OpenIDM / OPENIDM-13262

Implement the SecretsPropertyResolver from COMMONS-466

    Details

    • Type: Story
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Module - Configuration
    • Labels:

      Description

      COMMONS-466 added a SecretsProperty resolver that will look up a config parameter from the secrets service. It is expected that there will be a purpose with a label that is equal to the property being looked up. For example, looking up the property &{my.property} assumes there will be a purpose defined in secrets.json called my.purpose. The purpose will look like this:

              "mappings": [
                {
                  "secretId" : "my.purpose",
                  "types": [ "GENERIC" ],
                  "aliases": [ "some_alias" ]
                }
              ]

      IDM currently does not implement the GENERIC secret type, so that will need to be added as well.

      Currently, config replacement properties are evaluated in two ways:

      1) when a service is activated or modified and the config is passed through the JsonEnhancedConfig, or
      2) when a property is looked up via the IdentityServer class.

      In the second case the most recent secret will always be retrieved. In the first case the services could be using an old, stale version of a secret if the secret was rotated after the service was activated or modified. The service will continue to use this stale version of the secret until the service is reactivated or modified. For this resolver to work for rotated secrets, the config service will have to periodically check for config changes due to secret rotations and notify the services of the change.
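      The following is an added example, not code from OpenIDM or the ForgeRock commons project, that models the behaviour described above in plain Python: &{name} placeholders in a config are resolved against a secrets.json-style mapping whose secretId equals the property name and whose type must be GENERIC; a service takes a resolved snapshot at activation (the JsonEnhancedConfig path), an on-demand lookup always sees the current secret (the IdentityServer path), and a periodic checker re-resolves the config and notifies the service when a rotation changed it. The class and function names (SecretStore, resolve_config, ConfigWatcher), the alias-ordering rule and the secret values are all assumptions made for the illustration.

```python
"""Toy model of a secrets-backed property resolver (added example, not OpenIDM or
commons code). SecretStore, resolve_config and ConfigWatcher are hypothetical names
that only illustrate the behaviour described in the issue."""
import copy
import hashlib
import json
import re
from typing import Any

PLACEHOLDER = re.compile(r"&\{([^}]+)\}")

# Constructed secrets.json fragment: one purpose per config property name.
SECRETS_JSON = json.loads("""
{
  "mappings": [
    {"secretId": "my.property", "types": ["GENERIC"], "aliases": ["my_alias"]},
    {"secretId": "db.password", "types": ["PASSWORD"], "aliases": ["db_alias"]}
  ]
}
""")


class SecretStore:
    """Hypothetical stand-in for the secrets service: alias -> secret value, with rotation."""

    def __init__(self, mappings: list, values: dict):
        # purpose label (secretId) -> mapping entry; copied so rotation never mutates the input
        self.purposes = {m["secretId"]: m for m in copy.deepcopy(mappings)}
        self.values = dict(values)  # alias -> current secret value

    def lookup(self, purpose: str) -> str:
        """Return the active secret for a purpose; only GENERIC-typed purposes resolve here."""
        mapping = self.purposes.get(purpose)
        if mapping is None:
            raise KeyError(f"no purpose {purpose!r} in secrets.json")
        if "GENERIC" not in mapping["types"]:
            raise TypeError(f"purpose {purpose!r} is not of type GENERIC")
        active_alias = mapping["aliases"][0]  # assumption: first alias is the active one
        return self.values[active_alias]

    def rotate(self, purpose: str, new_alias: str, new_value: str) -> None:
        """Rotate a secret: the new alias becomes active, older aliases are kept."""
        self.values[new_alias] = new_value
        self.purposes[purpose]["aliases"].insert(0, new_alias)


def resolve_value(text: str, store: SecretStore) -> str:
    """Replace every &{name} in a string with the secret whose purpose label is name."""
    return PLACEHOLDER.sub(lambda m: store.lookup(m.group(1)), text)


def resolve_config(config: Any, store: SecretStore) -> Any:
    """Walk a parsed JSON config and resolve placeholders in every string (a snapshot, as JsonEnhancedConfig would)."""
    if isinstance(config, dict):
        return {k: resolve_config(v, store) for k, v in config.items()}
    if isinstance(config, list):
        return [resolve_config(v, store) for v in config]
    if isinstance(config, str):
        return resolve_value(config, store)
    return config


def config_fingerprint(resolved: Any) -> str:
    """Stable hash of a resolved config so a periodic checker can detect rotation-driven changes."""
    return hashlib.sha256(json.dumps(resolved, sort_keys=True).encode()).hexdigest()


class ConfigWatcher:
    """Models the periodic check the issue asks for: re-resolve, and notify if the result changed."""

    def __init__(self, raw_config: dict, store: SecretStore, on_change):
        self.raw_config = raw_config
        self.store = store
        self.on_change = on_change
        self.snapshot = resolve_config(raw_config, store)  # what the service received at activation
        self.fingerprint = config_fingerprint(self.snapshot)

    def check(self) -> bool:
        """Return True (and notify the service) when a secret rotation changed the resolved config."""
        current = resolve_config(self.raw_config, self.store)
        fp = config_fingerprint(current)
        if fp == self.fingerprint:
            return False
        self.snapshot, self.fingerprint = current, fp
        self.on_change(current)
        return True


def demo() -> dict:
    """Activation, rotation, stale snapshot vs. fresh lookup, then the periodic check."""
    store = SecretStore(SECRETS_JSON["mappings"], {"my_alias": "s3cret-v1", "db_alias": "pw-v1"})
    raw = {"apiKey": "&{my.property}", "url": "https://example.invalid/api"}  # constructed config
    notified = []
    watcher = ConfigWatcher(raw, store, notified.append)
    at_activation = watcher.snapshot["apiKey"]
    store.rotate("my.property", "my_alias_v2", "s3cret-v2")
    stale = watcher.snapshot["apiKey"]              # path 1: snapshot taken at activation, not refreshed
    fresh = resolve_value("&{my.property}", store)  # path 2: on-demand lookup sees the rotated secret
    changed = watcher.check()                        # the periodic check proposed in the issue
    return {"at_activation": at_activation, "stale": stale, "fresh": fresh, "changed": changed,
            "notified": len(notified), "after_check": watcher.snapshot["apiKey"]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

      Running demo() shows the gap the issue describes: the activation snapshot still holds the pre-rotation value while the on-demand lookup returns the rotated one, and only the watcher's re-resolution brings the snapshot back in line and fires the notification.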


            People

            • Assignee:
              brmiller Brendan Miller
              Reporter:
              jason Jason Lemay