README.md

# Vault Plugin: Centrify Identity Platform Auth Backend

This is a standalone backend plugin for use with [Hashicorp Vault](https://www.github.com/hashicorp/vault).
This plugin allows Centrify Identity Platform user accounts to authenticate with Vault.

**Please note**: We take Vault's security and our users' trust very seriously. If you believe you have found a security issue in Vault, _please responsibly disclose_ by contacting us at [security@hashicorp.com](mailto:security@hashicorp.com).

## Quick Links

- Vault Website: https://www.vaultproject.io
- Main Project Github: https://www.github.com/hashicorp/vault

## Getting Started

This is a [Vault plugin](https://www.vaultproject.io/docs/internals/plugins.html)
and is meant to work with Vault. This guide assumes you have already installed Vault
and have a basic understanding of how Vault works.

Otherwise, first read this guide on how to [get started with Vault](https://www.vaultproject.io/intro/getting-started/install.html).

To learn specifically about how plugins work, see documentation on [Vault plugins](https://www.vaultproject.io/docs/internals/plugins.html).

## Security Model

The current authentication model requires providing Vault with an OAuth2 Client ID and Secret, which can be used to make authenticated calls to the Centrify Identity Platform API. The token obtained with these credentials is scoped to allow only the APIs required for the Vault integration, and cannot be used for interactive login directly.

## Usage

This plugin is currently built into Vault and by default is accessed
at `auth/centrify`. To enable this in a running Vault server:

```sh
$ vault auth-enable centrify
Successfully enabled 'centrify' at 'centrify'!
```

Before the plugin can authenticate users, both the plugin and your cloud service tenant must be configured correctly. To configure your cloud tenant, sign in as an administrator and perform the following actions. Please note that this plugin requires the Centrify Cloud Identity Service version 17.11 or newer.

### Create an OAuth2 Confidential Client

An OAuth2 Confidential Client is a Centrify Directory User.

- Users -> Add User
  - Login Name: vault_integration@<yoursuffix>
  - Display Name: Vault Integration Confidential Client
  - Check the "Is OAuth confidential client" box
  - Password Type: Generated (be sure to copy the value, you will need it later)
  - Create User

### Create a Role

To scope the users who can authenticate to Vault, and to allow our Confidential Client access, we will create a role.

- Roles -> Add Role
  - Name: Vault Integration
  - Members -> Add
    - Search for and add the vault_integration@<yoursuffix> user
    - Additionally add any roles/groups/users who should be able to authenticate to Vault
  - Save

### Create an OAuth2 Client Application

- Apps -> Add Web Apps -> Custom -> OAuth2 Client
- Configure the added application
  - Description:
    - Application ID: "vault_io_integration"
    - Application Name: "Vault Integration"
  - General Usage:
    - Client ID Type -> Confidential (must be OAuth client)
  - Tokens:
    - Token Type: JwtRS256
    - Auth methods: Client Creds + Resource Owner
  - Scope
    - Add a single scope named "vault_io_integration" with the following regexes:
      - usermgmt/getusersrolesandadministrativerights
      - security/whoami
  - User Access
    - Add the previously created "Vault Integration" role
  - Save

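To check that the scope configured above is minimal (the Security Model section promises that the token allows only the APIs the integration needs), here is an added Go example that is not part of the plugin's code: it treats each scope entry as a regex over the whole endpoint path, which is an assumption about how the platform evaluates scopes, and reports needed calls the scope misses and sample out-of-scope calls it covers. The endpoint paths in `main` are constructed samples.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// The two endpoint regexes the README assigns to the "vault_io_integration" scope.
var vaultScopeRules = []string{
	"usermgmt/getusersrolesandadministrativerights",
	"security/whoami",
}

// scopePermits reports whether apiPath is covered by some rule. Assumption (illustrative,
// not Centrify's evaluator): a rule is a regex matched case-insensitively against the
// whole endpoint path, taken relative to the tenant URL with any leading slash removed.
func scopePermits(rules []string, apiPath string) (bool, error) {
	path := strings.TrimPrefix(strings.ToLower(apiPath), "/")
	for _, rule := range rules {
		re, err := regexp.Compile("(?i)^(?:" + rule + ")$")
		if err != nil {
			return false, fmt.Errorf("bad scope rule %q: %w", rule, err)
		}
		if re.MatchString(path) {
			return true, nil
		}
	}
	return false, nil
}

// leastPrivilegeReport lists needed calls the scope misses and forbidden sample calls it covers.
func leastPrivilegeReport(rules, needed, forbidden []string) (missing, overbroad []string) {
	for _, p := range needed {
		if ok, _ := scopePermits(rules, p); !ok {
			missing = append(missing, p)
		}
	}
	for _, p := range forbidden {
		if ok, _ := scopePermits(rules, p); ok {
			overbroad = append(overbroad, p)
		}
	}
	return missing, overbroad
}

func main() {
	m, o := leastPrivilegeReport(vaultScopeRules, []string{"/Security/WhoAmI"}, []string{"/UserMgmt/ChangeUserPassword"}) // constructed sample paths
	fmt.Println("missing:", m, "overbroad:", o)
}
```

A wildcard rule such as `usermgmt/.*` would show up in the overbroad list, which is the signal that the client's token can reach more of the API than the plugin uses.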
### Configuring the Vault Plugin

As an administrative Vault user, you can read/write the centrify plugin configuration using the /auth/centrify/config path:

```sh
$ vault write auth/centrify/config \
    service_url=https://<tenantid>.my.centrify.com \
    client_id=vault_integration@<yoursuffix> \
    client_secret=<password copied earlier> \
    app_id=vault_io_integration \
    scope=vault_io_integration
```

### Authenticating

As a valid user of your tenant, in the appropriate role for accessing the Vault Integration app, you can now authenticate to Vault:

```sh
$ vault auth -method=centrify username=<your username>
```

Your Vault token will be valid for the length of time defined in the app's token lifetime configuration (default 5 hours).

## Developing

If you wish to work on this plugin, you'll first need
[Go](https://www.golang.org) installed on your machine
(version 1.9+ is *required*).

For local dev first make sure Go is properly installed, including
setting up a [GOPATH](https://golang.org/doc/code.html#GOPATH).
Next, clone this repository into
`$GOPATH/src/github.com/hashicorp/vault-plugin-auth-centrify`.
You can then download any required build tools by bootstrapping your
environment:

```sh
$ make bootstrap
```

To compile a development version of this plugin, run `make` or `make dev`.
This will put the plugin binary in the `bin` and `$GOPATH/bin` folders. `dev`
mode will only generate the binary for your platform and is faster:

```sh
$ make
$ make dev
```

Put the plugin binary into a location of your choice. This directory
will be specified as the [`plugin_directory`](https://www.vaultproject.io/docs/configuration/index.html#plugin_directory)
in the Vault config used to start the server.

```hcl
...
plugin_directory = "path/to/plugin/directory"
...
```

Start a Vault server with this config file:

```sh
$ vault server -config=path/to/config.json ...
...
```

Once the server is started, register the plugin in the Vault server's [plugin catalog](https://www.vaultproject.io/docs/internals/plugins.html#plugin-catalog):

```sh
$ vault write sys/plugins/catalog/centrify \
        sha_256=<expected SHA256 Hex value of the plugin binary> \
        command="vault-plugin-auth-centrify"
...
Success! Data written to: sys/plugins/catalog/centrify
```

Note you should generate a new sha256 checksum if you have made changes
to the plugin, since Vault compares the binary's digest against the catalog entry when it launches the plugin. Example using openssl (the binary lives in `$GOPATH/bin` after `make`):

```sh
$ openssl dgst -sha256 $GOPATH/bin/vault-plugin-auth-centrify
...
SHA256(.../go/bin/vault-plugin-auth-centrify)= 896c13c0f5305daed381952a128322e02bc28a57d0c862a78cbc2ea66e8c6fa1
```

Enable the auth plugin backend using the Centrify auth plugin:

```sh
$ vault auth-enable -plugin-name='centrify' plugin
...

Successfully enabled 'plugin' at 'centrify'!
```