[PoC] Provide storage backend for HashiCorp Vault #128

Open
tiran opened this issue Mar 15, 2017 · 10 comments
Comments

@tiran
Member

tiran commented Mar 15, 2017

We would like to show how to integrate Custodia with existing secrets storage solutions such as HashiCorp Vault or the other solutions mentioned at https://medium.com/on-docker/secrets-and-lie-abilities-the-state-of-modern-secret-management-2017-c82ec9136a3d . Vault from HashiCorp is one of the well-known and established backends.

You can use https://github.com/latchset/custodia.ipa as a template for a HC Vault plugin.

@Alan-R

Alan-R commented Jul 6, 2017

I'm interested in this, and think I'll wind up needing it. Might wind up writing it. I'll keep in touch. Presumably this would use the HVAC Python API.

@tiran
Member Author

tiran commented Aug 7, 2017

@Alan-R we don't have any resources to work on a HashiCorp Vault plugin in the near future. But that doesn't have to stop you. Custodia is extensible and you can easily write your own external plugin. I opened #223 to document how to write a plugin.

@Alan-R

Alan-R commented Aug 7, 2017 via email

@Alan-R

Alan-R commented Aug 9, 2017 via email

@simo5
Member

simo5 commented Aug 9, 2017 via email

@Alan-R

Alan-R commented Aug 10, 2017 via email

@simo5
Member

simo5 commented Aug 10, 2017 via email

@simo5
Member

simo5 commented Aug 10, 2017

Eh of course open() -> connect() above.

@Alan-R

Alan-R commented Aug 10, 2017

Thanks much for showing me how that exploit works. Anything you can do to shorten that interval is good of course. But it sounds like that's all you can really do - except verify that the userid and argument list of the requestor matches that which Docker claims that it is. That information is "up to date" at that time. That increases the amount of information they have to know in order to fool you. They have to do it when they initially start, and when the request is made. It's likely they will fail a lot on the way to succeeding. If anyone looks at the audit/security logs that will stand out. Of course, it's not certain that they'll fail a lot, and it's not certain that anyone will look at the logs. Sadly, in many places, it's highly unlikely that anyone will notice.
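The check described in the comment above (compare the requesting process's uid and argument list with what the caller claims, once at connect time and again when the request arrives), written out as an added example. This is not code from the thread or from Custodia; it is a generic Linux sketch for a service listening on a Unix socket. It assumes the peer is identified with SO_PEERCRED and that /proc is readable for the peer's pid; the names PeerCred, PeerSnapshot, identity_matches and same_process, and the /proc contents in the SAMPLE_* constants, are constructed for the example.

```python
"""Point-in-time peer identity check for a secrets service on a Unix socket.

Added example (not Custodia's code). The kernel says who connected via
SO_PEERCRED (pid, uid, gid); /proc/<pid>/{status,cmdline,stat} let us compare
that process's uid, argv and start time with what a caller (e.g. a container
runtime) claims. Parsing is separated from the live /proc reads so the logic
can be exercised on constructed input. Linux only.
"""
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class PeerCred:
    pid: int
    uid: int
    gid: int


@dataclass(frozen=True)
class PeerSnapshot:
    cred: PeerCred
    uid_from_status: int   # real uid recorded in /proc/<pid>/status
    argv: List[str]        # /proc/<pid>/cmdline split on NUL
    starttime: int         # field 22 of /proc/<pid>/stat (clock ticks since boot)


def peer_credentials(conn: socket.socket) -> PeerCred:
    """SO_PEERCRED returns struct ucred {pid_t pid; uid_t uid; gid_t gid;}."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    return PeerCred(*struct.unpack("3i", raw))


def parse_proc_status_uid(status_text: str) -> int:
    """Real uid from the 'Uid:<tab>real<tab>effective<tab>saved<tab>fs' line."""
    for line in status_text.splitlines():
        if line.startswith("Uid:"):
            return int(line.split()[1])
    raise ValueError("no Uid line in status text")


def parse_proc_cmdline(cmdline: bytes) -> List[str]:
    """argv from /proc/<pid>/cmdline: NUL-separated and NUL-terminated; empty for kernel threads."""
    if not cmdline:
        return []
    if cmdline.endswith(b"\0"):
        cmdline = cmdline[:-1]
    return [a.decode("utf-8", "surrogateescape") for a in cmdline.split(b"\0")]


def parse_proc_stat_starttime(stat_text: str) -> int:
    """Field 22 (starttime) of /proc/<pid>/stat. comm (field 2) may contain spaces
    and parentheses, so split on the last ')' and count from field 3 (state)."""
    _, _, rest = stat_text.rpartition(")")
    return int(rest.split()[22 - 3])


def build_snapshot(cred: PeerCred, status_text: str, cmdline: bytes, stat_text: str) -> PeerSnapshot:
    return PeerSnapshot(cred, parse_proc_status_uid(status_text),
                        parse_proc_cmdline(cmdline), parse_proc_stat_starttime(stat_text))


def identity_matches(claim_uid: int, claim_argv: Sequence[str], snap: PeerSnapshot) -> bool:
    """True only if the kernel-observed identity agrees with the claim.

    The SO_PEERCRED uid is authoritative (kernel-supplied at connect time) and
    must equal both the claim and the uid /proc shows for that pid now; a
    mismatch means the pid was recycled between the two reads. argv is extra
    information an attacker has to get right, not proof: a process can rewrite
    its own cmdline."""
    if snap.cred.uid != claim_uid or snap.uid_from_status != snap.cred.uid:
        return False
    return snap.argv == list(claim_argv)


def same_process(first: PeerSnapshot, later: PeerSnapshot) -> bool:
    """Re-check at request time: same pid/uid/gid and an unchanged start time,
    which a recycled pid would not reproduce."""
    return first.cred == later.cred and first.starttime == later.starttime


def snapshot_live(cred: PeerCred) -> Optional[PeerSnapshot]:
    """Read /proc for the peer now; None if it already exited (never retry later: the pid may be reused)."""
    try:
        with open(f"/proc/{cred.pid}/status") as f:
            status = f.read()
        with open(f"/proc/{cred.pid}/cmdline", "rb") as f:
            cmdline = f.read()
        with open(f"/proc/{cred.pid}/stat") as f:
            stat = f.read()
    except (FileNotFoundError, ProcessLookupError):
        return None
    return build_snapshot(cred, status, cmdline, stat)


# Constructed /proc contents for the demo (not captured from a real host).
SAMPLE_CRED = PeerCred(pid=4242, uid=1000, gid=1000)
SAMPLE_STATUS = "Name:\tpython3\nState:\tS (sleeping)\nPid:\t4242\nUid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\n"
SAMPLE_CMDLINE = b"/usr/bin/python3\0/srv/app/main.py\0--worker\0"
SAMPLE_STAT = "4242 (my (odd) app) S 1 4242 4242 0 -1 4194560 1234 0 0 0 10 5 0 0 20 0 1 0 98765 12345678 500\n"
CLAIM_ARGV = ["/usr/bin/python3", "/srv/app/main.py", "--worker"]


def demo() -> dict:
    snap = build_snapshot(SAMPLE_CRED, SAMPLE_STATUS, SAMPLE_CMDLINE, SAMPLE_STAT)
    # Same pid and uid seen later, but a different start time and argv: a recycled pid.
    recycled = build_snapshot(SAMPLE_CRED, SAMPLE_STATUS, b"/bin/sh\0",
                              SAMPLE_STAT.replace("98765", "99999"))
    return {
        "ok": identity_matches(1000, CLAIM_ARGV, snap),
        "wrong_uid": identity_matches(0, CLAIM_ARGV, snap),
        "wrong_argv": identity_matches(1000, CLAIM_ARGV[:1], snap),
        "recycled_pid": same_process(snap, recycled),
    }
```

In a real service the sequence is: `cred = peer_credentials(conn)` on accept, `first = snapshot_live(cred)` and `identity_matches(...)` before the connection is trusted, then `same_process(first, snapshot_live(cred))` again when each request arrives. That only narrows the window the comment talks about; it does not close it, and a `None` from `snapshot_live` should end the connection rather than be retried.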

@simo5
Member

simo5 commented Aug 10, 2017

Nodding on all your remarks

4 participants