Vault + Jupyterhub + LDAP to manage secrets #1070
Hi everyone, I wanted to share some progress I've made with my JupyterHub setup, particularly regarding LDAP authentication configured with Vault. I've subclassed the JupyterHub LDAP authenticator and I'm trying to merge the authentication process with Vault, so I can pass a token into the spawned notebook, from where I will read the necessary secrets. Below is sample code of the subclassed auth process:

```python
import hvac

client = hvac.Client(url='https://my-vault-server.com/')
# Log in to Vault with the same credentials JupyterHub received on its login form
client.auth.ldap.login(
    username='',  # getting this data from the JupyterHub login process
    password=''   # getting this data from the JupyterHub login process
)
print(client.is_authenticated())
if client.is_authenticated():
    # Now, a new token with the desired policies and TTL (1 day)
    policies = ['dev']
    token_ttl = '24h'  # 1 day TTL
    token_create_response = client.auth.token.create(policies=policies, ttl=token_ttl)  # <- I get permission denied error here
    # Extract the newly created token
    new_token = token_create_response['auth']['client_token']
    print({"auth_state": {'vault_token': new_token}})  # passing the vault_token to the spawned docker notebook as an env
else:
    print("HVAC client authentication failed")
```

I've configured Vault to perform LDAP search queries, created a `dev` policy and enabled access via an LDAP group. Below is a sample of the policy:
As LDAP server, I'm using FreeIPA.
I'm running Vault in dev mode in a Docker container; the version is 1.15.
Can you share the rest of the code? I can't tell from this alone what's happening in your combined auth process or how the hvac client is using your modified auth class. What kind of error are you receiving?
Thank you. The problem you're seeing here is the part where you try to create a new, second token.
By logging in with LDAP, you've already assigned a token to the client. That token was created with the policies you previously assigned, the same as the ones you would get by logging into the UI.
Then, you are trying to create a new token with that token. But your policy does not give you the permissions to create child tokens. This is supported by the policy you showed me, and also by the error message, which shows your error on this endpoint:
`v1/auth/token/create`
I don't think you have any need to be creating a second token though, so you can probably comment out your call to create a second …
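Worked example added for this thread; it is not the original poster's subclass, not the reply author's code, and not hvac's or JupyterHub's own code. It keeps the token that the LDAP login already returns, turns it into the `auth_state` JupyterHub persists and the environment the spawner hands to the notebook, and uses Vault's `sys/capabilities-self` endpoint to check whether that token could have called `auth/token/create` at all (the call that fails in the original post). `ConstructedVaultClient`, the `hvs.constructed-...` token values, the `secret/data/dev/*` path, the policy names and the function names are assumptions made so that the file runs offline; against a real `hvac.Client` the same functions apply unchanged.

```python
"""Use the token from the Vault LDAP login directly, instead of minting a second one.

Added example for this discussion (not the original poster's subclass, not hvac's or
JupyterHub's code).  Assumptions: an hvac.Client-compatible object (real, or the
constructed ConstructedVaultClient below for offline use) and a JupyterHub
Authenticator that returns the auth_state built here from authenticate() and
copies it into spawner.environment in pre_spawn_start().
"""
import types

# Endpoint behind client.auth.token.create(); a child token needs the 'update'
# capability on it (a root token has everything).
CHILD_TOKEN_PATH = "auth/token/create"


def auth_state_from_ldap_login(client, username, password):
    """LDAP login; return the auth_state JupyterHub should persist for this user.

    The login response already carries a client token bound to the policies the
    LDAP group maps to, so no second token has to be created.
    """
    resp = client.auth.ldap.login(username=username, password=password)
    auth = resp["auth"]
    return {
        "vault_token": auth["client_token"],
        "vault_policies": list(auth["policies"]),
        # lease_duration is in seconds: the notebook must renew or finish before it ends
        "vault_ttl_seconds": int(auth["lease_duration"]),
        "vault_renewable": bool(auth.get("renewable", False)),
    }


def vault_env_for_spawner(auth_state, vault_addr):
    """Environment the spawner should pass to the notebook container.

    VAULT_ADDR and VAULT_TOKEN are the variables the Vault CLI and hvac.Client()
    read by default, so code inside the notebook needs no extra configuration.
    """
    return {"VAULT_ADDR": vault_addr, "VAULT_TOKEN": auth_state["vault_token"]}


def capabilities_on_path(capabilities_response, path):
    """Capability list for `path` from a sys/capabilities-self response.

    Vault returns the list under the path key and, for a single-path query, also
    under "capabilities"; newer versions additionally nest it under "data".
    """
    for container in (capabilities_response, capabilities_response.get("data", {})):
        if path in container:
            return list(container[path])
    return list(capabilities_response.get("capabilities", []))


def can_create_child_token(capabilities_response, path=CHILD_TOKEN_PATH):
    """True if the token may POST auth/token/create, i.e. the original post's call would succeed."""
    caps = set(capabilities_on_path(capabilities_response, path))
    return bool(caps & {"update", "root"})


class ConstructedVaultClient:
    """Constructed stand-in for hvac.Client so this file runs without a Vault server.

    Only the attributes used above are mimicked: auth.ldap.login(), auth.token.create(),
    sys.get_capabilities() and .token.  Capabilities not listed default to deny.
    """

    def __init__(self, group_policies, path_capabilities):
        self._group_policies = list(group_policies)
        self._path_capabilities = dict(path_capabilities)
        self.token = None
        self.auth = types.SimpleNamespace(
            ldap=types.SimpleNamespace(login=self._ldap_login),
            token=types.SimpleNamespace(create=self._token_create),
        )
        self.sys = types.SimpleNamespace(get_capabilities=self._get_capabilities)

    def _ldap_login(self, username, password, **_):
        if not password:
            raise PermissionError("ldap login failed (stand-in for hvac.exceptions.InvalidRequest)")
        self.token = f"hvs.constructed-{username}"
        return {"auth": {"client_token": self.token,
                         "policies": ["default"] + self._group_policies,
                         "lease_duration": 2764800,  # Vault's default 768h max TTL, in seconds
                         "renewable": True}}

    def _get_capabilities(self, paths, token=None, accessor=None):
        resp = {p: list(self._path_capabilities.get(p, ["deny"])) for p in paths}
        resp["capabilities"] = resp[paths[0]]
        return resp

    def _token_create(self, **_):
        if not can_create_child_token(self._get_capabilities([CHILD_TOKEN_PATH])):
            raise PermissionError("permission denied (stand-in for hvac.exceptions.Forbidden)")
        return {"auth": {"client_token": f"{self.token}-child"}}


if __name__ == "__main__":
    # A 'dev' policy that reads secrets but grants nothing on auth/token/create (constructed).
    client = ConstructedVaultClient(["dev"], {"secret/data/dev/*": ["read"]})
    state = auth_state_from_ldap_login(client, "alice", "correct horse")
    print(vault_env_for_spawner(state, "https://my-vault-server.com/"))
    print("child tokens allowed:",
          can_create_child_token(client.sys.get_capabilities([CHILD_TOKEN_PATH])))
```

Wiring into the subclassed authenticator (assumed layout): `authenticate()` returns `{"name": username, "auth_state": auth_state_from_ldap_login(hvac.Client(url=VAULT_ADDR), username, password)}`, and `pre_spawn_start(self, user, spawner)` does `spawner.environment.update(vault_env_for_spawner(await user.get_auth_state(), VAULT_ADDR))`. That needs `c.Authenticator.enable_auth_state = True` and a `JUPYTERHUB_CRYPT_KEY`, since JupyterHub only stores auth_state encrypted. Do not print the auth_state dict as the original snippet does: that writes the Vault token into the hub log. To see what a real token may do, run `client.sys.get_capabilities(paths=[CHILD_TOKEN_PATH])` after the LDAP login and pass the result to `can_create_child_token()`; a policy that grants only `read` on secret paths yields `deny` here, which is the permission-denied error from the original post.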