BEHAVIORAL CHANGES:
-
CF_CRED_FILE:
This release adds the ability to access a TGT file via the file system when a credential specification file is supplied through the CF_CRED_FILE environment variable at runtime. The gRPC functionality remains the same; the new behaviour only applies when CF_CRED_FILE is set. The purpose is to let containers mount the location where the TGT is placed and use the ticket for authentication. The new startup process is as follows:
1. Upon startup, check whether the environment variable CF_CRED_FILE has been defined.
2. Parse the credential spec file located at CF_CRED_FILE.
3. Get the TGT from the Domain Controller and store it at /var/credentials-fetcher/krbdir/credspec/<service-account-name>/krb5cc.
4. Generate the metadata file for the new TGT, which gives visibility to the thread that handles TGT refreshes.
5. Continue the startup process as normal (spawn threads, etc.).
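As an added illustration of steps 1 to 4 (example code written for these notes, not credentials-fetcher's own implementation), the following C++ models the CF_CRED_FILE startup decision as a pure function so it can be exercised offline. It assumes a credential spec whose account name sits under ActiveDirectoryConfig.GroupManagedServiceAccounts[].Name and a key=value metadata layout; both are assumptions, as is the check that the account name taken from the file cannot escape the krbdir directory once it becomes a path component. The names plan_credspec_startup, json_string_after, is_safe_account_name and CredSpecPlan are invented here.

```cpp
// Added example (not credentials-fetcher's own code): the CF_CRED_FILE startup
// sequence as a decision function. Assumed: the credspec JSON carries the
// account under ActiveDirectoryConfig.GroupManagedServiceAccounts[0].Name and
// the metadata file is plain key=value text.
#include <cctype>
#include <cstdio>
#include <optional>
#include <string>

struct CredSpecPlan {
    std::string account;      // service account name taken from the credspec
    std::string krb5cc_path;  // where the TGT is stored (path from the release notes)
    std::string metadata;     // metadata handed to the renewal thread
};

// Minimal JSON string-field lookup: value of the first "key": "value" after `from`.
// Constructed input only; a real JSON parser should be used for untrusted files.
static std::optional<std::string> json_string_after(const std::string& doc,
                                                    const std::string& key,
                                                    std::size_t from) {
    const std::string needle = "\"" + key + "\"";
    std::size_t k = doc.find(needle, from);
    if (k == std::string::npos) return std::nullopt;
    std::size_t colon = doc.find(':', k + needle.size());
    if (colon == std::string::npos) return std::nullopt;
    std::size_t q1 = doc.find('"', colon + 1);
    if (q1 == std::string::npos) return std::nullopt;
    std::size_t q2 = doc.find('"', q1 + 1);
    if (q2 == std::string::npos) return std::nullopt;
    return doc.substr(q1 + 1, q2 - q1 - 1);
}

// The account name becomes a directory component under krbdir, so it must not
// be able to escape that directory: allow a conservative character set and
// reject "." and "..". (Assumed policy, not from the release notes.)
static bool is_safe_account_name(const std::string& name) {
    if (name.empty() || name == "." || name == "..") return false;
    for (unsigned char c : name) {
        if (!(std::isalnum(c) || c == '-' || c == '_' || c == '.' || c == '$')) return false;
    }
    return true;
}

// Steps 1-4 of the new startup sequence. `cred_file_env` is the value of
// CF_CRED_FILE (nullptr when unset); `credspec_json` is that file's content.
// Returns nullopt when nothing is to be processed (env unset) or the spec is unusable.
std::optional<CredSpecPlan> plan_credspec_startup(const char* cred_file_env,
                                                  const std::string& credspec_json) {
    if (cred_file_env == nullptr || *cred_file_env == '\0') return std::nullopt;  // step 1
    std::size_t section = credspec_json.find("\"GroupManagedServiceAccounts\"");   // step 2
    if (section == std::string::npos) return std::nullopt;
    auto name = json_string_after(credspec_json, "Name", section);
    if (!name || !is_safe_account_name(*name)) return std::nullopt;
    CredSpecPlan plan;
    plan.account = *name;
    plan.krb5cc_path = "/var/credentials-fetcher/krbdir/credspec/" + *name + "/krb5cc";  // step 3
    plan.metadata = "krb_file_path=" + plan.krb5cc_path + "\norigin=file\n";            // step 4
    return plan;
}

// Constructed sample credspec (shape assumed, values invented).
const std::string kSampleCredSpec =
    "{\"CmsPlugins\":[\"ActiveDirectory\"],"
    "\"DomainJoinConfig\":{\"DnsName\":\"contoso.example\",\"NetBiosName\":\"CONTOSO\"},"
    "\"ActiveDirectoryConfig\":{\"GroupManagedServiceAccounts\":["
    "{\"Name\":\"WebApp01\",\"Scope\":\"contoso.example\"}]}}";

int main() {
    auto plan = plan_credspec_startup("/etc/credspec.json", kSampleCredSpec);
    if (plan) std::printf("TGT will be stored at %s\n", plan->krb5cc_path.c_str());
    else std::printf("CF_CRED_FILE processing skipped\n");
    return 0;
}
```

With the environment variable unset the function returns nothing and startup continues exactly as before; a name such as "../../etc" in the spec is rejected before it can shape the cache path.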
-
Ticket Renewal:
Currently a thread runs every 10 minutes to check whether the ticket expiration is within an hour. The problem with this logic is that the refresh token expiration is much later than the expiration of the ticket itself. This behavior I assume is ok for services that are already connected when the ticket expired, but any new connections requesting the TGT could potentially use an expired ticket because the refresh token hasn't expired yet. I kept the existing logic for gRPC-generated TGTs, but if the TGT was built from the CF_CRED_FILE then I have new logic implemented. The new logic doesn't check when the refresh token expires, but instead checks when the ticket expires and will renew it if it expires within an hour. This keeps the TGT valid for any new connections.
-
Assembly Versioning:
Added new switch --version to display the current version of credentials-fetcher
FILE CHANGES:
-
.gitignore (Added):
For .vscode, build, obj, etc...
-
/CMakeLists.txt:
Added assembly versioning using the new --version switch. Added the environment variable CF_CRED_FILE to credential-fetcher.service upon MAKE.
-
/README.md:
Description for new optional runtime environment variable CF_CRED_FILE
-
common/daemon.h:
A new string property called "origin" has been added to the krb_ticket_info structure. The "origin" property tracks where the ticket's keytab originates from (CF_CRED_FILE: "file"; gRPC: "grpc"). Currently the "origin" property is used to decide how ticket expiration is checked, as described in detail above.
CreateKerberosLease: assigns krb_ticket_info->origin = "grpc".
AddNonDomainJoinedKerberosLease: assigns krb_ticket_info->origin = "grpc".
New function ProcessCredSpecFile(): if the environment variable CF_CRED_FILE is set to a credential spec file, then upon process startup the credential file is processed and treated the same as if it came in from a domain-joined gRPC CreateKerberosLease call, with krb_ticket_info->origin = "file". Processing in this new function is the same as in the gRPC equivalent lease calls:
1) Parse the credential file
2) Get the Kerberos ticket
3) Create the metadata file for later refreshing
-
auth/kerberos/src/krb.cpp
New function get_ticket_expiration(): as described in detail above, this new method parses the TGT for the ticket expiration instead of the refresh token expiration. Currently this new method of checking ticket expiration is only performed on tickets originating from "file", not "grpc"; "grpc"-originating tickets still parse the TGT file for renewal using the original logic (refresh token expiration). This modified logic can be found in the function is_ticket_ready_for_renewal(), which determines which process to follow based on the ticket's "origin" property.
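The renewal decision described under Ticket Renewal and in this krb.cpp entry, as an added example written for these notes (not code from credentials-fetcher): it parses klist output for the krbtgt entry, takes the "Expires" value for "file" tickets and the "renew until" value for "grpc" tickets, and reports renewal when the chosen deadline is within an hour. The klist timestamp format (MM/DD/YYYY HH:MM:SS, read as UTC), the constructed sample cache listing, the fail-towards-renewal handling of an unreadable cache, and the names parse_tgt_deadlines and TgtDeadlines are assumptions; krb_ticket_info and is_ticket_ready_for_renewal mirror names from these notes, but their bodies here are this example's own.

```cpp
// Added example (not credentials-fetcher's own code) of the origin-keyed
// renewal decision: "file" -> the ticket's own "Expires" column,
// "grpc" -> the "renew until" refresh deadline (the original logic).
// Assumed: klist prints timestamps as MM/DD/YYYY HH:MM:SS in UTC.
#include <cstdint>
#include <cstdio>
#include <optional>
#include <sstream>
#include <string>
#include <vector>

struct krb_ticket_info {
    std::string krb_file_path;
    std::string origin;  // "file" (CF_CRED_FILE) or "grpc", as in the release notes
};

struct TgtDeadlines {
    std::int64_t expires = 0;      // "Expires" column of the krbtgt line
    std::int64_t renew_until = 0;  // "renew until" line; equals expires if absent
};

// Days since 1970-01-01 for a proleptic Gregorian date (Howard Hinnant's algorithm),
// used so the example does not depend on the host time zone.
static std::int64_t days_from_civil(int y, unsigned m, unsigned d) {
    y -= m <= 2;
    const std::int64_t era = (y >= 0 ? y : y - 399) / 400;
    const unsigned yoe = static_cast<unsigned>(y - era * 400);
    const unsigned doy = (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1;
    const unsigned doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + static_cast<std::int64_t>(doe) - 719468;
}

// "MM/DD/YYYY HH:MM:SS" -> Unix seconds (treated as UTC).
static std::optional<std::int64_t> parse_klist_time(const std::string& s) {
    int mo, d, y, h, mi, sec;
    if (std::sscanf(s.c_str(), "%d/%d/%d %d:%d:%d", &mo, &d, &y, &h, &mi, &sec) != 6)
        return std::nullopt;
    return days_from_civil(y, mo, d) * 86400 + h * 3600 + mi * 60 + sec;
}

static std::vector<std::string> split_ws(const std::string& line) {
    std::istringstream in(line);
    std::vector<std::string> out;
    for (std::string tok; in >> tok;) out.push_back(tok);
    return out;
}

// Locate the krbtgt entry in klist output and read both of its deadlines.
std::optional<TgtDeadlines> parse_tgt_deadlines(const std::string& klist_output) {
    std::istringstream lines(klist_output);
    std::string line;
    while (std::getline(lines, line)) {
        auto tok = split_ws(line);
        // Entry layout: "<valid starting> <expires> <service principal>", two tokens per timestamp.
        if (tok.size() < 5 || tok[4].rfind("krbtgt/", 0) != 0) continue;
        auto expires = parse_klist_time(tok[2] + " " + tok[3]);
        if (!expires) return std::nullopt;
        TgtDeadlines t;
        t.expires = t.renew_until = *expires;
        // A renewable ticket is followed by an indented "renew until <timestamp>" line.
        if (std::getline(lines, line)) {
            auto next = split_ws(line);
            if (next.size() >= 4 && next[0] == "renew" && next[1] == "until") {
                auto ru = parse_klist_time(next[2] + " " + next[3]);
                if (!ru) return std::nullopt;
                t.renew_until = *ru;
            }
        }
        return t;
    }
    return std::nullopt;  // no TGT in the cache
}

constexpr std::int64_t kRenewalWindowSeconds = 3600;  // "within an hour"

// Renewal decision keyed on ticket origin. `now` is injected so the decision is
// deterministic. An unreadable cache is treated as needing renewal (assumption:
// renewing too early is safer than handing out an expired ticket).
bool is_ticket_ready_for_renewal(const krb_ticket_info& info,
                                 const std::string& klist_output, std::int64_t now) {
    auto t = parse_tgt_deadlines(klist_output);
    if (!t) return true;
    std::int64_t deadline = (info.origin == "file") ? t->expires : t->renew_until;
    return deadline - now <= kRenewalWindowSeconds;
}

// Constructed klist output: a 10-hour TGT, renewable for 7 days.
const std::string kSampleKlist =
    "Ticket cache: FILE:/var/credentials-fetcher/krbdir/credspec/WebApp01/krb5cc\n"
    "Default principal: WebApp01$@CONTOSO.EXAMPLE\n"
    "\n"
    "Valid starting       Expires              Service principal\n"
    "05/10/2023 10:00:00  05/10/2023 20:00:00  krbtgt/CONTOSO.EXAMPLE@CONTOSO.EXAMPLE\n"
    "\trenew until 05/17/2023 10:00:00\n";

int main() {
    const std::int64_t one_hour_before_expiry = 1683745200;  // 2023-05-10 19:00:00 UTC
    const std::string cache = "/var/credentials-fetcher/krbdir/credspec/WebApp01/krb5cc";
    krb_ticket_info from_file{cache, "file"};
    krb_ticket_info from_grpc{cache, "grpc"};  // same cache, only the origin differs
    std::printf("file-origin renew now: %s\n",
                is_ticket_ready_for_renewal(from_file, kSampleKlist, one_hour_before_expiry) ? "yes" : "no");
    std::printf("grpc-origin renew now: %s\n",
                is_ticket_ready_for_renewal(from_grpc, kSampleKlist, one_hour_before_expiry) ? "yes" : "no");
    return 0;
}
```

Injecting `now` keeps the decision testable. With the sample cache, one hour before the ticket expires a "file" ticket is renewed while a "grpc" ticket is not, because its renew-until deadline is still a week away; that is exactly the window in which the original logic would let a fresh connection pick up an expired ticket.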
-
common/daemon.h
Added new property std::string "origin" to class krb_ticket_info. This property was explained earlier.
-
config/src/config.cpp
Updated --help argument output. Added --version support.
-
daemon/src/daemon.cpp
Added support for credential file processing upon startup. This occurs just before the gRPC and ticket expiration threads are started.
-
metadata/src/metadata.cpp
Added writing/reading of the new metadata field "origin"
-
renewal/src/renewal.cpp
Modified the call to is_ticket_ready_for_renewal() to take a parameter creds_fetcher::krb_ticket_info* krb_ticket_info instead of std::string. This was needed so I can access the new origin property and then decide how the klist output should be parsed.
What's Changed
- Conditional compilation for Ubuntu by @smhmhmd in #1
- Pull in grpc and krb5 compilation into credentials-fetcher by @smhmhmd in #2
- Contains docker file for Ubuntu 20.04 to support the latest CMake refactoring by @fordth in #4
- Dockerfile and cmake changes for ubuntu-20.04 by @smhmhmd in #3
- Added credentials specifications file support by @fordth in #5
New Contributors
Full Changelog: https://github.com/fordth/credentials-fetcher/commits/v1.2