Allow ephemeral credentials for any configured node type

Node types can be restricted via splunk/roles/*.
By default, any role is allowed ("*")

Fixes TE-102, TE-103

Author: Michael Weber

README.md

@@ -102,6 +102,21 @@ after the configured lease ends, in 5 minutes.  We can use `vault
 lease [renew|revoke]` to manually alter the length of the lease, up to
 the configured maximum time.
 
+For clustered stacks, we create ephemeral credentials for specific nodes:
+
+    $ vault read splunk/creds/local-admin/idx.example.com
+    Key                Value
+    ---                -----
+    lease_id           splunk/creds/local-admin/idx.example.com/u2N97uUVVDw3YVaETB1yRK74
+    lease_duration     30s
+    lease_renewable    true
+    connection         local
+    password           &R1iX5W%$41QGcf^yN2i9%%#tUNf58h!
+    roles              [admin]
+    url                https://idx.example.com:8089
+    username           vault_29079642-4aa1-1979-f402-b3775f2713a7
+
+
 Rotate the Splunk admin password:
 
     vault write -f splunk/rotate-root/local

path_creds_create.go

@@ -12,11 +12,6 @@ import (
 	"github.com/splunk/vault-plugin-splunk/clients/splunk"
 )
 
-const (
-	SEARCHHEAD = "search_head"
-	INDEXER    = "indexer"
-)
-
 func (b *backend) pathCredsCreate() *framework.Path {
 	return &framework.Path{
 		Pattern: "creds/" + framework.GenericNameRegex("name"),
@@ -129,20 +124,23 @@ func (b *backend) credsReadHandlerStandalone(ctx context.Context, req *logical.R
 	return resp, nil
 }
 
-func findNode(nodeFQDN string, hosts []splunk.ServerInfoEntry) (bool, error) {
+func findNode(nodeFQDN string, hosts []splunk.ServerInfoEntry, roleConfig *roleConfig) (bool, error) {
 	for _, host := range hosts {
 		// check if node_fqdn is in either of HostFQDN or Host. User might not always the FQDN on the cli input
 		if host.Content.HostFQDN == nodeFQDN || host.Content.Host == nodeFQDN {
-			// Return true if the requested node is a search head
+			// Return true if the requested node type is allowed
+			if strutil.StrListContains(roleConfig.AllowedNodeTypes, "*") {
+				return true, nil
+			}
 			for _, role := range host.Content.Roles {
-				if role == SEARCHHEAD {
+				if strutil.StrListContainsGlob(roleConfig.AllowedNodeTypes, role) {
 					return true, nil
 				}
 			}
-			return false, fmt.Errorf("host: %s isn't search head; creating ephemeral creds is only supported for search heads", nodeFQDN)
+			return false, fmt.Errorf("host %q does not have an allowed node type", nodeFQDN)
 		}
 	}
-	return false, fmt.Errorf("host: %s not found", nodeFQDN)
+	return false, fmt.Errorf("host %q not found", nodeFQDN)
 }
 
 func (b *backend) credsReadHandlerMulti(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
@@ -181,7 +179,7 @@ func (b *backend) credsReadHandlerMulti(ctx context.Context, req *logical.Reques
 		b.Logger().Error("Error while reading SearchPeers from cluster master", err)
 		return nil, errwrap.Wrapf("unable to read searchpeers from cluster master: {{err}}", err)
 	}
-	_, err = findNode(nodeFQDN, nodes)
+	_, err = findNode(nodeFQDN, nodes, role)
 	if err != nil {
 		return nil, err
 	}
@@ -207,7 +205,6 @@ func (b *backend) credsReadHandlerMulti(ctx context.Context, req *logical.Reques
 	if err != nil {
 		return nil, errwrap.Wrapf("error generating new password: {{err}}", err)
 	}
-	conn.Params().BaseURL = nodeFQDN
 	opts := splunk.CreateUserOptions{
 		Name:       username,
 		Password:   passwd,

path_roles.go

@@ -35,6 +35,14 @@ func (b *backend) pathRoles() *framework.Path {
 				Type:        framework.TypeCommaStringSlice,
 				Description: "Comma-separated string or list of Splunk roles.",
 			},
+			"allowed_node_types": &framework.FieldSchema{
+				Type: framework.TypeCommaStringSlice,
+				Description: trimIndent(`
+				Comma-separated string or array of node type (glob) patterns that are allowed
+				to fetch credentials for.  If empty, no nodes are allowed.  If "*", all
+				node types are allowed.`),
+				Default: []string{"*"},
+			},
 			"default_app": &framework.FieldSchema{
 				Type: framework.TypeString,
 				Description: trimIndent(`
@@ -114,6 +122,9 @@ func (b *backend) rolesWriteHandler(ctx context.Context, req *logical.Request, d
 	if maxTTLRaw, ok := getValue(data, req.Operation, "max_ttl"); ok {
 		role.MaxTTL = time.Duration(maxTTLRaw.(int)) * time.Second
 	}
+	if allowed_node_types, ok := getValue(data, req.Operation, "allowed_node_types"); ok {
+		role.AllowedNodeTypes = allowed_node_types.([]string)
+	}
 	role.PasswordSpec = DefaultPasswordSpec() // XXX make configurable
 
 	if roles, ok := getValue(data, req.Operation, "roles"); ok {

role.go

@@ -11,9 +11,10 @@ import (
 )
 
 type roleConfig struct {
-	Connection string        `json:"connection" structs:"connection"`
-	DefaultTTL time.Duration `json:"default_ttl" structs:"default_ttl"`
-	MaxTTL     time.Duration `json:"max_ttl" structs:"max_ttl"`
+	Connection       string        `json:"connection" structs:"connection"`
+	DefaultTTL       time.Duration `json:"default_ttl" structs:"default_ttl"`
+	MaxTTL           time.Duration `json:"max_ttl" structs:"max_ttl"`
+	AllowedNodeTypes []string      `json:"allowed_node_types" structs:"allowed_node_types"`
 	PasswordSpec     *PasswordSpec `json:"password_spec" structs:"password_spec"`
 
 	// Splunk user attributes