github.com/pachyderm/pachyderm@v1.13.4/doc/docs/archived/vault.md

# Configure Vault Secret Engine

Pachyderm supports integration with Hashicorp™ Vault by providing a Vault Secret Engine.

## Deploy Vault

Follow the steps below to deploy, configure, and manage the Pachyderm Vault plugin.
In these instructions, the plugin binary is placed at `/tmp/vault-plugins/pachyderm`.

To deploy Vault, complete the following steps:

1. Get the plugin binary:

   1. Go to the latest release page in the [Pachyderm GitHub repo](https://github.com/pachyderm/pachyderm/releases).
   2. Download the `vault` asset.

2. Download and install the binary on your Vault server instance.

3. Connect to your Vault server.

4. Run the following commands:

   ```shell
   export SHASUM=$(shasum -a 256 "/tmp/vault-plugins/pachyderm" | cut -d " " -f1)
   echo $SHASUM
   vault write sys/plugins/catalog/pachyderm sha_256="$SHASUM" command="pachyderm"
   vault secrets enable -path=pachyderm -plugin-name=pachyderm plugin
   ```

   You might need to enable memory locking on the pachyderm plugin. For more information,
   see the [Vault Documentation](https://www.vaultproject.io/docs/configuration/#disable_mlock).

   **Example:**

   ```shell
   sudo setcap cap_ipc_lock=+ep $(readlink -f /tmp/vault-plugins/pachyderm)
   ```

5. Configure the plugin by providing the following information:

   - `admin_token`: the (machine user) Pachyderm token that the plugin uses to cut new credentials on behalf of users
   - `pachd_address`: the URL at which the Pachyderm cluster can be accessed
   - `ttl`: the maximum TTL with which a token can be issued

## Admin Token

To get a machine user `admin_token` from Pachyderm:

* If auth is not activated, follow these instructions:

  ```shell
  $ pachctl auth activate --initial-admin=robot:admin
  Retrieving Pachyderm token...
  WARNING: DO NOT LOSE THE ROBOT TOKEN BELOW WITHOUT ADDING OTHER ADMINS.
  IF YOU DO, YOU WILL BE PERMANENTLY LOCKED OUT OF YOUR CLUSTER!
  Pachyderm token for "robot:admin":
  34cffc9254df40f0a277ee23e9fb005d

  $ ADMIN_TOKEN=34cffc9254df40f0a277ee23e9fb005d
  $ echo "${ADMIN_TOKEN}" | pachctl auth use-auth-token # authenticates you as the cluster admin
  ```

  This activates auth with a robot user. It is also possible to activate auth with a GitHub user.
  Also, the choice of `robot:admin` is arbitrary; you could name this admin `robot:<any string>`.

* If auth *is* already activated:

  ```shell
  # Login as a cluster admin
  $ pachctl auth login
  ... login as cluster admin ...

  # Appoint a new robot user as the cluster admin (if needed)
  $ pachctl auth modify-admins --add=robot:admin

  # Get a token for that robot user admin
  $ pachctl auth get-auth-token robot:admin
  New credentials:
    Subject: robot:admin
    Token: 3090e53de6cb4108a2c6591f3cbd4680

  $ ADMIN_TOKEN=3090e53de6cb4108a2c6591f3cbd4680
  ```

Pass the new admin token to the plugin configuration, together with the `pachd_address` and the optional `ttl`:

```shell
vault write pachyderm/config \
    admin_token="${ADMIN_TOKEN}" \
    pachd_address="127.0.0.1:30650" \
    ttl=5m # optional
```

6. Test the plugin:

   ```shell
   vault read pachyderm/version

   # If this fails, check if the problem is in the client (rather than the server):
   vault read pachyderm/version/client-only
   ```

7. Manage user tokens with `revoke`:

   ```shell
   $ vault token revoke d2f1f95c-2445-65ab-6a8b-546825e4997a
   Success! Revoked token (if it existed)
   ```

   This revokes the Vault token. If you also want to manually revoke a Pachyderm token, you can do so by issuing:

   ```shell
   $ vault write pachyderm/revoke user_token=xxx
   ```

## Usage

When your application needs to access Pachyderm, do the following:

1. Connect / log in to Vault.

   Depending on your language and deployment this can vary; see the Vault documentation for more details.

2. Any time you are going to issue a request to a Pachyderm cluster, first:

   - check whether you have a valid Pachyderm token
   - if you do not have a token, hit the `login` path as described below
   - if you have a token but its TTL will expire soon (the latter half of the TTL is the recommended point), hit the `renew` path as described below
   - then use the token from the response when constructing your client to talk to the Pachyderm cluster

### Login

Again, your client could be in any language, but as an example using the Vault CLI:

```shell
$ vault write -f pachyderm/login/robot:test
Key                Value
---                -----
lease_id           pachyderm/login/robot:test/e93d9420-7788-4846-7d1a-8ac4815e4274
lease_duration     768h
lease_renewable    true
pachd_address      192.168.99.100:30650
user_token         aa425375f03d4a5bb0f529379d82aa39
```

The response metadata contains the `user_token` that you need to use to connect to the Pachyderm cluster,
as well as the `pachd_address`.

Again, if you wanted to use this Pachyderm token on the command line:

```shell
$ echo "aa425375f03d4a5bb0f529379d82aa39" | pachctl auth use-auth-token
$ pachctl config update context `pachctl config get active-context` --pachd-address=127.0.0.1:30650
$ pachctl list repo
```

The TTL is tied to the Vault lease in `lease_id`, which can be inspected or revoked
using the Vault lease API (documented here: https://www.vaultproject.io/api/system/leases.html):

```shell
$ vault write /sys/leases/lookup lease_id=pachyderm/login/robot:test/e93d9420-7788-4846-7d1a-8ac4815e4274
Key             Value
---             -----
expire_time     2018-06-17T23:32:23.317795215-07:00
id              pachyderm/login/robot:test/e93d9420-7788-4846-7d1a-8ac4815e4274
issue_time      2018-05-16T23:32:23.317794929-07:00
last_renewal    <nil>
renewable       true
ttl             2764665
```

### Renew

You should issue a `renew` request once the halfway mark of the TTL has elapsed.
Like revocation, renewal is handled using the Vault lease API:

```shell
$ vault write /sys/leases/renew lease_id=pachyderm/login/robot:test/e93d9420-7788-4846-7d1a-8ac4815e4274 increment=3600
Key                Value
---                -----
lease_id           pachyderm/login/robot:test/e93d9420-7788-4846-7d1a-8ac4815e4274
lease_duration     2h
lease_renewable    true
```
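As an added example (not code from the Pachyderm docs or project), here is a minimal Python client that implements the Usage procedure above against Vault's HTTP API: it logs in through the `pachyderm/login/<user>` path when there is no usable token, looks up the lease's remaining TTL with `sys/leases/lookup`, and renews through `sys/leases/renew` once half the lease duration has elapsed. The Vault address, the user name `robot:test`, and the sample login response (built from the values in the CLI output above) are assumptions.

```python
"""Added example (not from the Pachyderm docs or project): a minimal client for the Pachyderm
secret engine over Vault's HTTP API, applying the Usage rule: log in without a token, renew past half the TTL."""
import json
import urllib.error
import urllib.request

VAULT_ADDR = "http://127.0.0.1:8200"  # assumption: a local Vault server
USER = "robot:test"  # assumption: the user from the doc's login example

# Constructed sample login response, built from the values shown in the doc's CLI output
SAMPLE_LOGIN = {
    "lease_id": "pachyderm/login/robot:test/e93d9420-7788-4846-7d1a-8ac4815e4274",
    "lease_duration": 2764800,  # 768h in seconds
    "data": {"user_token": "aa425375f03d4a5bb0f529379d82aa39",
             "pachd_address": "192.168.99.100:30650"},
}

def vault_call(method, path, body, token):
    """Send a JSON request to Vault and return the decoded JSON response."""
    req = urllib.request.Request(f"{VAULT_ADDR}/v1/{path}", method=method, data=json.dumps(body).encode(),
                                 headers={"X-Vault-Token": token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def parse_login(resp):
    """Keep what the doc says to use: the Pachyderm user_token, the pachd_address and the lease."""
    return {"lease_id": resp["lease_id"], "lease_duration": resp["lease_duration"],
            "user_token": resp["data"]["user_token"], "pachd_address": resp["data"]["pachd_address"]}

def should_renew(remaining_ttl, lease_duration):
    """Renew once the latter half of the TTL has begun, as the doc recommends."""
    return remaining_ttl <= lease_duration / 2

def get_pachyderm_creds(vault_token, cached=None):
    """Return usable credentials: log in (no or expired lease) or renew (past halfway)."""
    if cached is not None:
        try:
            ttl = vault_call("PUT", "sys/leases/lookup", {"lease_id": cached["lease_id"]},
                             vault_token)["data"]["ttl"]
        except urllib.error.HTTPError:  # unknown or expired lease: the Pachyderm token is gone too
            ttl = 0
        if ttl > 0 and not should_renew(ttl, cached["lease_duration"]):
            return cached
        if ttl > 0:
            renewed = vault_call("PUT", "sys/leases/renew", {"lease_id": cached["lease_id"],
                                 "increment": cached["lease_duration"]}, vault_token)
            return dict(cached, lease_duration=renewed["lease_duration"])
    # no cached token, or its lease is gone: obtain a fresh Pachyderm token via the login path
    return parse_login(vault_call("POST", f"pachyderm/login/{USER}", {}, vault_token))
```

Call `get_pachyderm_creds(vault_token)` once and then `get_pachyderm_creds(vault_token, creds)` before each Pachyderm request; the returned `user_token` and `pachd_address` go into your Pachyderm client.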