Skip to content

Releases: fordth/credentials-fetcher

Initial Release

22 Sep 21:39
@fordth fordth
v1.0.0
90a6fd4
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
Initial Release Latest
Latest

BEHAVIORAL CHANGES:

  • CF_CRED_FILE:

      This release adds the ability to access a TGT file via file system when a credential specification file is supplied via CF_CRED_FILE during runtime.
  The gRPC functionality remains the same. The new functionality is an addition to when the CF_CRED_FILE is set.
  The purpose is to have containers mount to where the TGT is placed and therefore can use the ticket for authentication.
  The new startup process is as follows:
  	1. Upon startup check if an environment variable CF_CRED_FILE has been defined.
  	2. Parse the credential spec file located at CR_CRED_FILE
  	3. Get the TGT from the Domain Controller and store it at:  /var/credentials-fetcher/krbdir/credspec/<service-account-name>/krb5cc
  	4. Generate the metadata file for the new TGT, this giving visibility to the thread that handled TGT refreshes
  	5. Continue the startup process as normal (spawn threads, etc...)

  • Ticket Renewal:

      Currently a thread runs every 10 minutes to check if the ticket expiration is within an hour.
  The problem with this logic is that token refresh expiration expires much longer after the ticket itself expires.
  This behavior I assume is ok for services that are already connected when ticket expired but any new connections requesting the TGT could
  potentially use an expired ticket because the refresh token hasn't expired yet. I kept the existing logic for gRPC generated TGTs but if the TGT was built
  from the CF_CRED_FILE then I have new logic implemented. The new logic doesn't check when the refresh token expires, but instead checks for
  when the ticket expires and will renew it if it expires within an hour. This will keep the TGT valid for any new connections.

  • Assembly Versioning:

      Added new switch --version to display the current version of credentials-fetcher

FILE CHANGES:

  • .gitignore (Added):

      For .vscode, build, obj, etc...

  • /CMakeLists.txt:

      Added assembly versioning using new --version switch
  Added environment variable CF_CRED_FILE to credential-fetcher.service upon MAKE

  • /README.md:

      Description for new optional runtime environment variable CF_CRED_FILE

  • common/daemon.h:

      A new string property called "origin" has been added to the krb_ticket_info structure.
  The "origin" property allow to track where the tickets keytab originate from (CF_CRED_FILE "file" or gRPC "grpc")
  Currently the "origin" property is used decide how ticket expiration occurs as described in detail above.

  CreateKerberosLease: Assigns property krb_ticket_info->origin = "grpc"
  AddNonDomainJoinedKerberosLease: Assigns property krb_ticket_info->origin = "grpc"

  New function ProcessCredSpecFile()
  		If an environment variable CF_CRED_FILE is set to a credential spec file, then upon process startup process the credential file and treat it the same as if it came in from a domain joined gRPC CreateKerberosLease call.
  		Set the krb_ticket_info->origin = "file"
  		Processing in this new function is the same as the gRPC equivalent lease calls:
  				1) Parse the credential file
  				2) Get the Kerberos ticket
  				3) Create metadata file for later refreshing

  • auth/kerberos/src/krb.cpp

      New function get_ticket_expiration()
  As described in detail above, this new method parses the TGT for the ticket expiration instead of the refresh token expiration.
  Currently this new method of checking ticket expiration is only performed on tickets originating from "file" not "grpc"
  "grpc" originating tickets parse TGTs file for renewal using the original logic (Refresh token expiration).
  This modified logic can be found in the function is_ticket_ready_for_renewal() that determine what process to follow based on the ticket "origin" property.

  • common/daemon.h

      Added new property std::string "origin" to class krb_ticket_info. This property was explained early.

  • config/src/config.cpp

      Updated –help argument output
  Added –version support

  • daemon/src/daemon.cpp

      Added support for credential file processing upon startup. This occurs just before the the gRPC and ticket expiration threads are started.

  • metadata/src/metadata.cpp

      Added writing/reading new metadata field “origin”

  • renewal/src/renewal.cpp

      Modified call to is_ticket_ready_for_renewal() to take a parameter creds_fetcher::krb_ticket_info* krb_ticket_info instead of std::string
  This was needed so I can access the new origin property and make a decision then how the klist output should be parsed.

What's Changed

  • Conditional compilation for Ubuntu by @smhmhmd in #1
  • Pull in grpc and krb5 compilation into credentials-fetcher by @smhmhmd in #2
  • Contains docker file for Ubuntu 20.04 to support the latest CMake refactoring by @fordth in #4
  • Dockerfile and cmake changes for ubuntu-20.04 by @smhmhmd in #3
  • Added credentials specifications file support by @fordth in #5

New Contributors

Full Changelog: https://github.com/fordth/credentials-fetcher/commits/v1.2

Contributors

fordth and smhmhmd
Assets 2
Loading