Skip to content
This repository has been archived by the owner on Jan 12, 2024. It is now read-only.

Commit

Permalink
Merge pull request #6 from Nike-Inc/feature/configurable_token_ttl
Browse files Browse the repository at this point in the history
Make the Vault token ttl configurable
  • Loading branch information
fieldju authored Dec 12, 2016
2 parents 060bc03 + 3f0910e commit 57dc36a
Show file tree
Hide file tree
Showing 3 changed files with 76 additions and 28 deletions.
80 changes: 58 additions & 22 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,64 @@ That will setup the default policy and generate a token for CMS and output:

export VAULT_ADDR="http://localhost:8200"
export VAULT_TOKEN="<token>"

## Configuration

### Configurable Properties

There are a few parameters that need to be configured for CMS to run properly, they are defined in this table.

property | required | notes
--------------------------- | -------- | ----------
JDBC.url | Yes | The JDBC url for the mysql db
JDBC.username | Yes | The JDBC user name for the mysql db
JDBC.password | Yes | The JDBC JDBC.password for the mysql db
root.user.arn | Yes | The arn for the root AWS user, needed to make the KMS keys deletable.
admin.role.arn | Yes | The arn for an AWS user, needed to make the KMS keys deletable.
cms.role.arn | Yes | The arn for the Instance profile for CMS instances, so they can admin KMS keys that they create.
cms.admin.group | Yes | Group that user can be identified by to get admin privileges, currently this just enables users to access `/v1/stats` see API.md
cms.auth.connector | Yes | The user authentication connector implementation to use for user auth.
cms.user.token.ttl.override | No | By default user tokens are created with a TTL of 1h, you can override that with this param
cms.iam.token.ttl.override | No | By default IAM tokens are created with a TTL of 1h, you can override that with this param

For local dev see `Running CMS Locally`.

For deployed environments they are configured via the CLI, which will generate a props file and stuff it into S3 encrypted with KMS.

cerberus --debug \
-e demo \
-r us-west-2 \
create-cms-config \
--admin-group cerberus-admins \
-P cms.auth.connector=com.nike.cerberus.auth.connector.onelogin.OneLoginAuthConnector \
-P auth.connector.onelogin.api_region=us \
-P auth.connector.onelogin.client_id=$ONE_LOGIN_CLIENT_ID \
-P auth.connector.onelogin.client_secret=$ONE_LOGIN_CLIENT_SECRET \
-P auth.connector.onelogin.subdomain=nike

See [Creating an environment](http://engineering.nike.com/cerberus/docs/administration-guide/creating-an-environment) for more information.

CMS will download the props file at startup time and load the props into Guice.

### User Authentication

#### Auth Connector Interface

The User authentication contract is defined by the [AuthConnector](https://github.com/Nike-Inc/cerberus-management-service/blob/master/src/main/java/com/nike/cerberus/auth/connector/AuthConnector.java) interface.

The only included implementation of this interface targets
OneLogin. We expect to implement more connectors in the near future.

##### OneLogin Auth Connector

property | required | notes
------------------------------------- | -------- | ----------
auth.connector.onelogin.api_region | Yes | `us` or `eu`
auth.connector.onelogin.client_id | Yes | The OneLogin API client id
auth.connector.onelogin.client_secret | Yes | The OneLogin API client secret
auth.connector.onelogin.subdomain | Yes | Your orgs OneLogin subdomain [xxxxx].onelogin.com

**Assumption: The current implementation looks up group membership for a user via the member_of field on the getUserById API response.**

