FreeIPA Vault plugin for Custodia
Project description
WARNING custodia.ipa is a tech preview with a provisional API.
custodia.ipa is a storage plugin for Custodia. It provides integration with FreeIPA’s vault facility. Secrets are encrypted and stored in Dogtag’s Key Recovery Agent.
Requirements
Installation
pip
setuptools >= 18.0
Runtime
custodia >= 0.3.1
ipalib >= 4.5.0
ipaclient >= 4.5.0
Python 2.7 (Python 3 support in IPA vault is unstable.)
custodia.ipa requires an IPA-enrolled host and a Kerberos TGT for authentication. It is recommended to provide credentials with a keytab file or GSS-Proxy.
Testing and development
wheel
tox
virtualenv requirements
custodia.ipa depends on several binary extensions and shared libraries, such as python-cryptography, python-gssapi, python-ldap, and python-nss. For installation in a virtual environment, a C compiler and several development packages are required.
$ virtualenv venv
$ venv/bin/pip install --upgrade custodia.ipa
Fedora
$ sudo dnf install python2 python-pip python-virtualenv python-devel \
    gcc redhat-rpm-config krb5-workstation krb5-devel libffi-devel \
    nss-devel openldap-devel cyrus-sasl-devel openssl-devel
Debian / Ubuntu
$ sudo apt-get update
$ sudo apt-get install -y python2.7 python-pip python-virtualenv python-dev \
    gcc krb5-user libkrb5-dev libffi-dev libnss3-dev libldap2-dev \
    libsasl2-dev libssl-dev
Example configuration
Create directories
$ sudo mkdir /etc/custodia /var/lib/custodia /var/log/custodia /var/run/custodia
$ sudo chown USER:GROUP /var/lib/custodia /var/log/custodia /var/run/custodia
$ sudo chmod 750 /var/lib/custodia /var/log/custodia
Create service account and keytab
$ kinit admin
$ ipa service-add custodia/client1.ipa.example
$ ipa service-allow-create-keytab custodia/client1.ipa.example --users=admin
$ mkdir -p /etc/custodia
$ ipa-getkeytab -p custodia/client1.ipa.example -k /etc/custodia/custodia.keytab
Create /etc/custodia/custodia.conf
[DEFAULT]
confdir = /etc/custodia
libdir = /var/lib/custodia
logdir = /var/log/custodia
rundir = /var/run/custodia

[global]
debug = true
server_socket = ${rundir}/custodia.sock
auditlog = ${logdir}/audit.log

[store:vault]
handler = IPAVault
keytab = {confdir}/custodia.keytab
ccache = FILE:{rundir}/ccache

[auth:creds]
handler = SimpleCredsAuth
uid = root
gid = root

[authz:paths]
handler = SimplePathAuthz
paths = /. /secrets

[/]
handler = Root

[/secrets]
handler = Secrets
store = vault
Run Custodia server
$ custodia /etc/custodia/custodia.conf
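A deployment laid out as above is only as strong as the file modes around it: the keytab must stay owner-only and the directories given mode 750 must not be opened to everyone. The following standalone Python 3 script is an added pre-flight check, not part of custodia.ipa; it parses a custodia.conf in the format shown, using configparser's ExtendedInterpolation for the `${...}` references, and assumes the IPAVault plugin's `{confdir}`-style placeholders expand from the [DEFAULT] section the same way.

```python
import configparser
import os
import stat
import tempfile

# Constructed custodia.conf modelled on the page's example; @ROOT@ is swapped for a
# scratch directory so the check runs anywhere. Not a config shipped by the project.
SAMPLE_CONF = """[DEFAULT]
confdir = @ROOT@/etc
libdir = @ROOT@/lib
logdir = @ROOT@/log
[store:vault]
handler = IPAVault
keytab = {confdir}/custodia.keytab
"""

def check_config(path):
    """Return findings for a custodia.conf; an empty list means it matches the page's advice."""
    # Custodia resolves ${name} references with ExtendedInterpolation; the IPAVault
    # plugin's {confdir}-style placeholders are assumed here to expand from [DEFAULT].
    cp = configparser.ConfigParser(interpolation=configparser.ExtendedInterpolation())
    cp.read(path)
    findings = []
    keytab = cp.get("store:vault", "keytab").format(**cp.defaults())
    if not os.path.isfile(keytab):
        findings.append("keytab missing: " + keytab)
    elif os.stat(keytab).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("keytab readable by group or other: " + keytab)
    for key in ("libdir", "logdir"):  # the page sets these to mode 750
        d = cp.get("DEFAULT", key)
        if os.path.isdir(d) and os.stat(d).st_mode & stat.S_IRWXO:
            findings.append(key + " is world-accessible: " + d)
    return findings

def demo():
    """Lay out the sample deployment in a temp dir; findings with a 0600 keytab, then 0644."""
    root = tempfile.mkdtemp()
    for sub in ("etc", "lib", "log"):
        os.mkdir(os.path.join(root, sub), 0o750)
    conf = os.path.join(root, "etc", "custodia.conf")
    with open(conf, "w") as f:
        f.write(SAMPLE_CONF.replace("@ROOT@", root))
    keytab = os.path.join(root, "etc", "custodia.keytab")
    with open(keytab, "w") as f:
        f.write("constructed placeholder, not a real keytab\n")
    os.chmod(keytab, 0o600)
    clean = check_config(conf)
    os.chmod(keytab, 0o644)  # the common slip: keytab left group/world readable
    return clean, check_config(conf)
```

Run check_config against /etc/custodia/custodia.conf before starting the server; demo() shows the expected output on a scratch copy.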
File details
Details for the file custodia.ipa-0.1.0.tar.gz.
File metadata
- Download URL: custodia.ipa-0.1.0.tar.gz
- Upload date:
- Size: 21.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
File hashes
Algorithm | Hash digest
---|---
SHA256 | a43f4ca5fee175e574f6a8f2ff7197bbff7a2815ca732c961b15b3d100f999f4
MD5 | 812c8cdf0d9aca9bf0df60f39820ee50
BLAKE2b-256 | 51a85ecb27883399dee022a48931607f1202572cfad1243793ad71c563cff5e4
File details
Details for the file custodia.ipa-0.1.0-py2.py3-none-any.whl.
File metadata
- Download URL: custodia.ipa-0.1.0-py2.py3-none-any.whl
- Upload date:
- Size: 9.1 kB
- Tags: Python 2, Python 3
- Uploaded using Trusted Publishing? No
File hashes
Algorithm | Hash digest
---|---
SHA256 | a1784f65d82eba0b92cf592b0614b760bc02aeb8858951ed8c21e641a0086137
MD5 | 726b47908fedcd55cc90760e4722b488
BLAKE2b-256 | b4dc4816cb721fae4e9d45ad86ff84860d4bb2b157cd26f046af370d30b646fc