Personal-files request for vht

vht requires access to the $HOME/.vault-token so the credentials for vault can be read automatically.

personal-files:
  read:
  - $HOME/.vault-token

Is there more information required?

Can you please explain what vht does, where $HOME/.vault-token originates from, and hence why vht requires access to it? When a user installs vht, would they expect it, and find it unsurprising, that it is then automatically granted access to this file?

It’s a small helper tool for interaction with HashiCorp Vault; it allows functionality that is currently not present in the application.

GitHub: https://github.com/ilijamt/vht

When you log in to HashiCorp Vault, a token is generated and stored in $HOME/.vault-token, after which it’s used to authenticate with the Vault backend.

Is vht affiliated with HashiCorp Vault in any way?

No, it’s a personal tool that I built for some of the functionality that I needed.

I’m +1 to allow use of the personal-files interface, though -1 to auto-connect since the application is not associated with HashiCorp Vault.

Please adjust your snap.yaml to use:

plugs:
  dot-vault-token:
    interface: personal-files
    read:
    - $HOME/.vault-token

@reviewers - can others please vote?

I adjusted the snap file. After this I have this issue.

The Store automatic review failed.
A human will soon review your snap, but if you can’t wait please write in the snapcraft forum asking for the manual review explicitly.
If you need to disable confinement, please consider using devmode, but note that devmode revision will only be allowed to be released in edge and beta channels.
Please check the errors and some hints below:

  • override not found for ‘plugs/dot-vault-token’. Use of the personal-files interface is reserved for vetted publishers. If your snap legitimately requires this access, please make a request in the forum using the ‘store-requests’ category (https://forum.snapcraft.io/c/store-requests), or if you would prefer to keep this private, the ‘sensitive’ category.
  • human review required due to ‘allow-installation’ constraint (bool)

I also agree that since vht is not the owner of this token, it makes sense that users should manually connect this interface so they gain some awareness of what access they are granting to the vht snap.

+1 for use of this via personal-files and -1 for auto-connect.

Can I get this approved? Is there any more information required?
It’s been 26 days since my original posting.

2 votes for, 0 against allowing use of read-only access to ~/.vault-token. Granting use of personal-files for installation with the following interface reference:

plugs:
  dot-vault-token:
    interface: personal-files
    read:
    - $HOME/.vault-token

This is now live. Note, there is a corresponding change to the review-tools that must be done which is committed to master but not yet in production for this to pass automated review. Until that is in production, we will manually approve new revisions of vht.

0 votes for, 2 votes against auto-connection of personal-files.