Re: [keycloak-dev] File-based Vault implementation
Hi Sebastian,
Elytron has a very powerful and flexible Credential Store SPI (Peter can
give more details) that can help managing credentials based on keys. You
could even use an implementation backed by a java key store (with in-memory
support).
Wouldn't make sense to use it or at least check how the design could be
improved to fit our requirements?
Regards.
Pedro Igor
On Fri, Aug 2, 2019 at 6:39 AM Sebastian Laskawiec <slaskawi(a)redhat.com>
wrote:
Hey,
We are considering an initial, file-based Vault [1] implementation that
we'll ship out of the box. I imagine a minimum set of requirements as the
following:
- Easy to write by hand (for testing)
- Works out of the box in Kubernetes (Kubernetes can mount Secrets as
files)
- Make sure we do not cache file content anywhere, so we don't compromise a
secret value in Keycloak
Essentially, there are two approaches for such an implementation.
The first option is to put all secrets into a shared file representing
key-value pairs (a properties file is a natural candidate for such an
implementation). This approach very easy to use but it's pretty hard to
search for a particular key in a file. We would need to make sure that we
don't cache anything wile parsing the file (in BufferedInputStream for
example). Such an implementation would also be pretty slow, since whenever
we'd access the vault for a particular key, we would potentially need to
search the whole file.
The second option is more complicated. Imagine the following file structure
(inside a vault directory):
my-secret-1 (secret value in its content)
my-secret-2 (secret value in its content)
my-secret-3 (secret value in its content)
In other words, each key is a file in a vault directory and its content
corresponds the secret value. Such an implementation is not very easy to
use as we'd need to create many small files. However, it's super fast for
searching and we can securely read the value without a risk of compromising
other secret values provided by the vault.
I wonder what do you think about this? My personal take on this is that we
should provide both implementations. The former (single file) would be used
in our testsuite (because of simplicity) and the latter (multiple files) in
production and in Kubernetes.
Thanks,
Sebastian
[1]
https://github.com/keycloak/keycloak-community/blob/master/design/secure-...
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev