brooklyn-dev mailing list archives

From "david bush (JIRA)" <j...@apache.org>
Subject [jira] [Created] (BROOKLYN-277) Add support for 'path within value' in org.apache.brooklyn.core.config.external.vault
Date Mon, 23 May 2016 10:34:12 GMT
david bush created BROOKLYN-277:
-----------------------------------

             Summary: Add support for 'path within value' in org.apache.brooklyn.core.config.external.vault
                 Key: BROOKLYN-277
                 URL: https://issues.apache.org/jira/browse/BROOKLYN-277
             Project: Brooklyn
          Issue Type: New Feature
            Reporter: david bush


Vault stores credentials as key/value pairs under specific directories.  It also has a design
feature whereby writing a new K/V to an existing location overwrites any existing K/Vs.  This
means maintaining several sets of credentials becomes difficult and risky as all have to be
read, modified, written back together (currently a manual job).

In order to address this in the simplest manner the proposed change is to allow the path to
be specified in `$brooklyn:external`.

Currently the path is set and a global key of 'vault' used in the credential: 
```
brooklyn.external.vault.path=secret/amp
somecred.identity = $brooklyn:external("vault", "uniquekey")
```

Proposed:
```
brooklyn.external.vault.path=secret/amp
somecred.identity = $brooklyn:external("vault","path/within/vault/uniquekey")
```
e.g. `aws.identity = $brooklyn:external("vault","aws/username")`

So, AMP would read the value of key `username` from location `secret/amp/aws`.  This should allow
granular maintenance of credentials with much lower risk.




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
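
The following is an added illustration of the proposal in this message. It is not Brooklyn or Vault code and does not come from the reporter. It models the overwrite-on-write behaviour described above in memory and shows how a value such as `aws/username` would map to a location and a key. The names `FakeVault`, `split_path_within_value` and `resolve` are hypothetical, the credential values are constructed, and rejecting empty, `.` and `..` segments is an assumption of this example, not something the issue specifies.

```python
# Added illustration: in-memory model, not Brooklyn or Vault code.

class FakeVault:
    """Models the write behaviour the message describes: a write to a
    location replaces every key/value already stored there."""
    def __init__(self):
        self._store = {}

    def write(self, location, data):
        self._store[location] = dict(data)   # whole-location overwrite

    def read(self, location):
        return dict(self._store.get(location, {}))


def split_path_within_value(base_path, value):
    """Hypothetical helper: 'aws/username' under 'secret/amp' ->
    ('secret/amp/aws', 'username'). A bare key keeps today's behaviour."""
    segments = value.split("/")
    # Assumption of this example: reject empty, '.' and '..' segments so a
    # value cannot address a location outside the configured base path.
    if any(s in ("", ".", "..") for s in segments):
        raise ValueError("invalid path within value: %r" % value)
    *sub_path, key = segments
    location = "/".join([base_path.rstrip("/")] + sub_path)
    return location, key


def resolve(vault, base_path, value):
    location, key = split_path_within_value(base_path, value)
    return vault.read(location)[key]


def demo():
    vault = FakeVault()
    base = "secret/amp"
    # Current layout: every credential shares one location, so adding one
    # key without read-modify-write drops the others.
    vault.write(base, {"aws-username": "constructed-aws-id"})
    vault.write(base, {"gce-username": "constructed-gce-id"})
    flat_keys = sorted(vault.read(base))
    # Proposed layout: one location per credential set.
    vault.write(base + "/aws", {"username": "constructed-aws-id"})
    vault.write(base + "/gce", {"username": "constructed-gce-id"})
    return flat_keys, resolve(vault, base, "aws/username")
```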
