A Credential Store Provider encapsulates the logic required to retrieve credentials from a specific type of store. A few providers are available out of the box, and you can define custom implementations using either a Java class or a Groovy script. A provider defines the properties necessary to connect to the credential store, as well as the inputs necessary for each credential.
Here are the out-of-the-box credential store providers. You can view this screen by clicking the Providers button on the Credentials page (Administration - Security - Credentials).
The Local credential store retrieves credentials from the FlexDeploy database, where they are stored encrypted. You can view details on the other credential store providers on the Credential Store page. The Credential Store Providers screen also lets you view details of the out-of-the-box providers, but you are not allowed to change them. You can create additional credential store providers as necessary.
Here is how the HashiCorp Vault provider is set up in FlexDeploy. Note that it uses a Java implementation to retrieve credentials.
What is involved in defining credential store provider?
- Provide high-level details like name and description.
- Define credential store properties. Properties are configuration values used to connect to the credential store; they are reused to retrieve all credentials for one instance of the credential store. Properties are optional, as all access details might be coded in the API implementation.
- If you define properties, you can indicate display and validation details. You can also indicate whether a property is required and/or encrypted.
- When a credential store is created based on the provider, the user will have to define values for all required properties.
- Define credential inputs. You must have at least one input. Inputs are defined for each credential. For example, the inputs to retrieve the Endpoint1 password might be different from those for the Endpoint2 password.
- For each input, you can indicate display and validation details. You can also indicate whether an input is required and/or encrypted.
- When a user defines a credential for a store based on a specific provider, they will need to provide values for the inputs defined by the provider.
- Provide either a Java implementation or a Groovy API.
Let's define an example credential store provider so we can easily explain the concepts. You can provide the implementation as a Java class or just a Groovy script. A Groovy script allows for dynamic updates, whereas Java code requires a restart of the server.
Here we are creating a custom provider with one property; you can add more as necessary.
We will also configure just one input for this example; you can add more as necessary.
Now let's put in some Groovy code to retrieve the credential. This example just shows the procedural steps: the script first connects to the credential store, then retrieves and returns the credential value.
API Implementation
The implementation uses the Properties and Inputs to retrieve a specific credential. The API is invoked for each credential lookup. You simply connect to the external credential store using the property values and retrieve the credential using the inputs provided in the API call.
Java Implementation
Here are the high-level steps for a Java implementation. You can use any IDE to prepare this implementation.
- Create a Java class that extends flexagon.fd.model.integration.credstore.CredentialStore. See example below.
- In order to compile your Java class, you will need FlexDeployAPI.jar on the classpath.
- Implement the getSecret method to return the secret value for the inputs provided in the Map<String, Serializable> method input.
- The String key of the map is the Input Name configured on the credential store provider screen.
- The Serializable value of each map item is the value configured for that specific input. You will receive data types like String, Boolean, Double and Integer.
- You can use property values by invoking the getCSInstanceProperties() method, which returns a Map<String, Serializable> representing the property values configured for the credential store. As with inputs, this map is keyed by property name.
- If you encounter an issue accessing the credential store, you can throw an exception. For example, throw new ApiException("Failed to get credential", e);
- Once you are done with unit testing, you can prepare a Jar file containing your credential store Java class and other utility classes. This jar file can then be placed on the server classpath.
- For Tomcat, put this jar file in the apache-tomcat-flexdeploy/lib folder.
- For WebLogic, put this jar file in the Domain lib folder.
- If your Java implementation uses any third-party libraries, those jar files will also need to be added to the same lib folder. Keep in mind that this can cause issues with server functioning, so be prepared to remove your additional library files.
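The following is an added example of such a class, not code from FlexDeploy or its documentation. It assumes a hypothetical provider with two properties (storeUrl and the encrypted apiToken) and one input (secretKey), a hypothetical HTTP store that returns the secret as the plain response body, and that getSecret returns a String; the package of ApiException and its single-argument constructor are also assumptions to check against FlexDeployAPI.jar.

```java
import java.io.IOException;
import java.io.Serializable;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.util.Map;
import flexagon.fd.model.integration.credstore.CredentialStore;
import flexagon.fd.model.integration.api.ApiException; // package assumed; check FlexDeployAPI.jar

// Custom provider with properties storeUrl and apiToken and one input secretKey (all names hypothetical).
public class ExampleHttpCredentialStore extends CredentialStore {
  // Signature assumed from the steps above: inputs keyed by Input Name, secret returned as a String.
  @Override
  public String getSecret(Map<String, Serializable> pInputs) throws ApiException {
    // Property values are configured once per credential store instance, keyed by Property Name.
    Map<String, Serializable> props = getCSInstanceProperties();
    String storeUrl = requireString(props, "storeUrl", "property");
    String apiToken = requireString(props, "apiToken", "property"); // mark this property encrypted
    String secretKey = requireString(pInputs, "secretKey", "input");
    HttpRequest request = HttpRequest.newBuilder()
        .uri(URI.create(storeUrl + "/secrets/" + URLEncoder.encode(secretKey, StandardCharsets.UTF_8)))
        .header("Authorization", "Bearer " + apiToken)
        .timeout(Duration.ofSeconds(10))
        .GET()
        .build();
    try {
      HttpResponse<String> response = HttpClient.newHttpClient().send(request, HttpResponse.BodyHandlers.ofString());
      if (response.statusCode() != 200) {
        // Report only the status; never place the token or the response body in the message.
        throw new ApiException("Failed to get credential: store returned HTTP " + response.statusCode());
      }
      return response.body(); // the hypothetical store returns the secret value as the plain body
    } catch (IOException | InterruptedException e) {
      throw new ApiException("Failed to get credential", e);
    }
  }

  // Validate required values here too, so a misconfigured store fails fast with a clear message.
  private static String requireString(Map<String, Serializable> values, String name, String kind) throws ApiException {
    Serializable value = values == null ? null : values.get(name);
    if (!(value instanceof String) || ((String) value).isEmpty()) {
      throw new ApiException("Missing required " + kind + ": " + name);
    }
    return (String) value;
  }
}
```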
Groovy Implementation
The Groovy implementation is very simple. You can reference properties and inputs by their defined names, that is, the Property Name and Input Name defined on the credential store provider. Use these values to retrieve the credential. FlexDeploy optimizes compilation of the Groovy script, but the script is executed for every credential access.
You can raise an exception if a failure occurs.
Tip: As Groovy is able to access Java classes, you can take advantage of Java libraries from a Groovy script. For example, if there is a Java library available for a specific credential store, you can place it in the lib folder and use its classes from the Groovy script. This allows you to keep the dynamic part of the implementation in Groovy while using the Java library.