687?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16740877#comment-16740877 ] Larry McCay commented on KNOX-1687: --- Interesting. What does the Spring client do for this and what credentials will be used? What is the cloud library and how is it better if it hasn't been kept up to date? :) > Hashicorp Vault alias credential provider > - > > Key: KNOX-1687 > URL: https://issues.apache.org/jira/browse/KNOX-1687 > Project: Apache Knox > Issue Type: Improvement >Reporter: Kevin Risden >Assignee: Kevin Risden >Priority: Major > Fix For: 1.3.0 > > > Hashicorp Vault alias credential provider - more details to be added > * https://www.vaultproject.io/ > * https://www.vaultproject.io/api/libraries.html#java -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (KNOX-1687) Hashicorp Vault alias credential provider
[ https://issues.apache.org/jira/browse/KNOX-1687?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16740786#comment-16740786 ] Kevin Risden commented on KNOX-1687: Spring client has the features necessary to make this work. The better cloud library hasn't been kept up to date. Looking at hooking this into the alias service. > Hashicorp Vault alias credential provider > - > > Key: KNOX-1687 > URL: https://issues.apache.org/jira/browse/KNOX-1687 > Project: Apache Knox > Issue Type: Improvement >Reporter: Kevin Risden >Assignee: Kevin Risden >Priority: Major > Fix For: 1.3.0 > > > Hashicorp Vault alias credential provider - more details to be added > * https://www.vaultproject.io/ > * https://www.vaultproject.io/api/libraries.html#java -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (KNOX-1687) Hashicorp Vault alias credential provider
[ https://issues.apache.org/jira/browse/KNOX-1687?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16737474#comment-16737474 ] Kevin Risden commented on KNOX-1687: Need to think about how to authenticate to vault itself from Knox. Currently for Zookeeper we use kerberos which isn't an option for Vault. > Hashicorp Vault alias credential provider > - > > Key: KNOX-1687 > URL: https://issues.apache.org/jira/browse/KNOX-1687 > Project: Apache Knox > Issue Type: Improvement >Reporter: Kevin Risden >Assignee: Kevin Risden >Priority: Major > Fix For: 1.3.0 > > > Hashicorp Vault alias credential provider - more details to be added > * https://www.vaultproject.io/ > * https://www.vaultproject.io/api/libraries.html#java -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (KNOX-1687) Hashicorp Vault alias credential provider
[ https://issues.apache.org/jira/browse/KNOX-1687?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16736195#comment-16736195 ] Kevin Risden commented on KNOX-1687: Have Vault running in Docker locally so can try testing connecting Knox to it and see what happens. > Hashicorp Vault alias credential provider > - > > Key: KNOX-1687 > URL: https://issues.apache.org/jira/browse/KNOX-1687 > Project: Apache Knox > Issue Type: Improvement >Reporter: Kevin Risden >Assignee: Kevin Risden >Priority: Major > Fix For: 1.3.0 > > > Hashicorp Vault alias credential provider - more details to be added > * https://www.vaultproject.io/ > * https://www.vaultproject.io/api/libraries.html#java -- This message was sent by Atlassian JIRA (v7.6.3#76005)
