
Implement the SecretsPropertyResolver from COMMONS-466



    • Type: Story
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Component: Module - Configuration


      COMMONS-466 added a SecretsProperty resolver that will look up a config parameter from the secrets service. It is expected that there will be a purpose with a label that is equal to the property being looked up. For example, looking up the property


      assumes there will be a purpose defined in the secrets.json called


      . The purpose will look like this

              "mappings": [
                  {
                      "secretId": "my.purpose",
                      "types": [ "GENERIC" ],
                      "aliases": [ "some_alias" ]
                  }
              ]

      IDM currently does not implement the GENERIC secret type, so that will need to be added as well.

      Currently, config replacement properties are evaluated in two ways:

      1) when a service is activated or modified and the config is passed through the JsonEnhancedConfig, or
      2) when a property is looked up via the IdentityServer class.

      In the second case the most recent secret will always be retrieved. In the first case the services could be using an old, stale version of a secret if the secret was rotated after the service was activated or modified. The service will continue to use this stale version of the secret until it is reactivated or modified. For this resolver to work with rotated secrets, the config service will have to periodically check for config changes caused by secret rotations and notify the affected services of the change.
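      The two evaluation paths and the stale-secret problem, as an added illustration that is not OpenIDM's code: a Python model in which a service snapshots its resolved config at activation while an on-demand lookup resolves at call time, followed by the periodic rotation check the description calls for. The `&{purpose}` placeholder syntax, the `SECRETS` map standing in for the secrets service, and all names here are assumptions.

```python
import re

# Constructed stand-in for the secrets service: purpose label -> current GENERIC secret value.
# In IDM the purpose is defined in secrets.json via secretId/types/aliases (see the mapping above).
SECRETS = {"my.purpose": "v1-password"}

# Assumed substitution syntax: a config value such as "&{my.purpose}" names the purpose to resolve.
PLACEHOLDER = re.compile(r"&\{([^}]+)\}")


def resolve(config):
    """Resolver behaviour: replace every &{purpose} placeholder with the secret's current value."""
    def sub(value):
        if isinstance(value, str):
            return PLACEHOLDER.sub(lambda m: SECRETS[m.group(1)], value)
        if isinstance(value, dict):
            return {k: sub(v) for k, v in value.items()}
        return value
    return sub(config)


class Service:
    """Path 1: config is resolved once at activation and held, so it can go stale after rotation."""
    def __init__(self, raw_config):
        self.raw = raw_config
        self.activate()

    def activate(self):
        self.config = resolve(self.raw)

    def password(self):
        return self.config["password"]


def lookup(raw_config, key):
    """Path 2: IdentityServer-style lookup resolves at call time, so it always sees the latest secret."""
    return resolve(raw_config)[key]


def check_for_rotation(services):
    """Periodic check: re-resolve each service's config and re-activate it when the result changed."""
    changed = [s for s in services if resolve(s.raw) != s.config]
    for s in changed:
        s.activate()
    return changed


def demo():
    SECRETS["my.purpose"] = "v1-password"       # reset constructed state
    raw = {"password": "&{my.purpose}"}
    svc = Service(raw)                          # activated while the secret is v1
    SECRETS["my.purpose"] = "v2-password"       # secret rotated after activation
    stale = svc.password()                      # path 1 still holds v1
    fresh = lookup(raw, "password")             # path 2 returns v2
    reactivated = len(check_for_rotation([svc]))
    return stale, fresh, reactivated, svc.password()
```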




    • brmiller Brendan Miller
    • jason Jason Lemay