[
https://issues.apache.org/jira/browse/GUACAMOLE-2196?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Subba Reddy Alamuru updated GUACAMOLE-2196:
-------------------------------------------
Description:
Add OpenBao Vault integration extension for Apache Guacamole
*Description:*
This enhancement adds a new vault integration extension that enables Apache
Guacamole to retrieve connection credentials from OpenBao
([https://openbao.org/]) at connection time, eliminating the need for users to
manually enter passwords.
*Overview:*
OpenBao is an open-source fork of HashiCorp Vault that provides secrets
management capabilities. This extension integrates Guacamole with OpenBao's KV
v2 secrets engine, automatically retrieving credentials when users connect to
remote desktop sessions.
*Key Features:*
* Automatic credential retrieval from OpenBao KV v2 secrets engine
* Token-based resolution using {{${OPENBAO_SECRET}}} and {{${GUAC_USERNAME}}}
patterns
* Simple configuration via guacamole.properties
* Username-based secret path mapping
* Secure token-based authentication with OpenBao API
* Docker container support with {{OPENBAO_}} environment variable prefix
*Implementation Details:*
The extension follows the existing guacamole-vault-base framework pattern
(similar to the KSM extension) and includes:
* OpenBaoAuthenticationProvider - Main authentication provider
* OpenBaoSecretService - Implements token resolution and secret retrieval
* OpenBaoClient - HTTP client for OpenBao REST API communication
* OpenBaoConfigurationService - Configuration management
* Support classes for directory and attribute services
*Configuration:*
Required properties in guacamole.properties:
{{openbao-server-url: http://openbao.example.com:8200}}
{{openbao-token: s.YourTokenHere}}
{{openbao-mount-path: guacamole-credentials}}
*Usage Example:*
When creating a connection, use token patterns:
* Username: {{${GUAC_USERNAME}}}
* Password: {{${OPENBAO_SECRET}}}
The extension maps Guacamole usernames to OpenBao secret paths:
{{Guacamole username: "john"}}
{{OpenBao secret path: /v1/guacamole-credentials/data/john}}
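The mapping above, worked through end to end as an added example (this is not code from the extension or from the Guacamole project): connection parameters holding the two tokens are resolved for one user, the KV v2 data path is built from the configured mount and the Guacamole username, and the password is taken out of the KV v2 response envelope. Assumptions the issue does not state: the password is stored under the key password inside the secret, OpenBao is addressed with the Vault-compatible X-Vault-Token header, and the KV v2 response used offline is constructed. The example also adds two checks the issue does not describe (whether the extension performs them is not stated): a username containing a path separator is rejected before it is used to build the secret path, and a missing secret fails closed instead of passing the literal ${OPENBAO_SECRET} string to the remote host as the password.

```python
"""Resolve ${GUAC_USERNAME} / ${OPENBAO_SECRET} against an OpenBao KV v2 secret.

Added example for GUACAMOLE-2196; not the extension's own code.
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional

# The two tokens the issue describes, substituted into connection parameters.
GUAC_USERNAME_TOKEN = "${GUAC_USERNAME}"
OPENBAO_SECRET_TOKEN = "${OPENBAO_SECRET}"

# Assumption: the password lives under this key inside the KV v2 secret.
# The issue does not name the key.
PASSWORD_KEY = "password"


def secret_path(mount: str, username: str) -> str:
    """Build /v1/<mount>/data/<username>, the KV v2 data endpoint the issue
    shows for user "john". The username is validated and URL-encoded so a
    value such as "../other" cannot be turned into a different secret path."""
    if not username or "/" in username or username in (".", ".."):
        raise ValueError(f"refusing to map username {username!r} to a secret path")
    return f"/v1/{mount.strip('/')}/data/{urllib.parse.quote(username, safe='')}"


def extract_password(kv2_response: dict) -> Optional[str]:
    """KV v2 wraps user data as {"data": {"data": {...}, "metadata": {...}}}."""
    return kv2_response.get("data", {}).get("data", {}).get(PASSWORD_KEY)


def http_fetch(server_url: str, token: str, path: str, timeout: float = 10.0) -> Optional[dict]:
    """GET `path` from OpenBao using the Vault-compatible X-Vault-Token header
    (assumption). Returns None when the secret does not exist (404); any other
    failure raises so the caller cannot mistake it for "no credential"."""
    req = urllib.request.Request(server_url.rstrip("/") + path,
                                 headers={"X-Vault-Token": token})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def resolve_parameters(params: Dict[str, str], guac_username: str, mount: str,
                       fetch: Callable[[str], Optional[dict]]) -> Dict[str, str]:
    """Replace ${GUAC_USERNAME} and ${OPENBAO_SECRET} in connection parameters.

    `fetch` takes a KV v2 path and returns the parsed response or None. The
    secret is only read when some parameter actually asks for it, and a missing
    secret fails closed: that parameter is dropped rather than sent with the
    literal token text as its value."""
    resolved: Dict[str, str] = {}
    secret_needed = any(OPENBAO_SECRET_TOKEN in v for v in params.values())
    password: Optional[str] = None
    if secret_needed:
        body = fetch(secret_path(mount, guac_username))
        password = extract_password(body) if body else None
    for name, value in params.items():
        value = value.replace(GUAC_USERNAME_TOKEN, guac_username)
        if OPENBAO_SECRET_TOKEN in value:
            if password is None:
                continue  # fail closed: no credential, no parameter
            value = value.replace(OPENBAO_SECRET_TOKEN, password)
        resolved[name] = value
    return resolved


# Constructed sample of what a KV v2 read returns for user "john".
SAMPLE_STORE = {
    "/v1/guacamole-credentials/data/john": {
        "request_id": "constructed-sample",
        "data": {
            "data": {"password": "S3cret!"},
            "metadata": {"version": 3, "destroyed": False},
        },
    }
}


def fake_fetch(path: str) -> Optional[dict]:
    """Offline stand-in for http_fetch, serving the constructed store."""
    return SAMPLE_STORE.get(path)


def demo() -> Dict[str, str]:
    """Resolve the parameters a connection would carry for user "john"."""
    params = {"hostname": "rdp.example.internal",
              "username": GUAC_USERNAME_TOKEN,
              "password": OPENBAO_SECRET_TOKEN}
    return resolve_parameters(params, "john", "guacamole-credentials", fake_fetch)


if __name__ == "__main__":
    print(demo())
```

Against a live server, replace fake_fetch with a closure over http_fetch bound to openbao-server-url and openbao-token; the 5000 ms and 10000 ms timeouts the issue lists are the hardcoded equivalents of the timeout argument here.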
*Technical Specifications:*
* Language: Java
* HTTP Client: Apache HttpClient 5.2.1
* JSON Parser: Gson 2.10.1
* Secrets Engine: OpenBao KV v2
* Connection Timeout: 5000ms (hardcoded)
* Request Timeout: 10000ms (hardcoded)
*Files Modified/Added:*
* {{extensions/guacamole-vault/pom.xml}} - Added openbao module
* {{extensions/guacamole-vault/modules/guacamole-vault-openbao/*}} - New
extension module
* {{guacamole-docker/build.d/010-map-guacamole-extensions.sh}} - Added Docker
mapping
*Testing Performed:*
* Successful Maven build with Apache RAT license validation
* Successful compilation with {{-Werror}} flag
* Manual testing with OpenBao dev server
* Verification of token resolution and credential retrieval
*Security Considerations:*
* Uses token-based authentication with OpenBao
* Supports HTTPS for production deployments
* Follows principle of least privilege for token permissions
* Audit logging recommended via OpenBao audit backend
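What "least privilege for token permissions" means concretely for this extension, as an added example (not part of the extension or its README). Assumed names: the mount guacamole-credentials from the configuration above, a policy called guacamole-readonly, a 24h periodic token, and the environment variable name OPENBAO_TOKEN for the Docker case (the issue only states the OPENBAO_ prefix). The bootstrap and put steps run against a live server and need BAO_ADDR plus an administrative BAO_TOKEN in the environment; the extension only ever reads /v1/<mount>/data/<username>, so the token it is given needs read on that path and nothing else: no update or delete, and no access to the <mount>/metadata prefix, which would let a compromised Guacamole host enumerate every user who has a stored secret.

```shell
#!/bin/sh
# Least-privilege OpenBao setup for the Guacamole OpenBao extension.
# Added example, not the extension's own tooling. Assumed names: mount
# "guacamole-credentials", policy "guacamole-readonly", token period 24h.
set -eu

MOUNT="${MOUNT:-guacamole-credentials}"
POLICY_NAME="${POLICY_NAME:-guacamole-readonly}"

# The extension issues GET /v1/<mount>/data/<username> and nothing else, so
# the token gets exactly "read" on <mount>/data/*. No write capabilities and
# no grant on <mount>/metadata/*, which would expose the set of usernames.
policy_hcl() {
    cat <<EOF
# Read-only access to per-user Guacamole secrets; nothing else.
path "${MOUNT}/data/*" {
  capabilities = ["read"]
}
EOF
}

# One-time setup against a live server (BAO_ADDR + admin BAO_TOKEN required).
bootstrap() {
    bao secrets enable -path="${MOUNT}" -version=2 kv
    policy_hcl | bao policy write "${POLICY_NAME}" -
    # Periodic orphan token: stays valid as long as it is renewed within the
    # period, and has no parent whose revocation would take it down with it.
    # Only the token string is printed; that value goes into openbao-token
    # in guacamole.properties (or OPENBAO_TOKEN for the Docker image, an
    # assumed name derived from the OPENBAO_ prefix the issue mentions).
    bao token create -policy="${POLICY_NAME}" -orphan -period=24h \
        -display-name=guacamole -field=token
}

# Store the credential for one Guacamole user at the path the extension
# reads. The password is read from stdin ("password=-"), not taken from argv,
# so it does not appear in the process list or shell history.
put_user_secret() {
    user="$1"
    bao kv put -mount="${MOUNT}" "${user}" password=-
}

case "${1:-}" in
    bootstrap) bootstrap ;;
    put)       put_user_secret "$2" ;;
    policy)    policy_hcl ;;
esac
```

Saved as openbao-guac.sh (hypothetical name), `sh openbao-guac.sh bootstrap` prints the token to hand to Guacamole, and `printf '%s' 'S3cret!' | sh openbao-guac.sh put john` stores the secret the usage example above resolves for user john. Rotating a user's password is then a second put; Guacamole reads the new version on the next connection without any change on its side.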
*Documentation:*
Comprehensive README.md included with:
* Installation instructions
* Configuration examples
* Troubleshooting guide
* Security best practices
* Example deployment scenario
*Compatibility:*
* Guacamole Version: 1.6.x
* OpenBao Version: 2.0.0+ (tested with 2.4.4)
* Java Version: 21+
*Benefits:*
* Centralizes credential management in OpenBao
* Reduces password fatigue for end users
* Enables credential rotation without user intervention
* Provides audit trail for credential access
* Follows established Guacamole vault extension patterns
> OpenBao Vault Integration Extension
> -----------------------------------
>
> Key: GUACAMOLE-2196
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-2196
> Project: Guacamole
> Issue Type: New Feature
> Components: guacamole-vault
> Reporter: Subba Reddy Alamuru
> Priority: Major
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)