Access control to restrict groups of users to specified paths
From @gdenn on October 13, 2017 7:25
Feature Request
Problem
We access the same credhub with multiple users through the credhub cli. But I don't want everyone to see all the variables in the credhub. E.g. we have credentials only relevant for specific Concourse Pipelines, credentials needed by an Administrator for our bosh deployment, or simple credentials that help apps to access their dashboard.
As we are redeploying our bosh from time to time to include new features, it is important to us that the different people can access their passwords without consulting a system administrator. But on the other hand we don't want to expose all credentials to everyone.
Solution
credhub cli could support different user groups. Each group gets, e.g., access to a certain set of credentials that match a prefix. For our Concourse users this prefix would be /concourse.
With the different user groups I could create user accounts with only the access permissions I am comfortable to give.
best
Copied from original issue: cloudfoundry-incubator/credhub-cli#19
Top GitHub Comments
Similar to this, there is an issue where we’d like to allow multiple Concourse teams to self-serve effectively. Giving them the rights to manage their own credentials without accessing other teams’ credentials would be a big step towards achieving that.
Otherwise we have to restrict access to CredHub and there’s a bottleneck in teams wanting to maintain their own pipelines. Credentials then have to be transmitted from different teams to those with access to CredHub which increases the surface area for an attacker trying to steal credentials.
@jagadish-kb If the permissions aren't being respected it's probably because ACLs aren't being enabled. See the spec file for information on how to enable this. Prior to 2.0 this was not enabled by default.
These issues seem to be addressed in CredHub 2.0: you can now specify permissions on namespaces of credentials. See the release notes for more information.
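The prefix model the issue asks for ("everything under /concourse") has one well-known trap: a plain string-prefix comparison also grants /concourse-admin/... to anyone who holds /concourse. The program below is an added example written for this page, not code from the credhub-cli project and not a description of CredHub's own permission schema. The actor names, the operation names, the sample policy and the prefix-per-actor model are all constructed for illustration. It shows a default-deny evaluator that matches namespaces on path-segment boundaries, rejects malformed credential names before matching, and contrasts the result with the naive prefix check for the same inputs.

```go
package main

import (
	"fmt"
	"strings"
)

// Permission grants one actor a set of operations on every credential under a
// namespace prefix. The actor naming, the operation names and the prefix model
// are assumptions made for this example, not CredHub's own permission schema.
type Permission struct {
	Actor      string   // constructed, e.g. "uaa-user:team-a"
	Prefix     string   // namespace such as "/concourse/team-a"
	Operations []string // e.g. "read", "write", "delete"
}

type Policy []Permission

// validName rejects credential names that are not absolute or that contain
// empty or dot segments, so a differently spelled name such as
// "/concourse//team-b/x" or "concourse/x" cannot slip past prefix matching.
func validName(cred string) bool {
	if !strings.HasPrefix(cred, "/") || len(cred) < 2 {
		return false
	}
	for _, seg := range strings.Split(cred[1:], "/") {
		if seg == "" || seg == "." || seg == ".." {
			return false
		}
	}
	return true
}

// naiveMatch is the tempting implementation of "access everything under a
// prefix": plain string comparison. It over-grants, because the prefix
// "/concourse" also matches "/concourse-admin/root-ca".
func naiveMatch(prefix, cred string) bool {
	return strings.HasPrefix(cred, prefix)
}

// matchNamespace compares on path-segment boundaries: the credential is the
// namespace itself or lies strictly below it. "/concourse" therefore covers
// "/concourse/team-a/key" but not "/concourse-admin/root-ca".
func matchNamespace(prefix, cred string) bool {
	if prefix == "/" {
		return true
	}
	prefix = strings.TrimSuffix(prefix, "/")
	return cred == prefix || strings.HasPrefix(cred, prefix+"/")
}

// Allowed answers "may actor perform op on cred?". Default deny: the name must
// be well formed and some permission must match on actor, namespace and op.
func (p Policy) Allowed(actor, cred, op string) bool {
	if !validName(cred) {
		return false
	}
	for _, perm := range p {
		if perm.Actor != actor || !matchNamespace(perm.Prefix, cred) {
			continue
		}
		for _, o := range perm.Operations {
			if o == op {
				return true
			}
		}
	}
	return false
}

// SamplePolicy is a constructed example of the split the issue asks for: each
// Concourse team manages its own subtree, the Concourse client can only read
// across all of them, and the BOSH admin owns a separate namespace.
func SamplePolicy() Policy {
	return Policy{
		{Actor: "uaa-user:team-a", Prefix: "/concourse/team-a", Operations: []string{"read", "write"}},
		{Actor: "uaa-user:team-b", Prefix: "/concourse/team-b", Operations: []string{"read", "write"}},
		{Actor: "uaa-client:concourse", Prefix: "/concourse", Operations: []string{"read"}},
		{Actor: "uaa-user:bosh-admin", Prefix: "/bosh", Operations: []string{"read", "write", "delete"}},
	}
}

func main() {
	p := SamplePolicy()
	checks := []struct{ actor, cred, op string }{
		{"uaa-user:team-a", "/concourse/team-a/git-key", "read"},
		{"uaa-user:team-a", "/concourse/team-b/git-key", "read"},
		{"uaa-client:concourse", "/concourse/team-b/git-key", "read"},
		{"uaa-client:concourse", "/concourse-admin/root-ca", "read"},
	}
	for _, c := range checks {
		fmt.Printf("%-22s %-6s %-28s -> %v\n", c.actor, c.op, c.cred, p.Allowed(c.actor, c.cred, c.op))
	}
	fmt.Println("naive prefix match over-grants:", naiveMatch("/concourse", "/concourse-admin/root-ca"))
}
```

Whatever the real permission store looks like, the two properties worth keeping from this sketch are the segment-boundary match (so a sibling namespace that merely shares a string prefix is not granted) and the name validation before matching (so nobody can reach a credential through a second spelling of its name).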