aws / credentials-fetcher Goto Github PK

krb.cpp is_ticket_ready_for_renewal() only checks if the ticket renewal expiration is within an hour. I believe the default behavior is the ticket renewal expiration is ~8 days after the actual ticket expiration. This would cause an expired ticket not to be refreshed and possibly provide consumers an expired ticket, since the ticket expired but the refresh expiration has days left. My fork contains a branch that has this fix (The method in my branch is called get_ticket_expiration()). The fix is to actually check the ticket expiration instead. I have not created a PR from this branch since I am waiting for my current active PR to be completed. I updated @smhmhmd about this and will create a PR once the current one is closed.

ProcessCredSpecFile() should have logic like this:

    if ( aws_sm_secret_name.length() != 0 )
    {
        status = get_user_krb_ticket( krb_ticket_info->domain_name,
                                      aws_sm_secret_name, cf_logger );
        krb_ticket_info->domainless_user =
            "awsdomainlessusersecret:"+aws_sm_secret_name;

        if ( status < 0 )
        {
            cf_logger.logger( LOG_ERR, "Error %d: Cannot get usr krb ticket",
                                status );
            delete krb_ticket_info;
           return EXIT_FAILURE;
        }
}
    else
    {
        // invoke to get machine ticket
        status = get_machine_krb_ticket( krb_ticket_info->domain_name, cf_logger );
        if ( status < 0 )
    {
        cf_logger.logger( LOG_ERR, "Error %d: Cannot get machine krb ticket",
                            status );
        delete krb_ticket_info;
           return EXIT_FAILURE;
        }
    }

Support for Alpine Linux would be very beneficial.

Excited about this project launch, it will solve a big problem for us. Thanks!

Mono is currently used to compile the C# code for UTF-16, the task is to use dotnet if it available instead of mono in Linux.

• Have single kerberos ticket associated to duplicate credentialspec

Dockerfile images that contain something of the following so within the container is run as non root user:
RUN adduser -u 5678 --disabled-password --gecos "" appuser && chown -R appuser /app

This will cause the kerberos client inside the container to not have access to the TGT created on the host by credentials-fetcher.

New Issue test

After viewing this blog post from AWS, I came to this repository in order to setup GMSA for Linux containers in AWS ECS. I have had a few problems so far:

1. The README states that credentials-fetcher can be installed onto Amazon Linux 2022 via sudo yum install credentials-fetcher. This is seems incorrect, given that Amazon Linux 2022 uses dnf, not yum, and also that the package isn't available to dnf. Amazon Linux 2 uses yum, and this package isn't available there either.
2. There are several places in the code that use the realm command, which is provided by the realmd package. The realmd package is unavailable in Amazon Linux 2022, removed as per this release documentation from AWS. How is this expected to work in Amazon Linux 2022? I'm assuming that this is actually expected to work on Amazon Linux 2.
3. How is this service expected to be invoked and provide the resulting tickets to a given container? Is the expectation that all containers mount the ticket output directory? If using docker with the credentialspec option, does it invoke this service? How is this usable from an ECS perspective?

Any help or guidance will be greatly appreciated.

Problem
I am compiling this code for ubuntu 18.04 in docker. The artifact compiles fine and i can run it but I am not seeing a socket being created under /var/credentials-fetcher/socket. I am probably missing something obvious. Clearly without a socket, any attempt at using grpc_cli or just using the daemon is impossible.

This is what I see when I run the compiled artifact. I should point, in passing, that i tried setting environment variables (e.g. CF_UNIX_DOMAIN_SOCKET_DIR) and that those don't are not getting applied.

