How do I assign a client to a keygroup?

Sasidhar Palaka

Aug 16, 2017, 10:03:19 PM
to keywhiz-users
Hi folks,

I was evaluating keywhiz for some of my company's production use.

I tried to work with defaults and development setup that is available in keywhiz and keywhiz-fs git repos.

1) On a linux box, I brought up the server, which is listening on 4444 using "server/src/main/resources/keywhiz-development.yaml.h2"

2) I pointed the keywhiz.cli to this locally running server and added a keygroup and a secret.

[palakas@heavenaive keywhiz]$ ~/kw.cli list secrets
password for 'stark':
favourite
[palakas@heavenaive keywhiz]$ ~/kw.cli list groups
pets
[palakas@heavenaive keywhiz]$

3) In a different window, I brought up keywhiz-fs using the default cert that's bundled in the repo

sudo ./keywhiz-fs --key fixtures/client.pem --ca fixtures/cacert.crt https://localhost:4444 /newsecrets

But there is nothing in /newsecrets

[palakas@heavenaive keywhiz-fs]$ cd /newsecrets/
[palakas@heavenaive newsecrets]$ ls -ltr
total 0
[palakas@heavenaive newsecrets]$

How do I assign the keywhiz-fs client to the keygroup "pets", so that it can read the "favourite" secret?

Thanks,
Sasi



Sasidhar Palaka

Aug 16, 2017, 10:06:57 PM
to keywhiz-users
Nevermind.

I managed to assign it this way:

[palakas@heavenaive keywhiz]$ ~/kw.cli list clients
client
[palakas@heavenaive keywhiz]$
[palakas@heavenaive keywhiz]$
[palakas@heavenaive keywhiz]$ ~/kw.cli assign client --name client --group pets
[palakas@heavenaive keywhiz]$

and was able to see it on the keywhiz-fs's mount point.

Thanks,
Sasi.

Matthew McPherrin

Aug 16, 2017, 10:11:04 PM
to Sasidhar Palaka, keywhiz-users
Assign the client and the secret to the group like

./kw.cli assign client --name yourclient --group pets

./kw.cli assign secret --name favourite --group pets

To find the name of your client to use in the first command you can do

./kw.cli list clients

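The two `assign` commands above, wrapped in a small shell script as an added example (not code from the thread or from the Keywhiz project). It assumes the CLI is reachable through `KW_CLI` (defaulting to the `~/kw.cli` wrapper the thread uses) and that `kw.cli list clients|secrets|groups` prints one name per line, as the listings in the thread show. The extra step it adds is to confirm the client, secret and group names all exist before granting anything, so a typo in a name fails loudly instead of silently doing nothing.

```shell
#!/bin/sh
# Added example: grant a client access to a secret by putting both into a
# Keywhiz group, after checking the names exist. Not from the thread.
# KW_CLI is an assumption: path to the keywhiz CLI wrapper (~/kw.cli here).
set -eu

KW_CLI="${KW_CLI:-${HOME:-.}/kw.cli}"

# kw_exists KIND NAME: exit 0 if NAME is one of the lines printed by
# `kw.cli list KIND` (KIND is clients, secrets or groups).
# Output is captured first so a short read never breaks the CLI pipeline.
kw_exists() {
  kind="$1"; name="$2"
  listing="$("$KW_CLI" list "$kind")"
  printf '%s\n' "$listing" | grep -qxF -- "$name"
}

# grant_secret_to_client CLIENT SECRET GROUP: put CLIENT and SECRET into
# GROUP. Refuses (exit 1) and grants nothing if any name is unknown.
grant_secret_to_client() {
  client="$1"; secret="$2"; group="$3"
  kw_exists clients "$client" || { echo "unknown client: $client" >&2; return 1; }
  kw_exists secrets "$secret" || { echo "unknown secret: $secret" >&2; return 1; }
  kw_exists groups  "$group"  || { echo "unknown group: $group"   >&2; return 1; }
  "$KW_CLI" assign client --name "$client" --group "$group"
  "$KW_CLI" assign secret --name "$secret" --group "$group"
}

# Usage with the names from the thread:
#   grant_secret_to_client client favourite pets
```

Run it after `kw.cli login` (the thread shows the CLI prompting for a password), then check the keywhiz-fs mount point for the secret.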

Sasidhar Palaka

Aug 18, 2017, 10:46:19 AM
to keywhiz-users, psas...@gmail.com
Thanks, Matthew, for the quick response.

A few quick follow-up questions.

1) Tenancy support. While trying things out, I didn't notice any support for tenancy. Is this correct? For example, if Bob creates a key group called "pets" and assigns secrets and clients to it, and then Alice, another admin, is added to the server, Alice can create a new key group "sports" and assign secrets and clients to it. However, Alice can also add clients and secrets to "pets", and Bob can modify "sports" as well. Is this how it is supposed to work? Or is there a feature to restrict users to certain key groups automatically? For example, is there any support for any user to come in and create a key group, but once a key group is created, only authorized admins for that key group can manipulate the keys and clients in it?

2) I am able to add new admins via "add-user" command on the server. Is there a way to see all the admins in the system? Do we need to go to the database for this?

3) Rotating secrets. I updated a secret. And keywhiz-fs didn't reflect the updated secret until I restarted the process. Is this expected?

4) Is there a UI for this project?

Thanks,
Sasi.

Matthew McPherrin

Aug 19, 2017, 2:27:50 AM
to Sasidhar Palaka, keywhiz-users
Tenancy: not built into keywhiz. The admin users have full access. We may add more features in the future. Most production keywhiz users have some external system for managing access control.

Keywhiz-fs is deprecated. It'll cache secrets for at least an hour. There's a dot file you can remove to clear the cache. The cache behavior in keysync handles updates better.

There is no UI.
