grouper-study - Re: [grouper-users] Containerized Grouper and Secrets
- From: John Gasper <>
- To: Jack Stewart <>
- Cc: John Schrader <>, "Hyzer, Chris" <>, Christopher Hubing <>, "" <>, csp study grouper <>
- Subject: Re: [grouper-users] Containerized Grouper and Secrets
- Date: Wed, 09 May 2018 20:44:13 -0700
Hi Jack,

We’ve got lots of variables at play here.

First, Docker Swarm (which is the TIER reference), K8, AWS ECS, etc. all handle Docker Secrets and Configs differently.

Second, grouper configs (and embedded secrets) are everywhere… grouper.hibernate.properties, subject.properties, sources.xml, ldap.properties, grouper-loader.properties. Ideally, we could just pass in grouper database settings and all the other info would come from the database. Done!

Third, (I’ve deployed many Grouper deployments) everyone is really different. Multiple subject sources, multiple loader sources, many provisioning targets… There are a lot of combinations, and anything other than a very simple env necessarily requires modifying many of the previously mentioned files. It can’t be templated very easily. I’m working with a client right now who has duplicated subject, loader, and provisioning targets with differing connection strings, connection account credentials, base DNs, etc. So almost none of the config is baked into the image because everything changes between test and prod, and it is all stored in Docker Secrets and Configs.

Here’s a sample of their Swarm secrets and configs:

    $ docker secret ls
    ID                          NAME                           DRIVER   CREATED       UPDATED
    i8vczzgpxfx29i0nxmgt6tls9   grouper-loader-2.properties             7 days ago    7 days ago
    p6g3inpg9jh0zwqbvz38fzcmf   grouper-loader.properties               13 days ago   13 days ago
    vdmz5t01itc3kuk35hnchbecr   grouper.hibernate.properties            2 weeks ago   2 weeks ago
    n69ag5l04jbcz6vv6g5ut76vq   host-key.pem                            2 weeks ago   2 weeks ago
    pf1wnp97ioaiv1m9ykq0qnh7r   ldap-2.xml                              7 days ago    7 days ago
    tzzi9tbxm1voeiyjsf6pc9lcw   ldap.xml                                12 days ago   12 days ago
    jdvlchztqj270koxd1t0m8znr   sp-key.pem                              13 days ago   13 days ago
    uncnezdbqrs41fqd02dntn970   subject-2.properties                    5 days ago    5 days ago
    zvpgp9iztfcslpjxj4wgt5twy   subject-3.properties                    5 days ago    5 days ago
    2z2jrwxneq5a9epr2ikhz37el   subject.properties                      13 days ago   13 days ago

    $ docker config ls
    ID                          NAME                           CREATED       UPDATED
    e81oi8bo91g2pzffai4ptqhb2   host-cert.pem                  2 weeks ago   2 weeks ago
    kxmw0mvrcslgr5q31h8iztea9   shibboleth2.xml                13 days ago   13 days ago
    lmw7n0ya1apuau9h1hrg7rk49   sp-cert.pem                    13 days ago   13 days ago

You’ll notice that some of the items are “versioned”. Swarm doesn’t let you update secrets themselves. You add new ones and update the service to drop the old secret and re-map the new. That may sound painful, but being able to call “docker service rollback ui” and have it revert your configs is pretty cool.

I’ve been building a Kubernetes deployment config. Check my next email to the list for details about that. But K8’s secrets and configs are more flexible in some regards and a pain in the butt in others. It expects to set the config files of the entire directory… heaven forbid you don’t want to wipe out the other files in classes/ or conf/. You have to jump through some hurdles to replace only one file at a time… And don’t you dare try to map something into /run/secrets (where Docker Swarm does it), it freaks out. You have to map them into /var/run/secrets/ which gets linked back to /run/secrets.

BTW, this all took me about 4 or 5 hours to figure out as it isn’t well documented… (Most K8 people don’t have to worry about using /run/secrets, but we are working with Swarm as the primary target and that is what it does.)

So I think the cleaner solution is for someone at Global Summit to buy the Grouper dev team breakfast, lunch, and dinner tomorrow and ask them to centralize the configs into the database. Yes, this has problems too, but it’s a step in the right direction.
From: <> on behalf of Jack Stewart <>

Everyone,

Again, this is a great discussion! I guess I've been stepping around this question, but I'll ask it directly: when will the Grouper containers be delivered by TIER in such a way that the configuration files and/or individual configuration parameters can easily be converted to secrets? I've been trying to make the point that if we have to tear into every one of the Grouper configuration files and convert them over to our secrets management system, even if it's only during major upgrades, that's a lot of work. I recently heard that the Grouper containers would be made to be more "Kubernetes friendly" soon. Is this what was meant?

Thanks,
Jack

On Mon, May 7, 2018 at 12:21 PM, John Gasper <> wrote:
-- Jack Stewart Solutions Architect, Identity and Access Management University of Michigan 4251 Plymouth Road Ann Arbor, Michigan 48105-3640 (734) 764-0853 |
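The Kubernetes "replace only one file at a time" and "/var/run/secrets, not /run/secrets" points in John's message, as an added example that is not part of the thread and not the TIER Grouper project's own deployment config. It assumes a hypothetical image name, that the image reads its configs from /opt/grouper/conf (an assumption, not confirmed by the thread), and uses versioned Secret/ConfigMap names in the same spirit as the Swarm listing above; every credential value is a placeholder.

```yaml
# Added example (not from the original thread or the TIER Grouper project).
# Assumptions: config directory /opt/grouper/conf, image name, and the
# Secret/ConfigMap names are all hypothetical; credentials are placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: grouper-secrets-v2      # versioned name: a new object per rotation, as with Swarm
type: Opaque
stringData:
  grouper.hibernate.properties: |
    hibernate.connection.url = jdbc:mysql://db.example.org:3306/grouper
    hibernate.connection.username = grouper
    hibernate.connection.password = CHANGEME-placeholder
  subject.properties: |
    # placeholder: the real subject-source connection settings and bind credentials go here
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: grouper-configs-v2      # non-secret files go in a ConfigMap, like "docker config"
data:
  grouper-loader.properties: |
    # placeholder: loader settings that carry no credentials
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: grouper-ui
spec:
  replicas: 1
  selector:
    matchLabels:
      app: grouper-ui
  template:
    metadata:
      labels:
        app: grouper-ui
    spec:
      volumes:
        - name: grouper-secrets
          secret:
            secretName: grouper-secrets-v2
            defaultMode: 0400         # files readable by the container user only
        - name: grouper-configs
          configMap:
            name: grouper-configs-v2
      containers:
        - name: grouper-ui
          image: example.org/grouper-ui:placeholder   # hypothetical image
          volumeMounts:
            # subPath mounts drop in exactly one file each, so the other files
            # the image ships in /opt/grouper/conf are left untouched.
            - name: grouper-secrets
              mountPath: /opt/grouper/conf/grouper.hibernate.properties
              subPath: grouper.hibernate.properties
              readOnly: true
            - name: grouper-secrets
              mountPath: /opt/grouper/conf/subject.properties
              subPath: subject.properties
              readOnly: true
            - name: grouper-configs
              mountPath: /opt/grouper/conf/grouper-loader.properties
              subPath: grouper-loader.properties
              readOnly: true
            # Whole-directory view of the same Secret for anything that expects
            # the Swarm-style layout: mounted under /var/run/secrets (which the
            # thread reports is linked back to /run/secrets), not /run/secrets.
            - name: grouper-secrets
              mountPath: /var/run/secrets/grouper
              readOnly: true
```

Two practitioner notes on this layout. A file mounted via subPath does not pick up later changes to the Secret or ConfigMap, so a rotation really does require a new versioned object plus a Deployment update, which is the same discipline Swarm forces; the upside is that `kubectl rollout undo deployment/grouper-ui` then plays the role of `docker service rollback ui`. And keeping the credential-bearing files in a Secret while the rest of the properties live in a ConfigMap lets RBAC restrict who can read the former without also hiding the latter.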