Vault + Jupyterhub + LDAP to manage secrets

[danieleperera]

Hi everyone,

I wanted to share some progress I’ve made with Jupyterhub setup, particularly regarding LDAP authentication configured with Vault.
I’m currently facing a challenge when configuring Vault with LDAP groups and permissions. I can successfully login using LDAP credentials into Juypterhub, however, I'm not able to generate an authentication token for the user who has logged into Jupyterhub.

I've subclassed the Juypterhub ldap authentication and I'm trying to merge the authentication process with Vault, so I can pass a token into the spawned notebook, from where I will read necessary secrets.

Below is a sample code of the subclassed auth process:

client = hvac.Client(url='https://my-vault-server.com/')

client.auth.ldap.login(
    username='', # getting this data from Jupyterhub login process
    password='' # getting this data from Jupyterhub login process
)

print(client.is_authenticated())

if client.is_authenticated():
    # Now,  a new token with the desired policies and TTL (1 day)
    policies = ['dev']
    token_ttl = '24h'  # 1 day TTL

    token_create_response = client.auth.token.create(policies=policies, ttl=token_ttl) # <- I get permission denied error here

    # Extract the newly created token
    new_token = token_create_response['auth']['client_token']
    
    print({"auth_state": {'vault_token': new_token}}) # passing the vault_token to the spawned docker notebook as an env 
else:
    print("HVAC client authentication failed")

I've configured the Vault to perform ldap search queries and created dev policy and enable access via ldap group.
Via UI, I'm able to login to Vault and read the secret path.

Below a sample of the policy:

path "secret/*" {
    capabilities = ["create", "read", "update", "patch", "delete", "list"]
}

As LDAP server, I'm using FreeIPA

vault write auth/ldap/config url="ldaps://REDACTED:636" \
  userdn="REDACTED" userattr="uid" \
  groupdn="cn=developers,cn=groups,cn=accounts,REDACTED" \
  starttls="true" \
  insecure_tls="true" \
  binddn="uid=my-account,cn=sysaccounts,cn=etc,REDACTED" \ 
  bindpass='REDACTED'

I'm running vault in dev mode in a docker CT, the version is 1.15.
Any would be greatly appreciated.

[briantist]

Can you share the rest of the code? I can't tell from this alone what's happening in your combined auth process or how the hvac client is using your modified auth class.

What kind of error are you receiving?

[danieleperera]

The error is get is:

Forbidden: 1 error occurred:
	* permission denied

, on post https://my-vault-server.com/v1/auth/token/create

# Subclass the LDAPAuthenticator to add vault authentication
# and get an API token
class LDAPAuthenticatorWithVault(LDAPAuthenticator):

    async def authenticate(self, handler, data):
        super().__init__()

        import hvac
        client = hvac.Client()

        self.log.debug("Configuring HVAC client")

        self.log.debug("Authenticating HVAC client with user's LDAP credentials")

        client.auth.ldap.login(
            username=data['username'],
            password=data['password'],
            mount_point='ldap'
        )

        if client.is_authenticated():
            # Now, create a new token with the desired policies and TTL (1 day)
            policies = ['dev']
            token_ttl = '24h'  # 1 day TTL

            token_create_response = client.auth.token.create(policies=policies, ttl=token_ttl)

            # Extract the newly created token
            new_token = token_create_response['auth']['client_token']
            self.log.info("HVAC client authenticated successfully. Generating a API token")

            return {"name": data['username'], "auth_state": {'vault_token': new_token}}
            print({"auth_state": {'vault_token': new_token}})
        else:
            self.log.warning("HVAC client authentication failed")
            return data['username']

    async def pre_spawn_start(self, user, spawner):
        """Pass vault_token to spawner via environment variable"""
        auth_state = await user.get_auth_state()
        if not auth_state:
            # auth_state not enabled
            return
        spawner.environment['VAULT_TOKEN'] = auth_state['vault_token']

Can you tell me what other logs do you need?

[briantist]

Thank you, the problem you're seeing here is the part where you try to create a new, second token.

By logging in with LDAP, you've already assigned a token to the client. That token was created with the policies you previously assigned, the same as the ones you would get by logging into the UI.

Then, you are trying to create a new token with that token. But your policy does not give you the permissions to create child tokens. This is supported by the policy you showed me, and also the error message which shows your error on this endpoint: v1/auth/token/create

I don't think you have any need to be creating a second token though, so you can probably comment out your call to create a second token.

If you need access to the value of the token, you can read it directly from client.token, or assign it to the left side when you auth, like token = client.auth.ldap(...).

---

I also want to make a note about the is_authenticated() function just so you understand what it does. It makes a call to Vault using the client's assigned token, making a call to the "lookup-self" endpoint. It otherwise doesn't really check that the token is "correct" or has the permission you need.

So, an invalid token will definitely fail if you call this, but if the call succeeds, it doesn't tell you much else about that token except that it's valid for one specific use.

It's slightly more useful when using "token" auth and your token comes from somewhere else. It's much less useful when using one of the auth methods like LDAP, because if the LDAP call failed it will raise its own exception, if it didn't do that, it will have gotten some token and assigned it.

[danieleperera]

Okay, it's more clear now. In the documentation I did not find details about the TTL of the token generated when a user logs using LDAP. https://developer.hashicorp.com/vault/docs/auth/ldap.

For my usecase, I could use the token generated via LDAP and pass it to the spawned CT. Thanks for your support.

[briantist]

To set the token TTL for the LDAP auth method, you can either set it when you enable the mount (https://developer.hashicorp.com/vault/api-docs/auth/ldap#token_ttl) or you can tune the existing mount (https://developer.hashicorp.com/vault/api-docs/system/mounts#tune-mount-configuration).

If you don't set a TTL the system default will be used. You can read more about token TTLs in detail here: https://developer.hashicorp.com/vault/docs/concepts/tokens#token-time-to-live-periodic-tokens-and-explicit-max-ttls

It's worth noting that in your example where you set the token TTL on a child token, you could only make that value shorter I believe, not longer.

If you want your general LDAP logins to have a certain TTL but you want tokens for this specific use case to have a different TTL, you could create a second LDAP mount for that purpose, at like /auth/jupyterldap or something, and then configure its TTL and other settings appropriately.