OpenIDM / OPENIDM-13262

Implement the SecretsPropertyResolver from COMMONS-466


    Details

    • Type: Story
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Component: Module - Configuration

      Description

      COMMONS-466 added a SecretsProperty resolver that looks up a config parameter from the secrets service. It expects a purpose whose label is equal to the property being looked up. For example, looking up the property &{my.property} assumes there is a purpose defined in secrets.json called my.purpose. The purpose will look like this:

          "mappings": [
            {
              "secretId" : "my.purpose",
              "types": [ "GENERIC" ],
              "aliases": [ "some_alias" ]
            }
          ]

      IDM currently does not implement the GENERIC secret type, so that will need to be added as well.

      Currently, config replacement properties are evaluated in two ways:

      1) when a service is activated or modified and the config is passed through the JsonEnhancedConfig, or
      2) when a property is looked up via the IdentityServer class.

      In the second case the most recent secret is always retrieved. In the first case a service could be using an old, stale version of a secret if the secret was rotated after the service was activated or modified; the service keeps using that stale version until it is reactivated or modified again. For this resolver to work with rotated secrets, the config service will have to periodically check for config changes caused by secret rotations and notify the affected services of the change.
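      The following is an added illustration, not IDM or Commons code, of the two evaluation paths and the stale-secret problem described above. It assumes the purpose label equals the name inside &{...}, a constructed secrets.json shaped like the mapping quoted in the ticket, and a constructed alias-to-value store standing in for the secret store.

```python
import copy
import re

# Constructed secrets.json fragment, shaped like the mapping quoted in the ticket.
SECRETS_JSON = {
    "mappings": [
        {"secretId": "my.purpose", "types": ["GENERIC"], "aliases": ["some_alias"]},
        {"secretId": "signing.key", "types": ["SIGNING"], "aliases": ["sig_alias"]},
    ]
}
# Constructed backing store, alias -> secret material (stands in for the secret store).
SECRET_STORE = {"some_alias": "s3cr3t-v1", "sig_alias": "not-generic"}

PROPERTY_REF = re.compile(r"&\{([^}]+)\}")  # the &{...} substitution syntax

def resolve_secret(label, secrets_json, store):
    """Path 2 (lazy): return the current value of the GENERIC purpose labelled `label`."""
    for mapping in secrets_json["mappings"]:
        if mapping["secretId"] == label:
            if "GENERIC" not in mapping["types"]:
                raise ValueError(f"purpose {label!r} is not of type GENERIC")
            return store[mapping["aliases"][0]]  # aliases[0] is the active version
    raise KeyError(f"no purpose {label!r} defined in secrets.json")

def substitute(text, secrets_json, store):
    """Replace every &{label} in a config value with the matching secret."""
    return PROPERTY_REF.sub(lambda m: resolve_secret(m.group(1), secrets_json, store), text)

def rotate(label, new_alias, new_value, secrets_json, store):
    """Rotate a purpose: register new material and make its alias the active one."""
    store[new_alias] = new_value
    for mapping in secrets_json["mappings"]:
        if mapping["secretId"] == label:
            mapping["aliases"].insert(0, new_alias)

class ActivatedService:
    """Path 1 (eager): secrets are substituted once at activation and then cached."""
    def __init__(self, raw_config, secrets_json, store):
        self.config = {k: substitute(v, secrets_json, store) for k, v in raw_config.items()}

def demo():
    """Rotate after activation; the eager copy goes stale while a lazy lookup stays current."""
    secrets_json, store = copy.deepcopy(SECRETS_JSON), dict(SECRET_STORE)
    svc = ActivatedService({"password": "&{my.purpose}"}, secrets_json, store)
    rotate("my.purpose", "some_alias_v2", "s3cr3t-v2", secrets_json, store)
    return {"eager": svc.config["password"],
            "lazy": substitute("&{my.purpose}", secrets_json, store)}

if __name__ == "__main__":
    print(demo())  # {'eager': 's3cr3t-v1', 'lazy': 's3cr3t-v2'}
```

      A service activated through the eager path keeps the pre-rotation value until it is reactivated, which is exactly the gap the periodic rotation check would have to close.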

      People: Brendan Miller (brmiller), Jason Lemay (jason)