-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathhtgettoken.1
409 lines (399 loc) · 11.8 KB
/
htgettoken.1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
.TH htgettoken 1
.SH NAME
htgettoken \- get OIDC bearer tokens by interacting with Hashicorp vault
.SH SYNOPSIS
.B htgettoken
.RI [ OPTION ]...
.SH DESCRIPTION
.B htgettoken
gets OIDC bearer tokens by interacting with a Hashicorp vault server
configured for retrieving and storing OIDC refresh tokens. By default
it attempts to authenticate first using kerberos if it is available,
next tries using ssh-agent if it is available, and if neither
enables reading a bearer token then it uses OIDC authentication
including directing users to their web browsers to complete the
authentication. If that authentication is successful,
.B htgettoken
accepts the refresh token (which is only usable with the client secret
known only to vault) and stores it back into an oauth secrets path in
vault. It then reads back from the same secrets path to retrieve a
bearer access token and stores that in a file. A vault token is also
stored in a file so authentication doesn't have to be redone every time.
By default the vault token lasts a week.
.SH OPTIONS
.PP
.TP
.B \-\-version
Show the program's version number and exit.
.TP
.BR \-h , \ \-\-help
Show a help message and exit.
.TP
.BR \-v , \ \-\-verbose
Show detailed progress reports instead of the default concise reports.
Reports are sent to stdout unless
.I \-\-vaulttokenfile
is /dev/stdout or
.I \-\-showbearerurl is enabled; in those cases reports are sent to stderr.
.TP
.BR \-d , \ \-\-debug
Shows debug reports. Implies
.IR \-v .
Be aware that this writes a lot of output.
.TP
.BR \-q , \ \-\-quiet
Do not output any progress reports or error messages.
.TP
.BR \-s\ HostOrURL , \ \-\-optserver=HostOrURL
The server host name or URL with default htgettoken options. If it is
just a host name, the URL read is
.RS
.RS
https://hostname/htgettokenopts.txt
.RE
otherwise the whole URL is read.
See also HTGETTOKENOPTS in the ENVIRONMENT section below.
.RE
.TP
.BR \-a\ HostOrURL , \ \-\-vaultserver=HostOrURL
The vault server name or URL. If it is just a host name, the URL
read is
.RS
.RS
https://hostname:8200
.RE
otherwise the whole URL is used. This is the only required option.
.RE
.TP
.BR \-\-vaultalias=HostOrURL
The vault cluster name. This is mainly useful for debugging,
for example when multiple vault servers in a cluster are serving the
same name and the address of a single server is supplied with
.IR \-\-vaultserver .
The
.I \-\-vaultalias
is then used when communicating with the name defined in the cluster,
for example for kerberos. Default is the same as
.IR \-\-vaultserver .
.TP
.BR \-\-vaultcertname=Host
The vault https certficate name. This is mainly useful when testing
and the name in the host certificate does not match the name used to
access the server. Default is the same as the host name part of
.IR \-\-vaultserver .
.TP
.BR \-i\ issuername , \ \-\-issuer=issuername
The name of the OIDC token issuer, as configured in the vault server.
The default issuer name is "default".
.TP
.BR \-r\ rolename , \ \-\-role=rolename
The name of the issuer role, as configured in the vault server. The
default role name is "default". Different roles for the same issuer
map to different token scopes as configured in vault.
.TP
.BR \ \-\-nokerberos
Do not attempt to use kerberos authentication.
.TP
.BR \-\-kerbpath=vaultpath
The path in vault for kerberos authentication. The default is
.RS
.RS
auth/kerberos-%issuer_%role
.RE
.RE
.TP
.BR \-\-kerbprincipal=principal
Principal to use for kerberos authentication. The principal has to be
among those cached on the current machine when a cache collection is
available, for example when $KRB5CCNAME begins with "DIR:". The default
is the currently selected principal. See the
.B kswitch
command and the "-l" option of the
.B klist
command for more information.
.TP
.BR \ \-\-nooidc
Do not attempt to do OIDC authentication.
.TP
.BR \-\-oidcpath=vaultpath
The path in vault for doing OIDC authentication. The default is
.RS
.RS
auth/oidc-%issuer/oidc
.RE
where %issuer is the value from the
.I \-\-issuer
option.
