
TLS Auth: extended configuration options #2325

Closed
joemiller opened this issue Feb 2, 2017 · 3 comments

Comments

@joemiller
Contributor

This is as much a request for ideas as it is a request to change the existing auth/tls module.

Our existing PKI system uses OU like a 'group' (eg: engineer, api, web, etc) and CN like a 'user' (CN=servername.tld, CN=[email protected], CN=myapp). It would be ideal to be able to use the auth/tls backend to obtain a token using these certs with specific policies attached based on the OU and/or CN.

Configuring one of these roles might look something like the following modified example from the existing docs:

$ vault write auth/cert/certs/web \
    display_name=web \
    policies=web,prod \
    ou=web \
    ttl=3600

or

$ vault write auth/cert/certs/joe \
    display_name=joe \
    policies=pki-admin \
    [email protected] \
    ttl=3600

I realize this may be too much of a change for the existing auth/tls module. If there were a plugin system I would just fork the existing module and change it to implement the OU / CN logic.

Are there other ways this could be implemented without having to fork and maintain our own Vault code base? Possibly via a wrapping proxy, although I'd like to avoid having to keep state in the proxy, which might be difficult.

thanks
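The OU/CN-to-policy mapping sketched above, as an added Go example that is not code from Vault or from anyone in this thread: it assumes a hypothetical Role type mirroring the two roles in the post (with a constructed joe@example.test standing in for the elided address), is applied to the Subject of a certificate that has already been verified against the backend's trusted CA, and fails closed when no role matches or when more than one does.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// Role is a hypothetical cert-auth role of the shape proposed in the issue:
// an empty OU or CN constraint means "not checked"; set constraints must all hold.
type Role struct {
	Name     string
	Policies []string
	OU       string // must be one of the Subject's OrganizationalUnit values
	CN       string // must equal the Subject's CommonName exactly
}

// matches reports whether every constraint set on r holds for subj.
func (r Role) matches(subj pkix.Name) bool {
	if r.CN != "" && subj.CommonName != r.CN {
		return false
	}
	if r.OU == "" {
		return true
	}
	for _, ou := range subj.OrganizationalUnit {
		if ou == r.OU {
			return true
		}
	}
	return false
}

// PoliciesFor returns the policies of the one role the certificate subject satisfies.
// It assumes CA verification already happened and fails closed on zero or several
// matches, so an over-broad role cannot quietly widen another role's grant.
func PoliciesFor(cert *x509.Certificate, roles []Role) ([]string, error) {
	var hits []Role
	for _, r := range roles {
		if r.matches(cert.Subject) {
			hits = append(hits, r)
		}
	}
	switch len(hits) {
	case 0:
		return nil, fmt.Errorf("no role matches subject %q", cert.Subject.String())
	case 1:
		return hits[0].Policies, nil
	}
	return nil, fmt.Errorf("%d roles match subject %q; refusing to pick one", len(hits), cert.Subject.String())
}
```

Vault's cert auth method later gained per-certificate subject constraints (allowed_common_names, allowed_organizational_units) that cover this use case; check the current auth/cert API docs for the exact parameters and their matching semantics.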

@jefferai
Member

jefferai commented Feb 2, 2017

This kind of enhancement has been proposed before, and we're not at all opposed, just lack the time to do it at the moment.

@jefferai
Member

Some of this now exists, so closing. If more is needed please open specific issue requests or PRs.

@jasonmf

jasonmf commented Mar 15, 2018

Can you point to the API docs for how to specify the mapping between subject fields and policies?
