
V4/Password Vault 1.1

Revision as of 09:08, 25 April 2016 by Alich (talk | contribs)

Name: V4/Password Vault 1.1
Ticket: #3872
Target version: 4.2.1
Author: Endi Sukma Dewata
Status: Pending review
Last updated: 2016-04-25 by Alich

Overview

Password Vault 1.1 provides several enhancements over Password Vault 1.0.

New vault management commands:

  • Listing all accessible service and user vaults.
  • Changing vault type.
  • Changing vault password.
  • Changing vault keys.

New access control list:

  • A container owner can create and remove sub-containers and vaults in the container, and manage the members and owners of the container, but it cannot remove the container itself.
  • A container member can list sub-containers and vaults in the container.
  • An escrow officer can recover secrets and reset the vault password.

Vault Management

Listing accessible vaults

A user can search the vaults that it owns or is a member of using the following command:

$ ipa vault-find [OPTIONS]

By default the command will list the vaults in the private container:

$ ipa vault-find
---------------
1 entries found
---------------
  Vault name: PrivateVault
  User name: testuser
  Type: standard
----------------------------
Number of entries returned 1
----------------------------

To find all service vaults, specify --services:

$ ipa vault-find --services
---------------
1 entries found
---------------
  Vault name: test
  Service name: HTTP/server.example.com
  Type: standard
----------------------------
Number of entries returned 1
----------------------------

To find service vaults belonging to a specific service, specify --service <service name>:

$ ipa vault-find --service HTTP/server.example.com
---------------
1 entries found
---------------
  Vault name: test
  Service name: HTTP/server.example.com
  Type: standard
----------------------------
Number of entries returned 1
----------------------------

To find shared vaults, specify --shared:

$ ipa vault-find --shared
---------------
1 entries found
---------------
  Vault name: test
  Shared: True
  Type: standard
----------------------------
Number of entries returned 1
----------------------------

To find all user vaults, specify --users:

$ ipa vault-find --users
---------------
1 entries found
---------------
  Vault name: test
  User name: testuser
  Type: standard
----------------------------
Number of entries returned 1
----------------------------

To find the vaults of a specific user, specify --user <username>:

$ ipa vault-find --user testuser
---------------
1 entries found
---------------
  Vault name: test
  User name: testuser
  Type: standard
----------------------------
Number of entries returned 1
----------------------------

Changing vault type

An owner can change the vault type using the following command.

$ ipa vault-mod <name> --type <new type> [OPTIONS]

To change the vault type, the old encryption parameter needs to be specified:

  • standard: nothing
  • symmetric: password (--old-password or --old-password-file)
  • asymmetric: private key (--private-key-file)

and the new encryption parameter needs to be specified:

  • standard: nothing
  • symmetric: password (--new-password or --new-password-file)
  • asymmetric: public key (--public-key-file)

If a password is not specified on the command line, it will be asked for interactively.

To change a standard vault into a symmetric vault, the new password must be specified:

$ ipa vault-show test
  Vault name: test
  Type: standard

$ ipa vault-mod test --type symmetric
New password: ********
Verify password: ********
---------------------
Modified vault "test"
---------------------
  Vault name: test
  Type: symmetric

To change a symmetric vault into an asymmetric vault the old password and the new public key must be specified:

$ ipa vault-mod test --type asymmetric --public-key-file public.pem
Password: ********
---------------------
Modified vault "test"
---------------------
  Vault name: test
  Type: asymmetric

To convert an asymmetric vault into a standard vault the old private key must be specified:

$ ipa vault-mod test --type standard --private-key-file private.pem
---------------------
Modified vault "test"
---------------------
  Vault name: test
  Type: standard
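The transition rules above pair each old type with the parameter that unlocks the current contents and each new type with the parameter that protects the re-encrypted contents. The following helper is an added example, not part of this design page or of FreeIPA: it builds the argument list for ipa vault-mod from an old type, a new type and optional secret files, and refuses transitions that cannot work because a private or public key file is missing. The option names are the ones documented above; the file names are whatever the caller passes, and nothing here invokes ipa itself.

```shell
#!/bin/sh
# Added example (not FreeIPA code): compute the options that
#   ipa vault-mod <name> --type <new type> ...
# needs for a type change, following the rules on this page.
#
# usage: vault_mod_type_args <old type> <new type> [old secret file] [new secret file]
# Prints the options on stdout; returns 1 with a message on stderr when the
# transition cannot be expressed (a key file is mandatory, a password is not,
# because a missing password is simply prompted for by the CLI).
vault_mod_type_args() {
    old_type=$1 new_type=$2 old_file=$3 new_file=$4
    args="--type $new_type"

    # Old encryption parameter: proves the caller can decrypt what is stored now.
    case $old_type in
        standard) ;;                                  # nothing protects a standard vault
        symmetric)
            if [ -n "$old_file" ]; then args="$args --old-password-file $old_file"; fi ;;
        asymmetric)
            if [ -z "$old_file" ]; then
                echo "asymmetric source vault needs --private-key-file" >&2; return 1
            fi
            args="$args --private-key-file $old_file" ;;
        *) echo "unknown old vault type: $old_type" >&2; return 1 ;;
    esac

    # New encryption parameter: protects the contents after re-encryption.
    case $new_type in
        standard) ;;
        symmetric)
            if [ -n "$new_file" ]; then args="$args --new-password-file $new_file"; fi ;;
        asymmetric)
            if [ -z "$new_file" ]; then
                echo "asymmetric target vault needs --public-key-file" >&2; return 1
            fi
            args="$args --public-key-file $new_file" ;;
        *) echo "unknown new vault type: $new_type" >&2; return 1 ;;
    esac

    printf '%s\n' "$args"
}

# Example run, mirroring the symmetric -> asymmetric transition shown above:
vault_mod_type_args symmetric asymmetric old-password.txt public.pem
```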

Changing vault password

An owner can change the password of a symmetric vault using the following command.

$ ipa vault-mod <name> [OPTIONS]

To change the password interactively:

$ ipa vault-mod test --change-password
Password: ********
New password: ********
Verify new password: ********
---------------------
Modified vault "test"
---------------------
  Vault name: test
  Type: symmetric

To change the password silently:

$ ipa vault-mod test --old-password-file <old password file> --new-password-file <new password file>
---------------------
Modified vault "test"
---------------------
  Vault name: test
  Type: symmetric

Changing vault keys

An owner can change the keys of an asymmetric vault using the following command.

$ ipa vault-mod <name> [OPTIONS]

For example:

$ ipa vault-mod test --private-key-file private.pem --public-key-file new-public.pem
---------------------
Modified vault "test"
---------------------

Access Control

In Vault 1.1 a service can be added as a vault owner or member.

Adding vault member

A vault owner can add members to the vault with the following command:

$ ipa vault-add-member <name> [--users <list of users>] [--groups <list of groups>] [--services <list of services>]

For example:

$ ipa vault-add-member MyVault --users testmember
---------------------------------
Added members to "MyVault " vault
---------------------------------

Removing vault member

A vault owner can remove a member from the vault with the following command:

$ ipa vault-remove-member <name> [--users <list of users>] [--groups <list of groups>] [--services <list of services>]

For example:

$ ipa vault-remove-member MyVault --users testmember
-------------------------------------
Removed members from "MyVault " vault
-------------------------------------

Adding vault owner

An owner can add another owner to the vault with the following command:

$ ipa vault-add-owner <vault ID> [--users <list of users>] [--groups <list of groups>] [--services <list of services>]

For example:

$ ipa vault-add-owner MyVault --users testowner
----------------------------------
Added owners from "MyVault " vault
----------------------------------

Removing vault owner

An owner can remove another owner from the vault with the following command:

$ ipa vault-remove-owner <name> [--users <list of users>] [--groups <list of groups>] [--services <list of services>]

For example:

$ ipa vault-remove-owner MyVault --users testowner
------------------------------------
Removed owners from "MyVault " vault
------------------------------------

Managing vault containers

The container commands work in the same way as the vault-show, vault-del, vault-add-owner and vault-remove-owner commands. A vault container holds vaults. There are three container types: shared, per-user and per-service. A per-user or per-service container is created together with the first vault of that user or service.

 vaultcontainer-show [--service <service>|--user <user>|--shared ]
 vaultcontainer-del [--service <service>|--user <user>|--shared ]
 vaultcontainer-add-owner
         [--service <service>|--user <user>|--shared ]
         [--users <users>]  [--groups <groups>] [--services <services>]
 vaultcontainer-remove-owner
         [--service <service>|--user <user>|--shared ]
         [--users <users>]  [--groups <groups>] [--services <services>]

Reworked permissions

  • Added new "Vault administrators" privilege. Vault administrators have unrestricted access to vaults and vault containers, including the power to add/remove owners of vaults and vault containers.
  • Removed the ability of vault owners to add/remove other vault owners. If a vault owner needs to be changed, a vault administrator has to do it. Note that vault owners still have the ability to add/remove vault members.
  • When adding a new vault container, set the owner to the current user. If a vault container owner needs to be changed, a vault administrator has to do it.
  • Allowed adding of vaults and vault containers only if the owner is set to the current user.

Status

Completed changes:

  • Skip tests if KRA not available (pushed).
  • Validate vault's file parameters (pushed).
  • Fixed missing KRA agent cert on replica (pushed).
  • Validate mutually exclusive options in vault-add (pushed).
  • Validate public key in client (pushed).
  • Add CLI param and ACL for vault service operations (pushed).
  • Allow overriding member param label in LDAPModMember (pushed).
  • Fix param labels in output of vault owner commands (pushed).
  • Fixed vault container ownership (pushed).
  • Normalize service principal in service vault operations (pushed).
  • Validate vault type (pushed).
  • Fix vault-find with criteria (pushed).
  • Add container information to vault command results (pushed).
  • Add flag to list all service and user vaults (pushed).
  • Add support for changing vault encryption (pushed).
  • Change default vault type to symmetric (pushed).
  • Fix vault tests after default type change (pushed).
  • Limit size of data stored in vault (pushed).
  • Using LDAPI to set up CA and KRA agents (pushed).

Test Plan

http://www.freeipa.org/page/V4/Password_Vault/Test_Plan
