vault-auth-file

command module

v0.1.0 Latest Latest Go to latest Published: Apr 4, 2018 License: Apache-2.0 Imports: 5 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/gites/vault-auth-file

Links

Open Source Insights

README ¶

Vault Auth File

HashiCorp Vault authentication plugin for authenticating via Unix password like file.

Authentication workflow

User name and password are sent to Vault.
Vault calculate password hash and compare it to hash stored in password file.
If succesfull, policies listed in password file are applayed to user.
Valid token is returned to user.

Instalation

Set plugin_directory variable in Vault config.
```
plugin_directory="/opt/vault/plugins"
```
Copy vault-auth-file binary to plugin_directory.

Enable plugin in Vault.

SHA_256SUM=`sha256sum /opt/vault/plugins/vault-auth-file/vault-auth-file|cut -d' ' -f1`
vault write sys/plugins/catalog/vault-auth-file sha_256=$SHA_256SUM command=vault-auth-file
vault auth-enable -path=file -plugin-name vault-auth-file plugin

Configuration

Configuration endpoint is located at auth/file/config. Configuration options:

path (mandatory) - path to password file (example: /opt/vault/etc/password-file)
ttl (optional) - token TTL (example: 1h)
max_ttl (optional) - max token TTL (example: 2h)

Example:

vault write auth/file/config path=/opt/vault/etc/password-file ttl=1h max_ttl=2h

Password file format

Password file format is similar to Unix/Linux password file:

username:password_hash:coma,separated,policy,list

For now only SHA-512 hashes are supported.

Example:

wac:$6$.R4zGSdU$UQbNz4pV/AuDxD0Su6qfeVRaKz6gsq3w7zD8ywhFFpF7vbtiBxEFq49SbNI8kNGPmZyMzJIelUFvf12tUknjE0:ops,dev
wacek:$6$AwBd/60MqRG8M1V2$mXPJ39lAs26otEjY4YvObn7lEN2UeZgsEE6ueeN0zWS96QBJQuJLUhLmf1LuvCk7.MYpNik7tl5CEdqr.3Is80:ops,dev,netops
zenek:$6$jG6ZxCOkrXI$r4za9aGwb/VVw3nB3vRyvO2njCzgyKKCPxMn.GOYkW0/WaEMQENpbEufrX6CAQqlsIDr0x9DUsAhIS8bL3OGf1:ops,dev,netops
gites:$6$spfjUPN4$6ap3h.6Fac23HO/CFTZpQYdwvZ8zFflZkCQMWVO.13pCFEOjw8sjVljiIU6SgAhRDwwUBK1DYvHmBdoz/3wef0:ops
gites2:$6$EBzUEPlL$sLnPV5wKqvWloHNf7rfaO2bG1wxGl7zda6Jy/qU3ChLuIlK2EujMIaIdJfHhwbCst60IHqkFAiZXMVhFTQx3b1:ops

Login endpoint is located at auth/file/login. Login options:

username (mandatory) - username to login
password (mandatory) - password for that user

Example:

vault write auth/file/login username=wac password=lubieplacki      
Key                     Value                         
---                     -----                         
token                   ffff3192-87cf-c3c9-e3af-1a3373fb6017                                                 
token_accessor          9689189d-548c-3c06-6c81-fb621f9e404c                                                 
token_duration          1h0m0s                        
token_renewable         true                          
token_policies          [default dev ops]             
token_meta_username     "wac"                         
token_meta_woop         "woop.sh"

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

main.go

Directories ¶

Path	Synopsis
authfile

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL