Subba Reddy Alamuru created GUACAMOLE-2196:
----------------------------------------------
Summary: OpenBao Vault Integration Extension
Key: GUACAMOLE-2196
URL: https://issues.apache.org/jira/browse/GUACAMOLE-2196
Project: Guacamole
Issue Type: New Feature
Components: guacamole-vault
Reporter: Subba Reddy Alamuru
Add OpenBao Vault integration extension for Apache Guacamole
*Description:*
This enhancement adds a new vault integration extension that enables Apache
Guacamole to retrieve connection credentials from OpenBao
([https://openbao.org/]) at connection time, eliminating the need for users to
manually enter passwords.
*Overview:*
OpenBao is an open-source fork of HashiCorp Vault that provides secrets
management capabilities. This extension integrates Guacamole with OpenBao's KV
v2 secrets engine, automatically retrieving credentials when users connect to
remote desktop sessions.
*Key Features:*
* Automatic credential retrieval from OpenBao KV v2 secrets engine
* Token-based resolution using {{${OPENBAO_SECRET}}} and {{${GUAC_USERNAME}}}
patterns
* Simple configuration via guacamole.properties
* Username-based secret path mapping
* Secure token-based authentication with OpenBao API
* Docker container support with {{OPENBAO_}} environment variable prefix
*Implementation Details:*
The extension follows the existing guacamole-vault-base framework pattern
(similar to the KSM extension) and includes:
* OpenBaoAuthenticationProvider - Main authentication provider
* OpenBaoSecretService - Implements token resolution and secret retrieval
* OpenBaoClient - HTTP client for OpenBao REST API communication
* OpenBaoConfigurationService - Configuration management
* Support classes for directory and attribute services
*Configuration:*
Required properties in guacamole.properties:
{{openbao-server-url: http://openbao.example.com:8200}}
{{openbao-token: s.YourTokenHere}}
{{openbao-mount-path: guacamole-credentails}}
*Usage Example:*
When creating a connection, use token patterns:
* Username: {{${GUAC_USERNAME}}}
* Password: {{${OPENBAO_SECRET}}}
The extension maps Guacamole usernames to OpenBao secret paths:
{{Guacamole username: "john"}}
{{OpenBao secret path: /v1/guacamole-credentails/data/john}}
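The username-to-path mapping and the {{${GUAC_USERNAME}}} / {{${OPENBAO_SECRET}}} resolution described above, as an added illustration that is not part of the extension's Java code: a small Python model that builds the KV v2 data path, substitutes the tokens in a connection's parameters, and reads the secret through a stand-in client. The function names, the fake client, the sample KV v2 response and the {{X-Vault-Token}} header (inherited from HashiCorp Vault's API) are assumptions of this example, not taken from the ticket. It also adds a check the ticket does not mention: because the Guacamole username becomes the last path segment, it is restricted to a conservative character set so that a value such as {{../other}} cannot redirect the read to a different secret.

```python
"""Added example for GUACAMOLE-2196: token resolution and KV v2 path mapping.
Illustrative Python, not the extension's Java code. Names, the fake client and
the sample response below are constructed for this example."""
import json
import re

# Constructed sample of an OpenBao KV v2 read response. The shape follows the
# Vault KV v2 API that OpenBao inherits: the secret lives under data.data.
SAMPLE_KV2_RESPONSE = json.dumps({
    "data": {
        "data": {"password": "s3cret-from-vault"},
        "metadata": {"version": 3},
    }
})

# The username is used verbatim as the final path segment of the secret read,
# so only a conservative character set is accepted (assumption of this example).
_SAFE_USERNAME = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")


def is_safe_username(username):
    """True if the username can be placed in a secret path unchanged."""
    return bool(_SAFE_USERNAME.match(username)) and username not in (".", "..")


def secret_path(mount_path, username):
    """Map a Guacamole username to /v1/<mount>/data/<username> (KV v2 data read)."""
    if not is_safe_username(username):
        raise ValueError("refusing to build a secret path for username %r" % username)
    return "/v1/%s/data/%s" % (mount_path.strip("/"), username)


class FakeOpenBaoClient:
    """Stand-in for the HTTP client: serves canned responses keyed by path and
    records each request so the token header and path can be inspected."""

    def __init__(self, token, responses):
        self.token = token          # the openbao-token property
        self.responses = responses  # path -> JSON body (constructed)
        self.requests = []

    def read(self, path):
        # A real client would issue GET <openbao-server-url><path> with the
        # X-Vault-Token header (assumed header name) and enforce timeouts.
        self.requests.append({"path": path, "X-Vault-Token": self.token})
        body = self.responses.get(path)
        if body is None:
            raise LookupError("secret not found: " + path)
        return json.loads(body)


def read_secret_field(client, mount_path, username, field="password"):
    """Read the user's KV v2 secret and return one field of it."""
    doc = client.read(secret_path(mount_path, username))
    return doc["data"]["data"][field]


_TOKEN = re.compile(r"\$\{(GUAC_USERNAME|OPENBAO_SECRET)\}")


def resolve_parameters(params, client, mount_path, guac_username):
    """Replace ${GUAC_USERNAME} and ${OPENBAO_SECRET} in connection parameters.

    The secret is fetched only when ${OPENBAO_SECRET} actually appears, and at
    most once per resolution, so a parameter set without the token never
    touches OpenBao.
    """
    cache = {}

    def repl(match):
        if match.group(1) == "GUAC_USERNAME":
            return guac_username
        if "secret" not in cache:
            cache["secret"] = read_secret_field(client, mount_path, guac_username)
        return cache["secret"]

    return {key: _TOKEN.sub(repl, value) for key, value in params.items()}


if __name__ == "__main__":
    client = FakeOpenBaoClient(
        "s.constructed-token",
        {"/v1/guacamole-credentails/data/john": SAMPLE_KV2_RESPONSE},
    )
    connection = {"hostname": "rdp.example.internal",
                  "username": "${GUAC_USERNAME}",
                  "password": "${OPENBAO_SECRET}"}
    print(resolve_parameters(connection, client, "guacamole-credentails", "john"))
```

Running the block resolves the two tokens for the user {{john}} against the constructed response; the single recorded request shows the path {{/v1/guacamole-credentails/data/john}} and the configured token header, which is the exchange an OpenBao audit backend would log for this connection.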
*Technical Specifications:*
* Language: Java
* HTTP Client: Apache HttpClient 5.2.1
* JSON Parser: Gson 2.10.1
* Secrets Engine: OpenBao KV v2
* Connection Timeout: 5000ms (hardcoded)
* Request Timeout: 10000ms (hardcoded)
*Files Modified/Added:*
* {{extensions/guacamole-vault/pom.xml}} - Added openbao module
* {{extensions/guacamole-vault/modules/guacamole-vault-openbao/*}} - New
extension module
* {{guacamole-docker/build.d/010-map-guacamole-extensions.sh}} - Added Docker
mapping
*Testing Performed:*
* Successful Maven build with Apache RAT license validation
* Successful compilation with {{-Werror}} flag
* Manual testing with OpenBao dev server
* Verification of token resolution and credential retrieval
*Security Considerations:*
* Uses token-based authentication with OpenBao
* Supports HTTPS for production deployments
* Follows principle of least privilege for token permissions
* Audit logging recommended via OpenBao audit backend
*Documentation:*
Comprehensive README.md included with:
* Installation instructions
* Configuration examples
* Troubleshooting guide
* Security best practices
* Example deployment scenario
*Compatibility:*
* Guacamole Version: 1.6.x
* OpenBao Version: 2.0.0+ (tested with 2.4.4)
* Java Version: 21+
*Benefits:*
* Centralizes credential management in OpenBao
* Reduces password fatigue for end users
* Enables credential rotation without user intervention
* Provides audit trail for credential access
* Follows established Guacamole vault extension patterns
--
This message was sent by Atlassian Jira
(v8.20.10#820010)