.RE
.TP
.BR \ \-\-nossh
Do not attempt to do ssh-agent authentication.
.TP
.BR \-\-sshpath=vaultpath
The path in vault for doing ssh-agent authentication. The default is
.RS
.RS
auth/ssh
.RE
.RE
.TP
.BR \ \-\-registerssh
Register all public keys available from
.B ssh-agent
with vault for future use. This forces OIDC authentication even if a
valid vault token is already available and does the normal OIDC flow and
then registers the public keys before storing the vault token and access
token. Must be allowed in the configuration of the vault server in
order to work.
.TP
.BR \-c\ path , \ \-\-configdir=path
The path to a directory to save
.B htgettoken
configuration information.
.TP
.BR \-\-credkey=key
The key to use in the vault secretpath (see next option) when accessing
the bearer token. Normally this is read from OIDC authentication and
automatically stored in a file to be used by later invocations of
.BR htgettoken .
The name of the file that the key is stored in when
.I \-\-credkey
is
.B not
specified on the command line is
.RS
.RS
%configdir/credkey-%issuer-%role
.RE
where each of the % variables are replaced by the values of the
corresponding options.
.RE
.TP
.BR \-\-secretpath=vaultpath
The path in vault for accessing the bearer token. The default is
.RS
.RS
secret/oauth-%issuer/creds/%credkey:%role
.RE
where each of the % variables are replaced by the values of the
corresponding options.
.RE
.TP
.B \-\-vaulttokenttl=time
The time for vault tokens to live before they expire. The time is a
number followed by 's' for seconds, 'm' for minutes, 'h' for hours,
or 'd' for days. The maximum is determined by the vault configuration
which is typically '28d'. The default is '7d'.
.TP
.B \-\-vaulttokenminttl=time
The minimum allowed time remaining in the lifetime of an existing vault
token before it expires. If there is not enough time remaining it will
not be reused and a new one will be obtained instead. The time is a
number followed by 's' for seconds, 'm' for minutes, 'h' for hours,
or 'd' for days. Must be less than the value of
.IR \-\-vaulttokenttl .
The default is no minimum.
.TP
.BR \-\-vaulttokenfile=path
The path to save vault tokens. If the value of
.I \-\-vaultokenttl
is 1 million seconds or less (about 11.5 days), then the default is
.RS
.RS
/tmp/vt_u%uid
.RE
otherwise it is /dev/stdout. If the path contains %uid it is replaced
with the current effective user id. If the value of
.I \-\-vaultokenttl
is greater than 1 million seconds then the path is required to start
with /dev/std or /dev/fd in order to adhere to IGTF security policies
requiring user credentials that last longer than that to not be stored
unencrypted.
.RE
.TP
.B \-\-vaulttokeninfile=path
The path to read vault tokens from. Defaults to %vaulttokenfile which
is replaced by the value of the
.I \-\-vaulttokenfile
option. May contain %uid which is replaced with the current effective
user id. If the path starts with /dev/std or /dev/fd then the incoming
vault token is exchanged for a new one with the requested ttl (or the
time remaining on the incoming token if that is less). In this way a
script can request a long duration token, never store it on disk, and
exchange it for a shorter duration token by calling htgettoken again.
.TP
.B \-\-showbearerurl
Print the full vault API bearer token URL to stdout. This is intended
for easy use by a separate application that always has a valid vault
token and only needs to be able to get new bearer tokens and doesn't
need the rest of the
.B htgettoken
functionality.
.TP
.B \-\-nobearertoken
Skip getting a bearer token; only get a vault token.
.TP
.BR \-o\ path , \ \-\-out=path
The path of the file used to store the bearer token on the local
machine. The default is $BEARER_TOKEN_FILE. If that is not set
but $XDG_RUNTIME_DIR is set, then the default is
.RS
.RS
$XDG_RUNTIME_DIR/bt_u%uid
.RE
where %uid is the current effective user id.
.br
If $XDG_RUNTIME_DIR is also not set, then the default is
.RS
/tmp/bt_u%uid
.RE
.RE
.TP
.B \-\-minsecs=seconds
The minimum number of seconds before a cached bearer token in vault
expires in order to reuse it instead of fetching a new one.
