custodia.git, branch kube Unnamed repository; edit this file 'description' to name the repository. Increase logging output of Kubernetes plugins 2015-11-11T16:37:15+00:00 Christian Heimes cheimes@redhat.com 2015-11-06T12:04:58+00:00 38fa5ecd780a6b00b70a450c4716320865ef4227 Signed-off-by: Christian Heimes <cheimes@redhat.com> 
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Add authz plugin that verify kubelets requests 2015-11-11T16:37:15+00:00 Simo Sorce simo@redhat.com 2015-10-14T00:53:00+00:00 d3c907cb21416a23e8f736f156ea807f6d1d00c5 This patch adds a special authorization plugin that verifies the identity of the node as well as checking that the node is authorized to make a request on behalf of the pod for which it is asking secrets. If all checks pass the path is rewritten to point to the proper secrets namespace for the pod. By rewriting paths, in case of catastrophic failure of the plugin no secret can be found as the path matches nothing. Signed-off-by: Simo Sorce <simo@redhat.com> 
This patch adds a special authorization plugin that verifies the
identity of the node as well as checking that the node is authorized
to make a request on behalf of the pod for which it is asking secrets.

If all checks pass the path is rewritten to point to the proper secrets
namespace for the pod. By rewriting paths, in case of catastrophic
failure of the plugin no secret can be found as the path matches nothing.

Signed-off-by: Simo Sorce <simo@redhat.com>
Add Authentication module for Kubernetes node 2015-11-11T16:37:15+00:00 Simo Sorce simo@redhat.com 2015-10-13T19:38:42+00:00 0abd2a6c4ac66b905430d3cad95c1b2a23bda40f This authentication module connects to docker to figure out the pod name associated to the PID requesting the service by ay of discovering the container id via the process cgroup namespace. The pod name as set in the metadata label named 'io.kubernetes.pod.name' is then used as the 'remote_user' attribute on the request. Signed-off-by: Simo Sorce <simo@redhat.com> 
This authentication module connects to docker to figure out the pod
name associated to the PID requesting the service by ay of discovering
the container id via the process cgroup namespace.

The pod name as set in the metadata label named 'io.kubernetes.pod.name'
is then used as the 'remote_user' attribute on the request.

Signed-off-by: Simo Sorce <simo@redhat.com>
Custodia client logging 2015-11-11T16:35:45+00:00 Christian Heimes christian@python.org 2015-11-11T14:25:50+00:00 d944441d2a6d0c8619e61ba7ceff16d6b147a76b custodia.client library now logs requests and responses. The auditfile argument of setup_logging() can be set to None to configure client logging without audit file. Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
custodia.client library now logs requests and responses.

The auditfile argument of setup_logging() can be set to None to
configure client logging without audit file.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Add support in the client for the kem message type 2015-11-07T01:55:12+00:00 Simo Sorce simo@redhat.com 2015-10-27T18:47:35+00:00 3b7eed15c3f9da7381d240a762b0e557dd18ce96 This allows to easily use end-to-end encrypted requests and replies to fetch secrets. Signed-off-by: Simo Sorce <simo@redhat.com> 
This allows to easily use end-to-end encrypted requests and replies
to fetch secrets.

Signed-off-by: Simo Sorce <simo@redhat.com>
Refactor CustodiaClient interface 2015-11-07T01:55:12+00:00 Simo Sorce simo@redhat.com 2015-10-27T18:39:01+00:00 2780854f1e206563b7451087984f729d0b748d35 Use the term secret and not key to refer to .. well .. secrets. Store the last response instead of returning it to the caller, this way there is a consistent way to get access to it and only as needed. Change the name to CustodiaSimpleClient in preparaion for extending the support to other Secret types. Signed-off-by: Simo Sorce <simo@redhat.com> 
Use the term secret and not key to refer to .. well .. secrets.

Store the last response instead of returning it to the caller, this
way there is a consistent way to get access to it and only as needed.

Change the name to CustodiaSimpleClient in preparaion for extending the
support to other Secret types.

Signed-off-by: Simo Sorce <simo@redhat.com>
Fix KEM messages handling when storing data. 2015-11-07T01:55:12+00:00 Simo Sorce simo@redhat.com 2015-10-26T16:36:13+00:00 b1b848ff0974c0643e57af810e4a215bf437f0cf The payload was not being set with the provided value when a PUT operation token was parsed. This resulted in attempting to store an empty value instead of the provided secret. Signed-off-by: Simo Sorce <simo@redhat.com> 
The payload was not being set with the provided value when a PUT
operation token was parsed. This resulted in attempting to store
an empty value instead of the provided secret.

Signed-off-by: Simo Sorce <simo@redhat.com>
Fix authorization stack to call all modules 2015-11-07T01:55:11+00:00 Simo Sorce simo@redhat.com 2015-10-26T16:33:59+00:00 dc6101a5acad72a22ab911bb77a594f58d220ee1 All authorization modules need to be executed, we cannot bail at the first one that returns a positive answer. Some authz modules attach data to the requst as a side effect and they need to be run even if others also authorize access. Additionally if a later module returns an explicit Deny, then that must override any previous granted access. Signed-off-by: Simo Sorce <simo@redhat.com> 
All authorization modules need to be executed, we cannot bail at the
first one that returns a positive answer. Some authz modules attach
data to the requst as a side effect and they need to be run even if
others also authorize access.
Additionally if a later module returns an explicit Deny, then that
must override any previous granted access.

Signed-off-by: Simo Sorce <simo@redhat.com>
Do not use a private name for public variables 2015-11-07T01:55:10+00:00 Simo Sorce simo@redhat.com 2015-11-07T01:36:06+00:00 ae7eb106d77f6ba61a0aaf14e773e06fa0bb99b7 In the server case auditlog is used in the pipeline too, so make it public. Signed-off-by: Simo Sorce <simo@redhat.com> 
In the server case auditlog is used in the pipeline too, so make it public.

Signed-off-by: Simo Sorce <simo@redhat.com>
Silence broad-except warnings 2015-11-07T01:52:46+00:00 Simo Sorce simo@redhat.com 2015-11-07T01:34:05+00:00 b7ae9722867f1550a94a759c27ba14f470b5dc75 Signed-off-by: Simo Sorce <simo@redhat.com> 
Signed-off-by: Simo Sorce <simo@redhat.com>