Comments (6)
You're right! "policy reload" helped me. But it's still a little bit tricky. There is no info in output of "policy" command or special mention documentation. I'd expect that "policy update" should be enough.
And I expect that "policy" command returns policies that actually used by gatekeeper right now.
from vault-gatekeeper.
The wildcard can only appear at the end of your policy name. So mesos:*
would be the appropriate name in your policy.
According to your setup here, however, since only the "api" role is listed in your policy configuration, then that means the token you get will have the api role. I don't see how you could get a default role token if "default" isn't anywhere in your policy configuration. Can you run gatekeeper policy
? This will show that gatekeeper believes the current policy should be.
from vault-gatekeeper.
I'd try "mesos:*" also. Same result. That's my config returned by "policy" method:
time="2018-07-31T16:14:18Z" level=info msg="Loaded policies. 1 total policies."
{
"mesos:*": {
"roles": [
"api"
],
"num_uses": 30
}
}
my curl:
sudo curl -X POST -d"{\"task_id\":\"abm_abm-api.05be9800-94dd-11e8-8961-062024e1b273\", \"scheduler\": \"mesos\", \"role\":\"api\"}" 'http://test:9201/token'
response:
{"unsealed":true,"error":"Your task does not have permission to use this role."}
As I could see in vault logs it's not go for api role auth, only gatekeeper auth(successfully).
But when I try to call gatekeeper without role:
sudo curl -X POST -d"{\"task_id\":\"abm_abm-api.d6758851-94dd-11e8-8961-062024e1b273\", \"scheduler\": \"mesos\"}" 'http://abmtest:9201/token'
I could get token.
{"unsealed":true,"token":"0b7e3f18-5945-f0d4-6955-cb382ccd49c2","ttl":"1h40m0s","vault_addr":"http://test:8200/"}
And there is also "read" request for path "auth/approle/role/default/secret-id" in Vault logs, not "api".
Where I get wrong?
from vault-gatekeeper.
The only thing that makes sense to me is, did you previously load a policy with gatekeeper that had a default role? The policy in Gatekeeper might be stale, and you may need to reload the policy. Run the command:
GATEKEEPER_ADDR=http://abmtest:9201 gatekeeper policy reload
And try again. The issue here could be that the policy in Gatekeeper's memory is stale. Even if you update the policy in Vault, you need to "refresh" gatekeeper so it loads the new policy.
from vault-gatekeeper.
Also I wonder why "api_*" not work for "api_1234" but "*" pattern works for me
from vault-gatekeeper.
To match something like api_1234
with api_*
, check out the regexp matcher in #77.
from vault-gatekeeper.
Related Issues (20)
- Adding image id for verification of task being launched HOT 1
- Enhancement request: Support dynamic policy names HOT 1
- New Release tag? HOT 7
- Enhancement request: Allow tokens to be non-renewable
- Fix for renewable configurable policy addition with nested policies HOT 1
- Travis tests failing
- Enhancement request: Support for AppRole Auth Method HOT 1
- --vault-kv-version not applied HOT 2
- Token renewal should be retried on failure HOT 2
- Policy Struct changed HOT 2
- Question on building/installing gatekeeper-cli HOT 2
- namespace support? HOT 2
- Not working with VaultServer
- Unseal failed with the 'approle' method.
- {"unsealed":true,"error":"The role requested does not exist."} HOT 3
- Mesos 1.8+ no longer supports the state.json endpoint HOT 2
- Support wildcard inside task name or a more robust (regexp?) matching HOT 3
- Unseal fails with self-signed cert HOT 3
- Only the first AppRole on the roles list is used for authentication HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from vault-gatekeeper.