grouper-study - Re: [grouper-users] Containerized Grouper and Secrets
- From: Christopher Hubing <>
- To: John Schrader <>
- Cc: Jack Stewart <>, "Hyzer, Chris" <>, "" <>, csp study grouper <>
- Subject: Re: [grouper-users] Containerized Grouper and Secrets
- Date: Mon, 30 Apr 2018 15:39:51 +0000 (UTC)
Good addition to the mix, John. Do you use this feature, and then how do you deploy it? Would you include such secrets in a CloudFormation template or just create them manually, as needed? There is also a 4096-byte limit on each secret, so have lengthy configuration items that contain secrets been a problem?
-c
On Sun, 29 Apr 2018, John Schrader wrote:
This is a great conversation.
For those of us running in the AWS cloud, AWS has released "SecretsManager" [1]. SecretsManager opens up some interesting possibilities for both EC2 instances and containers (tasks) running in ECS.
As a POC, I've created an elConfig class (thanks to Chris for the capability) that retrieves values for hibernate properties from SecretsManager:
hibernate.connection.url.sm.elConfig = ${edu.internet2.middleware.grouperClient.config.SecretsManagerElClass.getSecret('/grouper/dev','url')}
hibernate.connection.url = $$hibernate.connection.url.sm$$
hibernate.connection.username.sm.elConfig = ${edu.internet2.middleware.grouperClient.config.SecretsManagerElClass.getSecret('/grouper/dev','username')}
hibernate.connection.username = $$hibernate.connection.username.sm$$
hibernate.connection.password.sm.elConfig = ${edu.internet2.middleware.grouperClient.config.SecretsManagerElClass.getSecret('/grouper/dev','password')}
hibernate.connection.password = $$hibernate.connection.password.sm$$
Read/Decrypt access to the `/grouper/dev` secret is controlled by the role associated with an EC2 instance or ECS task. Using a role helps with the initial credential bootstrapping and allows for immutability.
-John
[1] https://aws.amazon.com/secrets-manager/
On Thu, Apr 26, 2018 at 1:27 PM, Jack Stewart <> wrote:
Everyone,
Thank you all for your wonderful feedback! I hope the discussion continues.
A few thoughts:
- Although Grouper can run with environment variables, it would take a lot of time to convert, and each major upgrade could possibly be made tricky as a result. Or am I being too paranoid?
- I don't quite see consensus on a clear way forward. All the information presented here has been helpful, though. I will check what others are doing locally.
Jack
--
Jack Stewart
Solutions Architect, Identity and Access Management
University of Michigan
4251 Plymouth Road
Ann Arbor, Michigan 48105-3640
(734) 764-0853
On Apr 26, 2018, at 12:39 PM, Hyzer, Chris <> wrote:
FYI, Grouper config can happen in env vars; also, the sources.xml can be migrated to subject.properties:
https://spaces.internet2.edu/display/Grouper/Grouper+configuration+overlay#Grouperconfigurationoverlay-Environmentvariables
https://spaces.internet2.edu/display/Grouper/Grouper+sources.xml+conversion+to+subject.properties
Thanks
Chris
-----Original Message-----
From: [mailto:] On Behalf Of Christopher Hubing
Sent: Wednesday, April 25, 2018 1:00 PM
To: Jack Stewart <>
Cc: ; csp study grouper <>
Subject: Re: [grouper-users] Containerized Grouper and Secrets
For I2, we are storing secret things in an encrypted S3 bucket. The build host has access to read from it, and then pushes the images to a private Elastic Container Repo. The containers run in ECS.
Here's an example of our Dockerfile for the UI:
https://github.internet2.edu/gist/chubing/c4e663ab5a39fb73dccdcd748a92c5fe
Since the new Grouper container is pushed to Dockerhub (and has tags for patches), it should make it pretty easy to manage (hopefully).
-c
On Wed, 25 Apr 2018, Jack Stewart wrote:
Everyone,
I would like to start out by saying that the new role-based Grouper containers are great! It was very easy to build the images.
Now my question is, what are other schools doing with regard to their Grouper configurations? Are you "burning them into" (storing them in) the containers themselves, or are you using secrets?
Converting an application like Grouper to use secrets would be a LOT of work. Effectively, you would need to convert all of the settings to environment variables. How would you deal with the sources.xml files which, by design, need to be customized?
Many thanks,
Jack
--
Jack Stewart
Solutions Architect, Identity and Access Management
University of Michigan
4251 Plymouth Road
Ann Arbor, Michigan 48105-3640
(734) 764-0853
--
John Schrader
Identity and Access Management
Office of Information Technologies
University of Notre Dame
EVERYTHING SHOULD BE MADE AS SIMPLE AS POSSIBLE, BUT NOT ANY SIMPLER—ALBERT EINSTEIN
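An added illustration tying John's hibernate config above to code (a hypothetical reconstruction, not John's POC class and not Grouper's own code): a Java class matching the name and signature used in those EL expressions, which reads one key out of a JSON secret in AWS Secrets Manager using whatever role the EC2 instance or ECS task runs under. It assumes AWS SDK for Java v1 and Jackson on the classpath; the per-JVM cache and the error handling are my additions.

```java
package edu.internet2.middleware.grouperClient.config;

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import com.amazonaws.services.secretsmanager.AWSSecretsManager;
import com.amazonaws.services.secretsmanager.AWSSecretsManagerClientBuilder;
import com.amazonaws.services.secretsmanager.model.GetSecretValueRequest;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

// Hypothetical reconstruction of the class named in the thread's EL expressions;
// not John's POC code. Requires AWS SDK for Java v1 and Jackson on the classpath.
public final class SecretsManagerElClass {

  // No keys in the image or config: the default credential chain picks up the
  // EC2 instance profile or the ECS task role at runtime.
  private static final AWSSecretsManager CLIENT =
      AWSSecretsManagerClientBuilder.defaultClient();
  private static final ObjectMapper MAPPER = new ObjectMapper();

  // One GetSecretValue call per secret id per JVM. Grouper re-evaluates EL
  // config often, and /grouper/dev holds url, username and password together.
  private static final Map<String, JsonNode> CACHE = new ConcurrentHashMap<>();

  private SecretsManagerElClass() {}

  // Called from grouper.hibernate.properties as
  // ${...SecretsManagerElClass.getSecret('/grouper/dev','password')}
  public static String getSecret(String secretId, String key) {
    JsonNode value = CACHE.computeIfAbsent(secretId, SecretsManagerElClass::fetch).get(key);
    if (value == null || value.isNull()) {
      // Fail at startup rather than leaving hibernate.connection.* empty and
      // surfacing later as an opaque JDBC error.
      throw new IllegalStateException("key '" + key + "' missing in secret " + secretId);
    }
    return value.asText();
  }

  private static JsonNode fetch(String secretId) {
    try {
      String json = CLIENT.getSecretValue(
          new GetSecretValueRequest().withSecretId(secretId)).getSecretString();
      return MAPPER.readTree(json);
    } catch (Exception e) {
      // Usually AccessDeniedException: the instance/task role lacks
      // secretsmanager:GetSecretValue (or kms:Decrypt for a CMK-encrypted secret).
      throw new IllegalStateException("cannot read secret " + secretId, e);
    }
  }
}
```

The secret at `/grouper/dev` is assumed to be a JSON object with `url`, `username` and `password` members, matching the three keys the config above requests.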