## Nomad ACL
The ACL setup is configured manually (not automated):
* a user of the `userpass` auth method is a member of the admin group in OpenBao
* the OpenBao admin group translates to the Nomad admin role on login, see
  [auth-method-vault.json](./auth-method-vault.json)
* a Nomad binding rule connects the auth method and the role via claim/selector (see
  Nomad binding rule below)
* the [admin policy](./policy-admin.hcl) is connected to the "admin" role in Nomad (see
  Nomad role config below)

## Nomad SSO with OpenBao OIDC provider
Nomad SSO is configured with the OpenBao OpenID Connect provider.
* https://developer.hashicorp.com/nomad/tutorials/archive/sso-oidc-vault
* https://write.in0rdr.ch/nomad-authentication-with-openbao

## Changes required on node leave/join
Update the list of `redirect_uris` when nodes join/leave:
* in the OpenBao client (see below)
* in [auth-method-vault.json](./auth-method-vault.json) (see below)

### OpenBao OIDC provider and client configuration
The OpenBao OIDC provider for Nomad restricts use to the Nomad client:
```bash
$ bao read identity/oidc/provider/nomad
Key                   Value
---                   -----
allowed_client_ids    [$OPENBAO_NOMAD_CLIENT_ID]
issuer                https://vault.in0rdr.ch/v1/identity/oidc/provider/nomad
scopes_supported      [groups]
```

The OpenBao client for Nomad configures the `redirect_uris`:
```bash
$ bao read identity/oidc/client/nomad
Key                 Value
---                 -----
access_token_ttl    1h
assignments         [nomad-oidc-admin]
client_id           ***
client_secret       hvo_secret_***
client_type         confidential
id_token_ttl        30m
key                 default
redirect_uris       [http://localhost:4200/ui/settings/tokens http://localhost:4649/oidc/callback https://intel0.lan:4646/ui/settings/tokens https://pi0.lan:4646/ui/settings/tokens https://pi1.lan:4646/ui/settings/tokens https://pi2.lan:4646/ui/settings/tokens https://pi3.lan:4646/ui/settings/tokens https://pi4.lan:4646/ui/settings/tokens]
```

To update `redirect_uris` (the value is a comma-separated list of URIs):
```bash
$ bao write identity/oidc/client/nomad redirect_uris="comma separated"
```

The "assignment" restricts use of the Nomad client to members of the OpenBao admin group:
```bash
$ bao read identity/oidc/assignment/nomad-oidc-admin
Key           Value
---           -----
entity_ids    []
group_ids     [$OPENBAO_ADMIN_GROUP_ID]
```

### Nomad ACL configuration
The auth method in Nomad is configured with a 1h max TTL for the Nomad tokens it issues.

```bash
$ nomad acl auth-method info vault
Name                   = vault
Type                   = OIDC
Locality               = global
Max Token TTL          = 1h0m0s
...

OIDC Discovery URL     = https://vault.in0rdr.ch/v1/identity/oidc/provider/nomad
OIDC Enable PKCE       = false
List claim mappings    = {groups: roles}
...
```

The file [auth-method-vault.json](./auth-method-vault.json) is used to
configure the Nomad authentication method.

Prepare variables:
```bash
ISSUER=$(curl -s https://vault.in0rdr.ch/v1/identity/oidc/provider/nomad/.well-known/openid-configuration | jq -r .issuer)
CLIENT_ID=$(vault read -field=client_id identity/oidc/client/nomad)
CLIENT_SECRET=$(vault read -field=client_secret identity/oidc/client/nomad)
```

Update the JSON file and apply it in Nomad (requires a management token):
```bash
nomad acl auth-method update -config @auth-method-vault.json vault
```

The Nomad ACL binding rule connects the JWT claim (signed by the OpenBao
provider) to the role:
```bash
$ nomad acl binding-rule info $RULE_ID
...
Auth Method    = vault
Selector       = "admin in list.roles"
Bind Type      = role
Bind Name      = admin
```

The Nomad ACL role assigns the policy:
```bash
$ nomad acl role info $ROLE_ID
...
Name        = admin
Policies    = admin
```
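As an added example, not code from this repository, here is a Python check for the node join/leave procedure described above: it derives the expected `redirect_uris` for a node list and reports which entries are missing or stale in the OpenBao client output and in `auth-method-vault.json`. The sample inputs are constructed, and the `AllowedRedirectURIs` key name is assumed to be the one used in that file.

```python
# Added example (not from the repository): derive the expected Nomad
# redirect_uris from the node list and report drift against the two places
# the README says must be updated on node join/leave.
import json

# Constructed sample: output of `bao read -format=json identity/oidc/client/nomad`
# after pi4 has left the cluster but its redirect URI was never removed.
BAO_CLIENT_JSON = json.dumps({"data": {"redirect_uris": [
    "http://localhost:4200/ui/settings/tokens",
    "http://localhost:4649/oidc/callback",
    "https://intel0.lan:4646/ui/settings/tokens",
    "https://pi4.lan:4646/ui/settings/tokens",
]}})

# Constructed sample of auth-method-vault.json. AllowedRedirectURIs is Nomad's
# OIDC auth-method config key (assumption: the repository file uses it too).
AUTH_METHOD_JSON = json.dumps({"AllowedRedirectURIs": [
    "http://localhost:4200/ui/settings/tokens",
    "http://localhost:4649/oidc/callback",
    "https://intel0.lan:4646/ui/settings/tokens",
    "https://pi0.lan:4646/ui/settings/tokens",
]})

def expected_redirect_uris(nodes, ui_port=4646):
    """UI and CLI callback URIs that must be allow-listed for the given nodes."""
    uris = ["http://localhost:4200/ui/settings/tokens",  # UI dev server
            "http://localhost:4649/oidc/callback"]        # `nomad login` CLI
    return uris + [f"https://{n}:{ui_port}/ui/settings/tokens" for n in nodes]

def redirect_uri_drift(expected, configured):
    """Missing URIs break login on new nodes; stale ones keep a departed hostname
    as a valid OIDC redirect target and should be removed."""
    exp, cfg = set(expected), set(configured)
    return {"missing": sorted(exp - cfg), "stale": sorted(cfg - exp)}

def bao_write_value(uris):
    """Comma-separated value for `bao write identity/oidc/client/nomad redirect_uris=...`."""
    return ",".join(uris)

def drift_report(nodes, bao_client_json, auth_method_json):
    expected = expected_redirect_uris(nodes)
    in_bao = json.loads(bao_client_json)["data"]["redirect_uris"]
    in_nomad = json.loads(auth_method_json)["AllowedRedirectURIs"]
    return {"openbao": redirect_uri_drift(expected, in_bao),
            "nomad": redirect_uri_drift(expected, in_nomad),
            "bao_write": bao_write_value(expected)}

if __name__ == "__main__":
    print(json.dumps(drift_report(["intel0.lan", "pi0.lan"],
                                  BAO_CLIENT_JSON, AUTH_METHOD_JSON), indent=2))
```

Run it with the current node list after every join or leave; a non-empty `stale` list means a departed host is still an accepted redirect target in that component.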