# ./credentials-fetcherd
krb_files_dir = /var/credentials-fetcher/krbdir
logging_dir = /var/credentials-fetcher/logging
unix_socket_dir = /var/credentials-fetcher/socket
Thread 0: top of stack near 0x7f23cbdf4e60; argv_string=grpc_thread
Thread 0: top of stack near 0x7f23cb5f3e60; argv_string=krb_ticket_refresh_thread

Replicating
This is the dockerfile that compiles and builds the artifact for ubuntu 18.04

FROM ubuntu:18.04

RUN apt update \
    && apt full-upgrade -y \
    && apt install -y software-properties-common apt-transport-https dnsutils ldap-utils python3-pip wget git vim \
    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata

# Mono
RUN apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF \
    && echo "deb https://download.mono-project.com/repo/ubuntu $(lsb_release -cs) main" > /etc/apt/sources.list.d/mono-official-stable.list
# CMake
RUN wget -O - https://apt.kitware.com/keys/kitware-archive-latest.asc 2>/dev/null | gpg --dearmor - | tee /usr/share/keyrings/kitware-archive-keyring.gpg >/dev/null \
    && echo "deb [signed-by=/usr/share/keyrings/kitware-archive-keyring.gpg] https://apt.kitware.com/ubuntu/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/kitware.list

RUN apt update \
    && apt install -y libglib2.0-dev libboost-dev libkrb5-dev libsystemd-dev libboost-all-dev libssl-dev \
    && apt install -y cmake mono-complete

RUN cd /root && git clone https://github.com/aws/credentials-fetcher \
    && mkdir -p credentials-fetcher/build \
    && mkdir -p /usr/lib64/glib-2.0/ \
    && ln -s '/usr/lib/x86_64-linux-gnu/glib-2.0/include/' '/usr/lib64/glib-2.0/include' \
    && cd credentials-fetcher/build && cmake ../ && make -j && make install

WORKDIR /root/credentials-fetcher/build
    
CMD ["/bin/bash"]

I'm want to use Credentials-Fetcher in combination with SMB CSI Driver for Kubernetes
https://github.com/kubernetes-csi/csi-driver-smb. Mounting takes place at the worker node level, not inside the pod/container.
That driver currently has no support for pulling updated tickets stored as kubernetes secrets nor refreshing them.
Because of that, I want to use credentials-fetcher to obtain and refresh the kerberos tickets.

To make both work together, I will let the driver go thru its normal process of writing to the hard coded path of
/var/lib/kubelet/kerberos/
but the file it writes into that location (ex: krb5_1000) does not need to be a valid ticket because
/etc/krb5.conf.d/ccache.conf will be configured to point to the credentials-fetcher path of
/var/credentials-fetcher/krbdir/ instead.

As long as credentials-fetcher continues to write into its lease folder structure AND puts a file directly into
/var/credentials-fetcher/krbdir (ex: /var/credentials-fetcher/krbdir/krb5cc_1000), then the mount cifs command will find the valid/refreshed Kerberos ticket and mount.

Note: UID needs to be in the file's name, unlike in the lease subfolders. Ex: krb5_1000, krb5_1001, etc.

Note: I think mechanism could also work for Amazon ECS for mounting CIFS(SMB).

As per this discussion, add keytab support.

It looks possible to extend credentials-fetcher to manipulate keytab files.
Keytab files can be shared with containers just like Kerberos tickets are being shared as of now.
This can be done with non-gMSA accounts as well, as long as password expiry interval is known.
If the password expiry interval is longer than keytab file refresh, this would work fine.

Since the the credential-fetcher renews the gMSA Kerberos Ticket by piping the gMSA password to kinit, if the gMSA password contains an character with a value of 0x0A (i.e. an embedded newline character), then the input to kinit is prematurely aborted and the authentication fails.

credentials-fetcher rpm install requires grpc-cli at the moment

Recent commits have broken Domainless mode functionality but went undetected due to lack of unit tests.

provide read write access to only root and ec2-user on the instance

The logic sets the variable then overrides it later with ECS config:

//snippet where value is retrieved from command line parameters

        case 's':
            cf_daemon.aws_sm_secret_name = optarg;
            std::cout << "Option selected for domainless operation, AWS secrets manager "
                         "secret-name = " << optarg << std::endl;
            break;

//snippet later in function overrides

std::string aws_sm_secret_name = retrieve_secret_from_ecs_config(domainless_gmsa_field);
cf_daemon.aws_sm_secret_name = aws_sm_secret_name;