## Running CMS Locally

Expand Down Expand Up @@ -72,28 +130,6 @@ You'll need a few pieces of information before you can run the application:
cms.auth.connector=<YOUR AUTH CONNECTOR CLASS>
```

## User Authentication Configuration

## Auth Connector Interface

The User authentication contract is defined by the `AuthConnector` interface. The only included implementation of this interface targets
OneLogin. We expect to implement more connectors in the near future.

#### OneLogin Auth Connector

The following properties must be defined:

# Auth Connector
cms.auth.connector=com.nike.cerberus.auth.connector.onelogin.OneLoginAuthConnector

# OneLogin Auth Connector Properties
auth.connector.onelogin.api_region=<us or eu>
auth.connector.onelogin.client_id=<OneLogin API client ID>
auth.connector.onelogin.client_secret=<OneLogin API client secret>
auth.connector.onelogin.subdomain=<your orgs onelogin subdomain>

**Assumption: The current implementation looks up group membership for a user via the member_of field on the getUserById API response.**

### From the IDE

Simply run `com.nike.cerberus.Main`. The following VM arguments should be set:
Expand Down
2 changes: 1 addition & 1 deletion gradle.properties
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,6 @@
# limitations under the License.
#

version=0.6.2
version=0.7.0
groupId=com.nike.cerberus
artifactId=cms
22 changes: 17 additions & 5 deletions src/main/java/com/nike/cerberus/service/AuthenticationService.java
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,9 @@
import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.common.collect.Maps;
import com.google.common.collect.Sets;
import com.google.inject.Inject;
import com.google.inject.Singleton;
import com.google.inject.name.Named;
import com.nike.backstopper.exception.ApiException;
import com.nike.cerberus.auth.connector.AuthConnector;
import com.nike.cerberus.auth.connector.AuthData;
Expand All @@ -52,9 +55,6 @@
import org.apache.commons.lang3.StringUtils;
import org.apache.http.HttpStatus;

import javax.inject.Inject;
import javax.inject.Named;
import javax.inject.Singleton;
import java.nio.ByteBuffer;
import java.nio.charset.Charset;
import java.util.List;
Expand All @@ -72,6 +72,10 @@ public class AuthenticationService {

public static final String ADMIN_GROUP_PROPERTY = "cms.admin.group";

public static final String USER_TOKEN_TTL_OVERRIDE = "cms.user.token.ttl.override";

public static final String IAM_TOKEN_TTL_OVERRIDE = "cms.iam.token.ttl.override";

public static final String LOOKUP_SELF_POLICY = "lookup-self";

public static final String DEFAULT_TOKEN_TTL = "1h";
Expand All @@ -87,6 +91,14 @@ public class AuthenticationService {
private final String adminGroup;
private final DateTimeSupplier dateTimeSupplier;

@Inject(optional=true)
@Named(USER_TOKEN_TTL_OVERRIDE)
String userTokenTTL = DEFAULT_TOKEN_TTL;

@Inject(optional=true)
@Named(IAM_TOKEN_TTL_OVERRIDE)
String iamTokenTTL = DEFAULT_TOKEN_TTL;

@Inject
public AuthenticationService(final SafeDepositBoxDao safeDepositBoxDao,
final AwsIamRoleDao awsIamRoleDao,
Expand Down Expand Up @@ -167,7 +179,7 @@ public IamRoleAuthResponse authenticate(IamRoleCredentials credentials) {
final VaultTokenAuthRequest tokenAuthRequest = new VaultTokenAuthRequest()
.setPolicies(policies)
.setMeta(meta)
.setTtl(DEFAULT_TOKEN_TTL)
.setTtl(iamTokenTTL)
.setNoDefaultPolicy(true);

final VaultAuthResponse authResponse = vaultAdminClient.createOrphanToken(tokenAuthRequest);
Expand Down Expand Up @@ -252,7 +264,7 @@ private VaultAuthResponse generateToken(final String username, final Set<String>
.setDisplayName(username)
.setPolicies(policies)
.setMeta(meta)
.setTtl(DEFAULT_TOKEN_TTL)
.setTtl(userTokenTTL)
.setNoDefaultPolicy(true);

return vaultAdminClient.createOrphanToken(tokenAuthRequest);
Expand Down

0 comments on commit 57dc36a

Please sign in to comment.