How to map a TLS cert login to an identity entity


Thomas Müller

Apr 26, 2018, 2:10:23 AM
to Vault
Hi

After reading https://www.vaultproject.io/docs/secrets/identity/index.html and https://www.vaultproject.io/api/secret/identity/index.html I don't know how I can map a TLS cert login to an identity.

I can observe that an identity entity and an identity entity alias automatically get created when a TLS cert login happens. The name of the entity alias is some longish number, and I don't know what it represents.

What I know beforehand is the CN of the cert; this is what I'd like to use to create a mapping. Is this possible?

In general, if somebody has examples of how to add/manage entities and entity aliases, I would be very keen to have a look at them.

- Thomas

Jeff Mitchell

Apr 26, 2018, 10:14:01 AM
to Vault
Hi Thomas,

The CN of the cert is used as the alias. Any chance you can provide the client cert (not private key) and output of the lookup of the entity alias?

Best,
Jeff

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/eccd182a-e305-43d4-96f0-b4ee1e8cdede%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Thomas Mueller

Apr 26, 2018, 11:27:31 AM
to vault...@googlegroups.com
Hey Jeff

> The CN of the cert is used as the alias. Any chance you can provide the client cert (not private key) and output of the lookup of the entity alias?

Unfortunately I'm now out of office for 2 weeks. But what I remember is that after vault login -method cert the output contained the common name (something like token_meta_common_name = $FQDN). Therefore the common name has to be read correctly.

I think I'll set up some Vault on my notebook to do some testing and then report back.

- Thomas

Jeff Mitchell

Apr 26, 2018, 11:30:09 AM
to Vault
Hi Thomas,

Metadata embedded into tokens isn't the same as the alias used for Identity. No rush though -- we'll figure it out when you're back!

Best,
Jeff


Thomas Mueller

Apr 27, 2018, 1:13:16 AM
to vault...@googlegroups.com

Hey jeff

I've created a Vault playground https://github.com/vinzent/vault-playground (config.hcl, bootstrap.sh, env, init-auth-cert.sh). In reality it's an MS PKI, but here I'm using the easy-rsa scripts.

> The CN of the cert is used as the alias. Any chance you can provide the client cert (not private key) and output of the lookup of the entity alias?

The client cert used in the example below: https://github.com/vinzent/vault-playground/blob/master/pki/issued/client.local.crt

Here is the output of the commands I used to query the auto-created entity/entity-alias mappings:


$ VAULT_TOKEN="" ./vault login -method cert
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                            Value
---                            -----
token                          c0b6ebe3-f664-4c33-8b28-52e3d9dbb4ac
token_accessor                 bd3c2e36-6bc6-74f4-2db9-49aec133fa95
token_duration                 1h
token_renewable                true
token_policies                 [default]
token_meta_subject_key_id      6b:45:30:be:45:f0:3c:14:f6:20:d0:3e:2b:ab:cf:94:49:89:71:37
token_meta_authority_key_id    66:d2:12:c1:6f:fd:04:6e:82:b2:38:c0:9e:3f:46:b2:32:6e:63:e7
token_meta_cert_name           easyrsa
token_meta_common_name         client.local

$ ./vault list identity/entity-alias/id
Keys
----
3e708e90-6c13-d5cb-2285-5581c6803af0

$ ./vault read identity/entity-alias/id/3e708e90-6c13-d5cb-2285-5581c6803af0
Key                          Value
---                          -----
canonical_id                 edf4d514-b83d-99b4-dce3-0f87a04bf0cc
creation_time                2018-04-26T16:04:27.338728401Z
id                           3e708e90-6c13-d5cb-2285-5581c6803af0
last_update_time             2018-04-26T16:04:27.338728401Z
merged_from_canonical_ids    <nil>
metadata                     <nil>
mount_accessor               auth_cert_6789a1c8
mount_path                   auth/cert/
mount_type                   cert
name                         3


I've learned now that the entity-alias name attribute is the cert serial number. The client.local.crt was the third signed cert, and easy-rsa just counts from 1 up (which is IMHO not good practice). Anyway, this means I would need to know the serial number of every cert to create mappings?

Now trying to pre-create the mapping. I deleted the auto-created entries and then:

$ ./vault write identity/entity name=host-client.local
Key        Value
---        -----
aliases    <nil>
id         dadf932f-9d67-9ffb-a3d8-008be657451e

Creating the entity alias - first difficulty: how would I know the mount_accessor value without logging in with some cert first? I would have known mount_path and mount_type, but not the mount_accessor, and those are not params of entity-alias.

$ ./vault write identity/entity-alias name=3 canonical_id=host-client.local mount_accessor=auth_cert_6789a1c8
Error writing data to identity/entity-alias: Error making API request.

URL: PUT https://127.0.0.1:8200/v1/identity/entity-alias
Code: 400. Errors:

* invalid entity ID


Bit weird to get the error "invalid entity id" if there is no entity id passed in the request. Does it mean canonical_id == entity id? I somehow expected canonical_id to be the entity name. Wouldn't entity_id then be a better name?

$ ./vault write identity/entity-alias name=3 canonical_id=dadf932f-9d67-9ffb-a3d8-008be657451e mount_accessor=auth_cert_6789a1c8
Key             Value
---             -----
canonical_id    dadf932f-9d67-9ffb-a3d8-008be657451e
id              9057fbbd-3226-8480-f088-4ee37350e4a9

$ VAULT_TOKEN="" ./vault login -method cert
...

Login worked, and no new entity/entity alias was created when listing entity/id and entity-alias/id :-)

Trying to look it up. I stumbled upon alias_name - I didn't make the connection to entity-alias right away.

$ ./vault write identity/lookup/entity alias_name=3 alias_mount_accessor=auth_cert_6789a1c8
Key                    Value
---                    -----
aliases                [map[creation_time:2018-04-27T04:49:02.416267859Z metadata:<nil> mount_accessor:auth_cert_6789a1c8 mount_path:auth/cert/ mount_type:cert name:3 canonical_id:dadf932f-9d67-9ffb-a3d8-008be657451e id:9057fbbd-3226-8480-f088-4ee37350e4a9 last_update_time:2018-04-27T04:49:02.416267859Z merged_from_canonical_ids:<nil>]]
creation_time          2018-04-27T04:42:21.976301486Z
direct_group_ids       []
disabled               false
group_ids              []
id                     dadf932f-9d67-9ffb-a3d8-008be657451e
inherited_group_ids    []
last_update_time       2018-04-27T04:49:02.416264224Z
merged_entity_ids      <nil>
metadata               <nil>
name                   host-client.local
policies               <nil>
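
The procedure Thomas walks through above (find the mount accessor, create the entity, create the alias with the entity ID as canonical_id, verify with identity/lookup/entity) as one script. This is an added example written for this thread, not code from the thread, the playground repo or HashiCorp. It assumes VAULT_ADDR and VAULT_TOKEN are set, that the cert method is mounted at auth/cert/, and that the alias name is the cert CN as Jeff states; on the build Thomas tested the alias name turned out to be the cert serial number, so confirm which you get by logging in once and reading the auto-created alias before relying on the CN. The mount accessor is read from sys/auth (what vault auth list -format=json prints), which answers the "how would I know the mount_accessor without logging in first" question. The sample sys/auth map used in the checks is constructed.

```python
"""Pre-create the identity entity + entity alias for a TLS-cert login.

Added example, not from the thread or from HashiCorp. Assumes VAULT_ADDR and
VAULT_TOKEN are set, the cert auth method is mounted at auth/cert/, and the
alias name is the cert CN (on the build Thomas tested it was the serial
number; check once with `vault login -method cert` and read the alias).
"""
import json
import os
import sys
import urllib.request


def find_mount_accessor(auth_list, mount_path="cert/"):
    """Pick one auth mount's accessor out of the body of GET /v1/sys/auth
    (the same map `vault auth list -format=json` prints). The identity API
    keys aliases by mount accessor, not by mount path, so this replaces the
    "log in once to learn the accessor" step from the thread."""
    mounts = auth_list.get("data", auth_list)  # API envelope or raw CLI map
    entry = mounts.get(mount_path) or mounts.get(mount_path.rstrip("/") + "/")
    if entry is None:
        raise KeyError("no auth method mounted at %s" % mount_path)
    return entry["accessor"]


def entity_payload(name, policies=(), metadata=None):
    """Body for POST /v1/identity/entity."""
    return {"name": name, "policies": list(policies), "metadata": metadata or {}}


def alias_payload(alias_name, canonical_id, mount_accessor):
    """Body for POST /v1/identity/entity-alias. canonical_id is the entity's
    ID, not its name; passing the name is what produced "invalid entity ID"
    in the thread."""
    return {"name": alias_name, "canonical_id": canonical_id,
            "mount_accessor": mount_accessor}


class Vault:
    """Minimal stdlib-only HTTP client for the few endpoints used here."""

    def __init__(self, addr=None, token=None):
        self.addr = (addr or os.environ["VAULT_ADDR"]).rstrip("/")
        self.token = token or os.environ["VAULT_TOKEN"]

    def call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            self.addr + "/v1/" + path, data=data, method=method,
            headers={"X-Vault-Token": self.token,
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}  # 204 (lookup miss) -> {}


def ensure_mapping(vault, cn, entity_name, policies=(), mount_path="cert/"):
    """Idempotently map alias `cn` on the cert mount to entity `entity_name`.
    Returns (entity_id, mount_accessor)."""
    accessor = find_mount_accessor(vault.call("GET", "sys/auth"), mount_path)

    found = vault.call("POST", "identity/lookup/entity", {"name": entity_name})
    if found.get("data"):
        entity_id = found["data"]["id"]
    else:
        created = vault.call("POST", "identity/entity",
                             entity_payload(entity_name, policies))
        entity_id = created["data"]["id"]

    # Same lookup Thomas used. If an alias with this name already exists on
    # the mount (e.g. auto-created by an earlier login), leave it alone
    # rather than create a second one.
    existing = vault.call("POST", "identity/lookup/entity",
                          {"alias_name": cn, "alias_mount_accessor": accessor})
    if not existing.get("data"):
        vault.call("POST", "identity/entity-alias",
                   alias_payload(cn, entity_id, accessor))
    return entity_id, accessor


if __name__ == "__main__":
    # usage: python map_cert_identity.py client.local host-client.local [policy ...]
    cert_cn, name = sys.argv[1], sys.argv[2]
    eid, acc = ensure_mapping(Vault(), cert_cn, name, policies=sys.argv[3:])
    print("entity %s (%s) <- alias %s on %s" % (name, eid, cert_cn, acc))
```

If the alias already exists but points at a different entity (for instance the auto-created one from a test login), the lookup finds that entity and the script does not re-point it; delete the auto-created alias first, as Thomas did, or merge the entities. The token used needs write access to identity/entity, identity/entity-alias and identity/lookup/entity plus read on sys/auth.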

Thomas Müller

Apr 27, 2018, 1:36:50 PM
to Vault


On Friday, 27 April 2018 at 07:13:16 UTC+2, Thomas Müller wrote:

> Hey jeff
>
> I've created a Vault playground https://github.com/vinzent/vault-playground (config.hcl, bootstrap.sh, env, init-auth-cert.sh). In reality it's an MS PKI, but here I'm using the easy-rsa scripts.
>
> > The CN of the cert is used as the alias. Any chance you can provide the client cert (not private key) and output of the lookup of the entity alias?

func pathLoginAliasLookahead seems to use the common name
https://github.com/hashicorp/vault/blob/master/builtin/credential/cert/path_login.go#L54

but here in func pathLogin SerialNumber is used https://github.com/hashicorp/vault/blob/master/builtin/credential/cert/path_login.go#L102

But I don't really know what this code is doing. :-) I added an entity alias with the common name as the name:

 ./vault write identity/entity-alias name=client.local canonical_id=dadf932f-9d67-9ffb-a3d8-008be657451e mount_accessor=auth_cert_6789a1c8

but it creates a new alias with the SN as the name.

- Thomas

Jeff Mitchell

Apr 27, 2018, 1:48:43 PM
to Vault
That's a bug!

Can you file a GitHub issue?

Thanks!
--Jeff


Thomas Mueller

Apr 27, 2018, 3:04:49 PM
to vault...@googlegroups.com


On 04/27/2018 07:48 PM, Jeff Mitchell wrote:
> That's a bug!
>
> Can you file a GitHub issue?
added: https://github.com/hashicorp/vault/issues/4475

- Thomas

Thomas Müller

May 4, 2018, 10:46:08 AM
to Vault

A fix got merged: https://github.com/hashicorp/vault/pull/4495

Thanks Jeff !



- Thomas