Trapperkeeper TK-293

tk-auth should support x.509 extensions for authentication instead of just certname

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Normal
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: PE 2016.2.0
    • Component/s: None
    • Labels: None
    • Story Points: 5
    • Sprint: Server Jade 2016-03-23, Server Jade 2016-04-06, Server Jade 2016-04-20

      Description

      Summary

      tk-auth should allow auth rules that match on CSR attributes (aka SSL Extensions) instead of just certname. tk-auth's service should accept a mapping of OID to short names that can be used to define the auth rules.

      In Scope

      • Ability to provide the tk-auth service with a map of OID -> shortname
      • Ability to set an :allow or :deny stanza to use a map of shortnames (or raw OIDs) to values instead of just a hostname
      • Extracting a certificate's extensions as part of tk-auth middleware and translating them from OID -> shortname using the provided mapping
      • Affordance for an empty mapping
      • Failing fast if a given extension key in the auth rules can't be found as a shortname in the OID -> shortname mapping AND isn't a valid OID

      Out of Scope

      • Supporting any shortnames beyond those in the mapping passed to tk-auth's service. This includes puppet's shortnames; such mappings must be supplied by consumers of tk-auth (like puppet server).
      • Wildcard/pattern matching on extension values

      Bonus Round

      There is still dead-code detritus left over from when tk-auth was originally adopted from the community. It should be cleaned up as needed while implementing this new functionality.

      Design

      The following are all valid values for allow or deny in the auth conf. Note that the puppet shortnames used below (pp_role, pp_environment) are not supported by tk-auth natively; they must be passed in through the OID -> shortname mapping.

      # classic
      "node.foo.com"

      # simple csr attr case
      {attrs: {pp_role: compile_master}}

      # complex csr attr case
      {attrs: {pp_role: [compile_master, console],
               pp_environment: pe_inf}}

      # mix
      ["node.foo.com",
       "node.bar.com",
       {attrs: {pp_role: compile_master}}]
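The rule shapes above, worked through as an added example that is not tk-auth's own code: a rule is normalized at config-load time (failing fast on an unknown extension key, with raw OIDs accepted so an empty mapping still works) and then matched against the extensions extracted from a client certificate. The OIDs, certname and extension values are constructed samples, and the matching semantics (AND across attrs keys, OR across a list of values, exact comparison) are assumed.

```python
import re

OID_RE = re.compile(r"^\d+(\.\d+)+$")  # dotted-decimal OID, e.g. 1.3.6.1.4.1.x.y

# Constructed sample data (not from the ticket): the OID -> shortname map handed to
# the tk-auth service, and the extensions the middleware would pull from one cert.
OID_MAP = {"1.3.6.1.4.1.99999.1.13": "pp_role",
           "1.3.6.1.4.1.99999.1.12": "pp_environment"}
CERT_EXTS = {"1.3.6.1.4.1.99999.1.13": "compile_master",
             "1.3.6.1.4.1.99999.1.12": "pe_inf"}

def compile_rule(rule, oid_map):
    """Normalize one allow/deny value when the auth conf is loaded.

    Hostnames stay strings; {attrs: {...}} becomes {"attrs": {oid: [values]}};
    lists are compiled element-wise.  An attrs key that is neither a shortname in
    oid_map nor a raw OID raises ValueError immediately (the fail-fast case), so a
    bad rule is rejected before any request is evaluated.
    """
    if isinstance(rule, list):
        return [compile_rule(r, oid_map) for r in rule]
    if isinstance(rule, str):
        return rule
    short_to_oid = {short: oid for oid, short in oid_map.items()}
    attrs = {}
    for key, wanted in rule["attrs"].items():
        if key in short_to_oid:
            oid = short_to_oid[key]
        elif OID_RE.match(key):
            oid = key
        else:
            raise ValueError(f"extension key {key!r} is neither a mapped shortname nor an OID")
        attrs[oid] = wanted if isinstance(wanted, list) else [wanted]
    return {"attrs": attrs}

def rule_matches(compiled, certname, cert_exts):
    """Evaluate a compiled rule for one request.

    A list matches if any element matches; a string is an exact certname
    comparison; an attrs rule matches only when every listed extension is present
    on the cert with one of the permitted values (no wildcards, per the ticket).
    """
    if isinstance(compiled, list):
        return any(rule_matches(r, certname, cert_exts) for r in compiled)
    if isinstance(compiled, str):
        return compiled == certname
    return all(cert_exts.get(oid) in allowed for oid, allowed in compiled["attrs"].items())
```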

        People

        • Assignee: Erik Dasher (erik)
        • Reporter: Chris Barker (cbarker)
        • QA Contact: Erik Dasher
        • Votes: 0
        • Watchers: 20