This feature is intended to reduce the load on token issuers while
leaving enough time for a token to still be usable.
The default is 60.
.TP
.B \-\-scopes=scopes
A comma- or space-separated list of scopes to request for a bearer token.
This should be a subset of the scopes that come by default in the token.
It uses token exchange with the token issuer, and the result is not cached
in vault; instead, vault exchanges the cached token for the new one.
.TP
.B \-\-audience=audience
A comma- or space-separated list of more restricted audiences for the token.
Like the
.I \-\-scopes
option, this uses token exchange with the token issuer.
.TP
.B \-\-cafile=file
The path to a file containing a bundle of Certifying Authority (CA)
certificates.
These will be used to verify the validity of https connections.
The default is
.RS
.RS
/etc/pki/tls/cert.pem
.RE
or, if that doesn't exist, the default is
.RS
/etc/ssl/certs/ca-certificates.crt
.RE
.RE
.TP
.B \-\-capath=path
The path to a directory containing Certifying Authority (CA) certificates.
These will be used in addition to the
.I \-\-cafile
certificates to verify the validity of https connections.
The default is $X509_CERT_DIR if it is set, or otherwise the default is
.RS
.RS
/etc/grid-security/certificates
.RE
.RE
.TP
.B \-\-web-open-command=command
The command to run to open a web URL. The default is no command if
$SSH_CLIENT is set, otherwise the default is
.BR xdg-open .
If no command is defined then the user will be prompted to open the
URL manually. See also the BROWSER environment variable below.
.SH "ENVIRONMENT"
The following optional environment variables affect the operation of
.BR htgettoken .
.TP
.B "BEARER_TOKEN_FILE"
Default location for the bearer token on the local disk.
For more details see the
.I \-\-outfile
option.
.TP
.B "BROWSER"
Colon-separated list of web browsers that
.B xdg-open
will attempt to invoke if it is the selected web open command.
The default is no browser if the DISPLAY
environment variable is not set; otherwise, the default is a list of
common web browsers as defined by the xdg-open command, excluding
those that are command-line only.
.TP
.B "HTGETTOKENOPTS"
Default options. These options override any conflicting options from
the optserver, but are overridden by any conflicting options from the
command line.
.TP
.B "KRB5CCNAME"
Location of a kerberos 5 credentials (ticket) cache.
.TP
.B "SSH_AUTH_SOCK"
If set, points to a socket that can be used to communicate with
.BR ssh-agent .
This is automatically created by
.B ssh-agent
and can be automatically forwarded by
.B ssh
with a "ForwardAgent=yes" option. To add a key to the agent use
.BR ssh-add .
.TP
.B "SSH_CLIENT"
If set, there is no default web open command. If not set, the default
web open command is
.BR xdg-open .
.TP
.B "XDG_RUNTIME_DIR"
Default directory for the bearer token if $BEARER_TOKEN_FILE is not set.
For more details see the
.I \-\-outfile
option.
.TP
.B "X509_CERT_DIR"
Default directory for CA certificates. See also the
.I \-\-capath
option.
.SH EXAMPLES
.PP
To get a new access token for an issuer called "dune" from a vault
server while showing all intermediate steps:
.PP
.RS
.nf
htgettoken -v -a htvault.example.com -i dune
.fi
.RE
.PP
To read default options from a server (which includes an issuer and
vault server and possibly other options) while choosing the "prod"
role:
.PP
.RS
.nf
htgettoken -s htduneopts.fnal.gov -r prod
.fi
.RE
.PP
To always have a default vault address:
.PP
.RS
.nf
export HTGETTOKENOPTS="-a htvault.example.com"
.fi
.RE
.SH "EXIT VALUES"
.TP
.B 0
Success
.TP
.B 1
All fatal errors other than usage errors
.TP
.B 2
Usage error
.SH AUTHOR
Dave Dykstra
.SH COPYRIGHT
Copyright \(co 2020 Fermi National Accelerator Laboratory
.SH "SEE ALSO"
htdecodetoken(1), htdestroytoken(1), httokensh(1)