Class CubbyholeAuthentication

- All Implemented Interfaces: AuthenticationStepsFactory, ClientAuthentication

ClientAuthentication implementation.
Cubbyhole authentication uses Vault primitives to provide a secured authentication workflow. Cubbyhole authentication uses tokens as the primary login method. An ephemeral initial token is used to obtain a second VaultToken, the login token, from Vault's Cubbyhole secret backend. The login token is usually longer-lived and is the token used to interact with Vault. The login token can be retrieved either from a wrapped response or from the data section of a stored secret.
Wrapped token response usage

Create a Token

$ vault token-create -wrap-ttl="10m"
Key                             Value
---                             -----
wrapping_token:                 397ccb93-ff6c-b17b-9389-380b01ca2645
wrapping_token_ttl:             0h10m0s
wrapping_token_creation_time:   2016-09-18 20:29:48.652957077 +0200 CEST
wrapped_accessor:               46b6aebb-187f-932a-26d7-4f3d86a68319
Setup CubbyholeAuthentication

// The initial token is the wrapping token; wrapped() tells the authentication
// to unwrap the response and use the unwrapped token as the login token.
CubbyholeAuthenticationOptions options = CubbyholeAuthenticationOptions
        .builder()
        .initialToken(VaultToken.of("397ccb93-ff6c-b17b-9389-380b01ca2645"))
        .wrapped()
        .build();

// restOperations: a RestOperations configured for the Vault endpoint
CubbyholeAuthentication authentication = new CubbyholeAuthentication(options, restOperations);
Stored token response usage

Create a Token

$ vault token-create
Key              Value
---              -----
token            f9e30681-d46a-cdaf-aaa0-2ae0a9ad0819
token_accessor   4eee9bd9-81bb-06d6-af01-723c54a72148
token_duration   0s
token_renewable  false
token_policies   [root]

$ vault token-create -use-limit=2 -orphan -no-default-policy -policy=none
Key              Value
---              -----
token            895cb88b-aef4-0e33-ba65-d50007290780
token_accessor   e84b661c-8aa8-2286-b788-f258f30c8325
token_duration   0s
token_renewable  false
token_policies   [none]

$ export VAULT_TOKEN=895cb88b-aef4-0e33-ba65-d50007290780
$ vault write cubbyhole/token token=f9e30681-d46a-cdaf-aaa0-2ae0a9ad0819
Setup CubbyholeAuthentication

// The initial token is the use-limited token; the login token is read from
// the data section stored at path().
CubbyholeAuthenticationOptions options = CubbyholeAuthenticationOptions
        .builder()
        .initialToken(VaultToken.of("895cb88b-aef4-0e33-ba65-d50007290780"))
        .path("cubbyhole/token")
        .build();

// restOperations: a RestOperations configured for the Vault endpoint
CubbyholeAuthentication authentication = new CubbyholeAuthentication(options, restOperations);
Remaining TTL/Renewability

Tokens retrieved from Cubbyhole that are associated with a non-zero TTL start their TTL at the time of token creation. That time is not necessarily identical with application startup. To compensate for the initial delay, Cubbyhole authentication performs a self-lookup for tokens associated with a non-zero TTL to retrieve the remaining TTL. Cubbyhole authentication will not self-lookup wrapped tokens without a TTL because a zero TTL indicates there is no TTL associated.

Non-wrapped tokens do not provide details regarding renewability and TTL by just retrieving the token. A self-lookup will look up renewability and the remaining TTL.
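The two setups above and the TTL handling, pulled together into one runnable class as an added example that is not Spring Vault's own code: it builds the options for either flow, constructs the RestOperations the snippets leave as restOperations, logs in exactly once through a SimpleSessionManager and reports the renewability and remaining TTL that the self-lookup populated on the LoginToken. The class name, the environment variable names and the Vault host are assumptions made for this example.

```java
import java.net.URI;
import java.time.Duration;

import org.springframework.http.client.ClientHttpRequestFactory;
import org.springframework.vault.authentication.ClientAuthentication;
import org.springframework.vault.authentication.CubbyholeAuthentication;
import org.springframework.vault.authentication.CubbyholeAuthenticationOptions;
import org.springframework.vault.authentication.LoginToken;
import org.springframework.vault.authentication.SessionManager;
import org.springframework.vault.authentication.SimpleSessionManager;
import org.springframework.vault.client.VaultClients;
import org.springframework.vault.client.VaultEndpoint;
import org.springframework.vault.config.ClientHttpRequestFactoryFactory;
import org.springframework.vault.core.VaultTemplate;
import org.springframework.vault.support.ClientOptions;
import org.springframework.vault.support.SslConfiguration;
import org.springframework.vault.support.VaultResponse;
import org.springframework.vault.support.VaultToken;
import org.springframework.web.client.RestOperations;

/**
 * Bootstraps Cubbyhole authentication from an initial token handed to the process
 * through its environment, for either the wrapped-response or the stored-token flow.
 * Example code written for this page; not part of Spring Vault.
 */
public final class CubbyholeBootstrap {

    private CubbyholeBootstrap() {
    }

    /** Wrapped-response flow: the initial token is the wrapping token. */
    static CubbyholeAuthenticationOptions wrappedOptions(String wrappingToken) {
        return CubbyholeAuthenticationOptions.builder()
                .initialToken(VaultToken.of(wrappingToken))
                .wrapped()
                .build();
    }

    /** Stored-token flow: the use-limited initial token reads the login token from path. */
    static CubbyholeAuthenticationOptions storedOptions(String initialToken, String path) {
        return CubbyholeAuthenticationOptions.builder()
                .initialToken(VaultToken.of(initialToken))
                .path(path)
                .build();
    }

    /**
     * Summarises what the login told us. CubbyholeAuthentication self-looks-up tokens
     * with a non-zero TTL, so a LoginToken carries the remaining TTL rather than the
     * TTL at creation; a bare VaultToken carries no TTL or renewability at all.
     */
    static String describe(VaultToken token) {
        if (token instanceof LoginToken) {
            LoginToken login = (LoginToken) token;
            Duration ttl = login.getLeaseDuration();
            return "renewable=" + login.isRenewable() + " remainingTtlSeconds=" + ttl.getSeconds();
        }
        return "renewable=unknown remainingTtlSeconds=unknown";
    }

    public static void main(String[] args) {
        // Assumed contract: the deployment injects the initial token via the
        // environment, so no token is written into source or config files.
        String initial = System.getenv("VAULT_INITIAL_TOKEN");
        if (initial == null || initial.isEmpty()) {
            throw new IllegalStateException("VAULT_INITIAL_TOKEN is not set");
        }
        boolean wrapped = "wrapped".equals(System.getenv("VAULT_CUBBYHOLE_MODE"));

        CubbyholeAuthenticationOptions options = wrapped
                ? wrappedOptions(initial)
                : storedOptions(initial, "cubbyhole/token");

        // The RestOperations the snippets above refer to as restOperations:
        // a RestTemplate bound to the Vault endpoint (host is a placeholder).
        VaultEndpoint endpoint = VaultEndpoint.from(URI.create("https://vault.example.com:8200"));
        ClientHttpRequestFactory requestFactory = ClientHttpRequestFactoryFactory
                .create(new ClientOptions(), SslConfiguration.unconfigured());
        RestOperations restOperations = VaultClients.createRestTemplate(endpoint, requestFactory);

        ClientAuthentication authentication = new CubbyholeAuthentication(options, restOperations);

        // The initial token is single-use (wrapping token) or use-limited (stored
        // flow), so login() must run exactly once. A SessionManager caches the
        // login token and lets VaultTemplate reuse it instead of logging in again.
        SessionManager sessionManager = new SimpleSessionManager(authentication);
        VaultToken loginToken = sessionManager.getSessionToken();
        System.out.println("Logged in: " + describe(loginToken));

        // Exercise the login token through the template: lookup-self shows which
        // policies the application actually ended up with.
        VaultTemplate vaultTemplate = new VaultTemplate(endpoint, requestFactory, sessionManager);
        VaultResponse self = vaultTemplate.read("auth/token/lookup-self");
        Object policies = (self == null) ? null : self.getData().get("policies");
        System.out.println("Login token policies: " + policies);
    }
}
```

For a non-blocking client the same options can be turned into AuthenticationSteps with CubbyholeAuthentication.createAuthenticationSteps(options) and executed by Spring Vault's reactive steps operator instead of this blocking path.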
- Author: Mark Paluch
Constructor Summary

- CubbyholeAuthentication(CubbyholeAuthenticationOptions options, RestOperations restOperations)

Method Summary

- static AuthenticationSteps createAuthenticationSteps(CubbyholeAuthenticationOptions options)
  Creates AuthenticationSteps for cubbyhole authentication given CubbyholeAuthenticationOptions.
- AuthenticationSteps getAuthenticationSteps()
  Get the AuthenticationSteps describing an authentication flow.
- VaultToken login()
  Return a VaultToken.
Constructor Details

CubbyholeAuthentication

public CubbyholeAuthentication(CubbyholeAuthenticationOptions options, RestOperations restOperations)

- Parameters:
  - options - must not be null.
  - restOperations - must not be null.
Method Details

createAuthenticationSteps

static AuthenticationSteps createAuthenticationSteps(CubbyholeAuthenticationOptions options)

Creates AuthenticationSteps for cubbyhole authentication given CubbyholeAuthenticationOptions.

- Parameters:
  - options - must not be null.
- Returns:
  - AuthenticationSteps for cubbyhole authentication.
- Since:
  - 2.0

login

VaultToken login()

Description copied from interface: ClientAuthentication
Return a VaultToken. This method can optionally log into Vault to obtain a token.

- Specified by:
  - login in interface ClientAuthentication
- Returns:
  - a VaultToken.
- Throws:
  - VaultException

getAuthenticationSteps

AuthenticationSteps getAuthenticationSteps()

Description copied from interface: AuthenticationStepsFactory
Get the AuthenticationSteps describing an authentication flow.

- Specified by:
  - getAuthenticationSteps in interface AuthenticationStepsFactory
- Returns:
  - the AuthenticationSteps describing an authentication flow.