I am trying to implement database authentication for MongoDB using Vault. I decided to go with Static role as only one user per DB is needed and Vault rotates the user's password, but in case of Dynamic role every time when credentials are requested a new dynamic user is created.
My doubt is Java has something called SecretLeaseContainer which creates a new dynamic user only when the credentials of the previous dynamic user is expired. This is my understanding of Java's SecretLeaseContainer. Correct me if I am wrong.
But in Python's hvac library there is no such implementation like Java's SecretLeaseContainer. Is there any similar implementation in Python's hvac library like the afore mentioned Java's SecretLeaseContainer?
Related
I've been reading up on how to implement Role Based Access Control (RBAC), with the intention to implement it within a Spring based microservice API.
It appears that when implementing RBAC, you should check permissions, rather than roles. The following posts seem to agree on this point:
Role Based Access Control (RBAC) cares about permission or roles?
https://hackernoon.com/role-based-access-control-design-for-micro-services-dg1233079
https://softwareengineering.stackexchange.com/questions/299729/role-vs-permission-based-access-control
https://heap.io/blog/engineering/structure-permissions-saas-app
The selected answer in the 1st link above says "Spring security and many other prominent access control mechanisms propagate this security anti-pattern" [of checking roles instead of permissions]. Although there are only 3 upvotes so I'm not sure if this statement would be widely accepted.
So I'd like to know, how best to approach RBAC within a Spring based API, so that I check permissions rather than roles.
Take the following scenario:
A user in my app can have the Role PLAN_MANAGER, which may have the permissions VIEW_PLAN, CREATE_PLAN, EDIT_PLAN, DELETE_PLAN. Within our app, we would allow some users to change permissions associated with roles, so for example, an admin user may edit the permissions on the PLAN_MANAGER role to remove the DELETE_PLAN permission.
Within spring, I would have a deletePlan method. I want to know how to allow users to execute this method only if they have the DELETE_PLAN permission. It looks like PreAuthorize checks are the standard way to check if a user has access to a method in spring, however it seems that hasRole, rather than hasPermision, is most commonly used with the PreAuthorize annotation.
I can't find examples/tutorials of using a PreAuthorize check that only references the permission, instead it seems to be more common to reference the role (however, the following example shows using both role and permission check https://www.dontpanicblog.co.uk/2012/08/19/protecting-service-methods-with-spring-security-annotations/).
Most examples I find seem to just do something like:
#PreAuthorize("hasRole('PLAN_MANAGER'))
But if I use that approach, and an admin user removes the DELETE_PLAN permission from the PLAN_MANAGER role, then we would incorrectly allow the user to execute deletePlan.
So should I instead be using something like:
#PreAuthorize("hasPermission('DELETE_PLAN'))
So that even if the permissions associated with roles change, this check will always be valid for this particular method, and the code won't need to be changed. So new roles could be added to the app with the DELETE_PLAN permission, and we wouldn't need to add new explicit role checks in the code for those new roles.
Thanks.
Update
I've found what looks to be someone else trying to do the same thing as me here https://stackoverflow.com/a/60251931, and it looks like he's put together a repo at https://github.com/savantly-net/spring-role-permissions
There's an example shown in the readme, pasted below, which looks to be exactly what I want to achieve - so it seems I need to use hasAuthority rather than hasRole or hasPermission (hasPermission requires an object target argument, which I don't want to specify, as that would seem to go beyond RBAC into ABAC, I simply want to specify a permission/privilege, which is why hasAuthority looks appropriate):
#PreAuthorize("hasAuthority('CREATE')")
#RequestMapping("/create")
public String create() {...}
(also found an older post detailing another custom approach which looks to allow for checks on privilege/permission rather than role - https://stackoverflow.com/a/22612076/14147607)
On a JHipster application, I've added a custom authentication provider, to verify user and password of Active Directory users that have login inside. This custom component implements AuthenticationProvider, and inside "authenticate" method, istance an ActiveDirectoryLdapAuthenticationProvider object to get authentication and verify presense on specifical groups.
With a simple A.D. test environment I've no problem, but in production, my company ask me to bind a service account, and I cannot found any method to setup manager-ad and password. How can I get around this problem?
On Spring documentation I've read the phrase "There is no concept of a "manager" user."
My app use 5.1.8.RELEASE
Thanks!
Looking at the code, it validates the user's credentials by binding using the user's credentials. That's really the only way to validate credentials.
I assume, since it has already made a successful bind, it just continues on making whatever search it needs to.
There might be a way to use different credentials for reading the groups, but it all depends on what your current code looks like. But there really is little point in doing this. You have to bind using the user's credentials to validate their credentials. So you may as well continue using that same connection.
I have a requirement where I need to use role based access to service methods. I have restful services and i use spring-data to interact with MongoDB.
There are some of the restrictions that I have. I deal with a document in DB called "Organization". In each organization, I know who are the Admins. I do not have a repository of users who can access the services.
So the only way I can enforce some access based rules is to check if the logged in user is one of the admin's configured for each organization and then allow the user to access the methods.
Should I think of applying Spring security in this case? Otherwise will a simple check on user against the configured admins in the database document help? Can I make this check at a single point so that I can apply it to service methods based on my use case needs.
Please provide your suggestions / thoughts on how to go about this.
If you use Spring Security your rest methods can take advantage of a passed-in authenticated Principal object (example here) whereupon you can do whatever extra validation desired (such as checking if the admin is good for the given organization requested, etc.) There are many other parameters also available, perhaps allowing for this org checking to be done once and stored in the session object.
I have a custom hash that I apply to passwords so that it matches the legacy .net membership provider hashing. I apply the hash clientside when registering users, but the forgot password link, since it is done by parse without the has, creates an issue.
Can I create a cloud code method or event handler that can capture password reset events so that I can hash it?
I tried creating my own forgot password cloud code function but it seems to not be able set the password since there is no logged in user during the cloud code function request.
If you want to manipulate user objects while in Cloud Code, use the Parse.useMasterKey() method to override the normal security settings. Although I can't really recommend trying to manipulate the password yourself of course.
I want to use the Grails Spring Security Plugin in my app. It creates a domain class which represents a user. My research on the internet showed me that it is not good to put all the data in this class because it's loaded all the time.
My simple solution to this would be to pack the data in an additional class and then asocciate it in the security user class. Is this a good way?
It's not "loaded all the time", it's loaded when you authenticate. The username, password, and role names are used to build the Authentication instance that's stored in the HTTP session. This is checked to see if you have access rights for various URLs.
But it can make sense to partition the data into a security-related user class and an associated profile class as #Gregg describes.
You can use a custom userDetailsService implementation to cache data from the User class in the Authentication to avoid having to repeatedly load the whole thing from the database; see http://grails-plugins.github.com/grails-spring-security-core/docs/manual/guide/11%20Custom%20UserDetailsService.html
Yes, that is a good approach. I've often used a Profile class to attach additional User profile data. I've also added additional properties directly to the User class. It probably depends on how much additional data you're talking about.