PPLAT-814: rebase access tokens on 0.14.2 #15

Open. Wants to merge 13 commits into base: main

bhowe34 commented May 8, 2024

Notable changes:

  • adds a WAL for assignment IDs so they can be rolled back on failure
  • permanently deletes applications when leases are revoked

vinay-gopalan and others added 13 commits September 16, 2022 13:56
…hashicorp#115)

* Implement Role Assignment WAL and rollback

* Improve error handling around unassignment of non-existent role assignment ID

* Better error handling in test, and guarding against nil or empty values

* Add clarity to rollback log message, and check if there were no Azure Roles associated with Role

* Further improve error handling, fix failing test, add guard against size mismatch between number of roles and assignmentIDs, parameterize Resource Group in test

* Fix rollback test, and clean up leftover debug line

* Add missing error check for spRevoke during test, use errors.New instead of Errorf for AzureRoles and assignmentIDs check

* Add warning about resources potentially still existing if WAL has expired

Co-authored-by: davidadeleon <[email protected]>
Adds the <mountPath>/token/<role> endpoint to return an OAuth access
token. This access token is not leased because these tokens have a TTL
of 60m and are not revocable upstream.

Caveats:
- The <mountPath>/roles/<role> backend will create a separate App/SP
  with the same logic as the <mountPath>/roles/<role> creds. So, a
  unified App/Service Principal is not used between the various
  endpoints for a given role.
- No changes were made to how deleting a role revokes the cloud
  resources used by the <mountPath>/creds/<role> endpoint.
- An "existing Service Principal" still creates an App password as
  opposed to a service principal password.
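
The write-ahead log and rollback flow that the first commit message describes, as an added example (not code from this pull request or from the plugin). `fakeAPI`, `assignRoles`, `rollback`, the map used as a WAL and the sample IDs are constructed here, and an empty role name is used to simulate a rejected API call.

```go
package main

import "errors"
import "fmt"

type fakeAPI map[string]string // constructed in-memory cloud: assignment ID -> role
var errNotFound = errors.New("role assignment not found")

func (f fakeAPI) Assign(role, id string) error {
	if role == "" { // stands in for any call the API rejects
		return errors.New("simulated API failure")
	}
	f[id] = role
	return nil
}
func (f fakeAPI) Unassign(id string) error {
	if _, ok := f[id]; !ok {
		return errNotFound
	}
	delete(f, id)
	return nil
}

// rollback unassigns every ID logged for op, counting "not found" as already undone.
func rollback(api fakeAPI, wal map[string][]string, op string) bool {
	for _, id := range wal[op] {
		if err := api.Unassign(id); err != nil && !errors.Is(err, errNotFound) {
			return false // keep the WAL record so a later pass can retry
		}
	}
	delete(wal, op)
	return true
}

// assignRoles logs the IDs before any API call and rolls back if a call fails.
func assignRoles(api fakeAPI, wal map[string][]string, op string, roles, ids []string) error {
	if len(roles) == 0 || len(roles) != len(ids) {
		return errors.New("roles and assignment IDs must be non-empty and equal in number")
	}
	wal[op] = ids // write ahead: a crash part-way still leaves every ID on record
	for i, role := range roles {
		if err := api.Assign(role, ids[i]); err != nil {
			return fmt.Errorf("assign %s: %w (rolled back: %t)", ids[i], err, rollback(api, wal, op))
		}
	}
	delete(wal, op) // success: nothing left to undo
	return nil
}

func main() { fmt.Println(assignRoles(fakeAPI{}, map[string][]string{}, "op-1", []string{"Reader", ""}, []string{"id-1", "id-2"})) }
```

Because every ID is logged before the first call, a rollback will meet IDs that were never created; counting "not found" as done is what lets it finish and drop the record.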

5 participants