Support automatically adding and updating credentials in a credential store
Overview
Many subsystems currently support a credential-reference, which is used to specify either a reference to a credential that is stored in an Elytron credential store under a given alias or a clear text password. In particular, a credential-reference supports specifying either of the following two mutually exclusive things:
- store and alias attributes, which specify the Elytron credential store and the alias within the store that hold a credential
- a clear-text attribute, which specifies a clear text password
For the first case, a user needs to first create a credential store and add a credential to it before being able to reference it from a credential-reference.
This enhancement looks at relaxing the mutual exclusivity requirement in order to automate the process of adding or updating a credential in an existing credential store, reducing the number of steps that a user needs to perform.
Issue Metadata
Issue
Related Issues
Dev Contacts
QE Contacts
Testing By
[ ] Engineering [x] QE
Affected Projects or Components
- WildFly Core
- WildFly
Other Interested Projects
Requirements
Hard Requirements
It should be possible for a credential-reference to support both a credential store (i.e., the store attribute) and a clear text password (i.e., the clear-text attribute) to be specified at the same time.
When adding a new credential-reference with both the store and clear-text attributes specified:
- If the alias attribute is also specified, one of the following will then occur:
  - If the credential store does not contain an entry for the given alias, a new entry will be added to the credential store to hold the clear text password that was specified. The clear-text attribute will then be removed from the management model.
  - If the credential store does contain an entry for the given alias, the existing credential will be replaced with the clear text password that was specified. The clear-text attribute will then be removed from the management model.
- If the alias attribute is not specified, an alias will be generated and a new entry will be added to the credential store to hold the clear text password that was specified. The clear-text attribute will then be removed from the management model.
Note that if only the clear-text attribute is specified, or if only the store and alias attributes are specified, when adding a new credential-reference, there will be no change in behaviour.
When updating an existing credential-reference that contains both the alias and store attributes to also specify the clear-text attribute:
- The existing credential will be replaced with the clear text password that was specified. The clear-text attribute will then be removed from the management model.
In each of the above cases where adding or updating a credential-reference results in a new entry being added to the credential store or an existing entry being updated in the credential store, the output of the management operation will indicate this.
Rollback upon operation failure
If an operation that includes a credential-reference parameter fails for any reason, no automatic credential store update will take place, i.e., any credential store that was specified via the credential-reference attribute will contain the same contents as it did before the operation was executed. The output of the management operation will indicate this.
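The following is an added example, not WildFly or Elytron code, that models the add/update rules from the hard requirements above together with the rollback behaviour of this section. A credential store is represented as a plain dict of alias to secret that the user has created in advance (stores are never created automatically, per the non-requirements); the alias generation scheme and the remainder() hook standing in for the rest of the management operation are assumptions of this example, not WildFly's actual implementation.

```python
import copy
import secrets


class OperationFailed(Exception):
    """The management operation could not complete; any store change was rolled back."""


def generate_alias():
    # Assumed alias format for this example; the page does not specify how
    # WildFly generates an alias when none is given.
    return "generated-" + secrets.token_hex(4)


def apply_credential_reference(stores, ref, remainder=lambda: None, alias_gen=generate_alias):
    """Apply a credential-reference to the pre-existing credential stores.

    stores:    dict of store name -> dict(alias -> secret); created in advance
    ref:       the credential-reference as given in the operation
               (any of "store", "alias", "clear-text")
    remainder: callable standing in for the rest of the management operation;
               if it raises, the touched store is restored and OperationFailed
               is raised so the output can report the rollback
    Returns (model_ref, note): the attribute as it ends up in the management
    model (clear-text removed once it has been stored) and the message the
    operation output would carry.
    """
    store_name = ref.get("store")
    alias = ref.get("alias")
    clear_text = ref.get("clear-text")

    if store_name is None and clear_text is None:
        raise OperationFailed("credential-reference needs store or clear-text")
    if store_name is not None and store_name not in stores:
        # Non-requirement: credential stores are never created automatically.
        raise OperationFailed(f"credential store '{store_name}' does not exist")

    # Only clear-text, or only store+alias: existing behaviour, no store change
    # and the attribute is kept in the model exactly as given.
    if store_name is None or clear_text is None:
        remainder()
        return dict(ref), "no credential store change"

    store = stores[store_name]
    snapshot = copy.deepcopy(store)  # taken before any change, for rollback
    try:
        if alias is None:
            alias = alias_gen()
            store[alias] = clear_text
            note = f"added credential under generated alias '{alias}'"
        elif alias in store:
            store[alias] = clear_text
            note = f"updated credential for alias '{alias}'"
        else:
            store[alias] = clear_text
            note = f"added credential for alias '{alias}'"
        remainder()
    except Exception as exc:
        # Restore the store in place so the caller's object is unchanged.
        store.clear()
        store.update(snapshot)
        raise OperationFailed(
            f"operation failed; credential store '{store_name}' rolled back: {exc}"
        ) from exc

    # The clear text never reaches the model: only store and alias remain.
    return {"store": store_name, "alias": alias}, note


if __name__ == "__main__":
    # Constructed sample store with one pre-existing entry.
    sample_stores = {"mycs": {"db-password": "old-secret"}}
    print(apply_credential_reference(sample_stores, {"store": "mycs", "alias": "db-password", "clear-text": "new-secret"}))
    print(apply_credential_reference(sample_stores, {"store": "mycs", "clear-text": "other-secret"}))
    print(sorted(sample_stores["mycs"]))
```

The rollback relies on taking the snapshot before the store is touched and restoring it whenever the remainder of the operation fails, which is the observable guarantee the section above describes: after a failed operation the store's contents are identical to what they were beforehand, and the resulting OperationFailed message is what the operation output reports.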
Nice-to-Have Requirements
Non-Requirements
This enhancement will not add support for automatically creating credential stores. These will still need to be created in advance by the user.
This enhancement will not add support for automatically adding and updating credentials in a credential store when referencing credentials using the Elytron authentication client.
Test Plan
Testing of this enhancement will happen within the WildFly Core testsuite. Tests will be added for the different scenarios to make sure credentials can be automatically added and updated in credential stores appropriately.
Community Documentation
Community documentation on credential stores is currently being added in WFLY-11101.
This new documentation will be updated to include details on this new enhancement. The documentation will cover the different scenarios related to automatically adding and updating credentials in credential stores.
Release Notes
Instead of needing to first add a credential to a credential store in order to reference it from a credential-reference, WildFly 19 adds the ability to automatically add a credential to a previously defined credential store. Check out this blog post for an introduction to this new feature.