Users and permissions¶
In this lab we modify the client used by credhub-interpolate in the
fetch-products pipeline, and tighten the access to CredHub.
We also discuss:
- the UAA and its role in managing credhub clients and their authorities
- Credhub permissions on paths
- The use of Concourse teams to namespace pipelines for distinct foundations
How Concourse accesses CredHub¶
How does Concourse's native integration access CredHub? Does it use credhub_admin? If not, then what client does it use?
How might you find the Concourse to credhub client?
One way is to go back to the Concourse bosh deployment and review how the Concourse web job is configured.
Another way is to ssh only the Concourse web VM and look for the configuration file for the service.
Try this:
-
Navigate to
~/workspace/opsman-director, since its.envrcfile is configure with theom bosh-envcommand. -
Ssh onto the concourse web VM and become root user
bosh -d concourse ssh web/0 sudo su - -
On the VM, navigate to
/var/vcap/jobs/web/config, then:grep -i credhub bpm.yml
What is the credhub client id?
Concourse uses a dedicated client.
Exit the VM and return to the jumbpox.
Find the Concourse Credhub client in the UAA¶
The Concourse credhub client was created and stored in the UAA.
If you recall, Concourse was installed along with two colocated services: CredHub and the UAA, an OAuth2-certified server.
uaac is the CLI for the UAA. You installed it when configuring the jumpbox.
-
Verify that the uaac is installed: run
uaac --versionoruaac --help. -
Pore through the Concourse bosh deployment manifests (and ops files) again.
Can you find where the port number for the UAA service is specified?
-
Target the Concourse UAA server
uaac target https://ci.eitan.esuez.org:8443/ --skip-ssl-validation -
To log in to the UAA as the admin user, you will find the credentials in the bosh credhub.
-
navigate to
~/workspace/opsman-director, and run:credhub find -p /p-bosh/concourse -
lookup the password for the uaa admin:
credhub get -n /p-bosh/concourse/uaa_admin -
log in to the uaa:
uaac token client get admin -s _insert-uaa-admin-password-here_
-
List the UAA clients:
uaac clients
The output lists the concourse_to_credhub_client and credhub_admin clients.
What client to use for credhub-interpolate¶
Clearly we should not be using credhub_admin.
We are not going to piggyback off of the Concourse client.
Instead, create a distinct client.
uaac client add \
--name main_to_credhub_client \
--scope uaa.none \
--authorized_grant_types client_credentials \
--authorities "credhub.read,credhub.write"
You will be prompted to enter the client id and a password of your choosing (just remember it, at least, until you put it in credhub).
The idea behind the client name is to follow the same convention as the concourse native integration client. The main prefix is taken from the Concourse team name where the pipelines reside.
Configure permissions for the client¶
The client needs permission to access all credhub secrets under /concourse/main.
Read about the credhub cli permissions-related commands here.
credhub set-permission \
--actor=uaa-client:main_to_credhub_client \
--path=/concourse/main/* \
--operations="read"
Can you follow the semantics of the above-command? Review the above-referenced documentation to understand the syntax and the options.
Update the pipeline¶
Review the fetch-products pipeline yaml. Specifically the credhub-interpolate step.
It turns out, we need only update the values for the credhub-client and credhub-secret in CredHub so that the pipeline uses the new user you just created.
You know the drill:
- navigate to
~/workspace(do you recall why this is important?) - first, you need to
credhub deletethe existing entries, then.. - create a
credentials.ymlfile with two variables (don't forget to provide the fully qualified path) - run the
credhub importcommand with the appropriate arguments - verify that the values were updated
- delete
credentials.yml
Verify that the pipeline continues to function using this new user.
- trigger the job
fetch-opsmanagain and make sure it passes
If for some reason the wrong permissions were assigned to the user, the
job will be denied access to the secrets (e.g. pivnet-token) when it
runs.
Mission accomplished: we no longer run fetch-products pipeline as credhub_admin.
Going forward¶
In subsequent labs, you will work towards provisioning a sandbox foundation.
Establish a convention whereby all pipelines for a foundation will reside in a distinct team in Concourse.
Review (recall) the Concourse credential lookup rules:
- for a pipeline in a team named
x, credentials are looked up in credhub under the path /concourse/x/
Each pipeline should use a distinct credhub client with permission to access only its credentials under that path.
Create a client for the sandbox foundation¶
By convention, use the client name sandbox_to_credhub_client.
- Use the
uaacclient to create that client - Use the
credhub set-permissioncommand to give that client permission to read secrets under/concourse/sandbox/* - Store the sandbox
credhub-clientandcredhub-secretunder/concourse/sandbox
While here, also store the credhub-server and credhub-ca-cert.
Although these are already in credhub, they are under /concourse/main and the sandbox client will not have access to those. So, duplicate the values under /concourse/sandbox
Create a new team in Concourse¶
-
At the moment you have a single team called
main. Verify this:fly -t main teams -
Create a team named sandbox
fly -t main set-team --team-name=sandbox --local-user=admin -
Verify that you now have two teams
fly -t main teams
Configure fly to access to the sandbox team¶
In Concourse, access to each team requires a separate target.
-
Review your existing
flytargetsfly targetsIt points to the
mainteam. -
Configure a new target named
sandboxfly -t sandbox login \ --concourse-url=https://ci.your-environment-name.pal4pe.com \ --team-name=sandbox -
Verify that you now have a target for each team
fly targets