Enable allow_token_displayname configuration option for PKI backends

[ghost]

The logic for this configuration option was already in place, but it was not being handled during role creation. This simple change will allow the use of this option; to verify, execute the following:

1. Build the binary and start a dev server

make
./bin/vault server --dev

2. Enable the PKI backend and configure the CA and a test role

export VAULT_ADDR=http://localhost:8200
./bin/vault secrets enable pki
./bin/vault write pki/config/ca pem_bundle=@/path/to/bundle
./bin/vault write pki/roles/test allow_token_displayname=true

3. You can now generate a certificate using a common name matching the display name of the token (in this case, it's root)

$ ./bin/vault write pki/issue/test common_name=any
Error writing data to pki/issue/test: Error making API request.

URL: PUT http://localhost:8200/v1/pki/issue/test
Code: 400. Errors:

* common name any not allowed by this role

$ ./bin/vault write pki/issue/test common_name=root
Key                 Value
---                 -----
certificate          -----BEGIN CERTIFICATE-----

[robison]

Ah, this would be a huge improvement for issuing client certificates.

[jefferai]

It's intentionally not allowed. The logic is there for legacy reasons but relying on the token display name is almost always the wrong solution because the token display name is not really something under Vault's control but instead up to the whims of other backends.

If you can explain what you're trying to do I can suggest some alternatives.

[robison]

Ideally, we'd like to be able to set the Common Name on a PKI-backend-issued certificate to an authenticated username. Thoughts?

[ghost]

@jefferai Ah, I see, that makes sense. We currently issue client certificates for use with RBAC on Kubernetes, where the common name of the certificate is used as the username. We need to be able to restrict the allowed common names for issued certs to something associated with the client token making the request. Our original intent was to have developers authenticate with Vault using LDAP, and then the RBAC username would be the LDAP token displayname ldap-{username}. Is there an alternative way of achieving this?

[jefferai]

@tm-paigr You don't happen to be an enterprise customer do you? If so you can do this now with Sentinel.

[ghost]

@jefferai Unfortunately, no, we haven't made the plunge. I don't suppose there is a way of doing this with open-source Vault?

[jefferai]

Scheduling in milestone 0.10.2 so we don't forget about it as we are thinking about how we could add necessary underlying support.

[jefferai]

See #4681. This provides a way for plugins to get Entity information (id/name, alias id/name) for a given request. The PKI backend doesn't yet have built-in support to access this information and use it for cert names but it's the right underlying approach. Given that I'm going to close this in favor of a future PR (or change from the Vault team) that uses Entity info instead.