New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

There doesnt seem to be a way to remove authorized client from vault_keys #103

Closed
vinyar opened this Issue May 6, 2014 · 8 comments

Comments

Projects
None yet
6 participants
@vinyar

vinyar commented May 6, 2014

Hi, I was unable to find a way to remove clients from vault_keys. Maybe I'm just missing something simple, but here is the full writeup in case it's a bug/regression.

Use case:
I have around 50 active test nodes, and vault_keys has almost 400 entries from the various nodes created and deleted over the last couple of months. In an auto scaling environment where nodes are brought up and down continuously, the vault_keys will quickly become unwieldy. We would like to make chef-vault client removal part of automated server decommission.

Knife vault update command updates existing clients, but does not remove clients excluded from the search:
example:

knife vault update alexv alexvault \
'{"vaultuser":"$6$VqEIDjsp$7NtPMhA9cnxvSMTE9l7DMmydJJEymi9b4t1Vhk475vrWlfxMgVb3bDLhpk/RZt0J3X7l5H8WnqFgvq3dIa9Kt/"}' \
 --search 'recipe:test_recipe NOT name:server3' \ 
 --admins alex --mode client

result:

knife data bag show alexv alexvault_keys

  server1
  server2
  server3
  server4
id:                 alexvault_keys
search_query:                 recipe:ge_role_secure_os NOT name:server3

I've tested various methods, and the only way that worked for me, was to delete the vault_keys item with (knife data bag delete alexv alexvault_keys) and recreate it with the knife vault create query above. A very heavy handed approach.

working solution:

knife data bag delete alexv alexvault_keys
knife vault create alexv alexvault '{"vaultuser":"$6$VqEIDjsp$7NtPMhA9cnxvSMTE9l7DMmydJJEymi9b4t1Vhk475vrWlfxMgVb3bDLhpk/RZt0J3X7l5H8WnqFgvq3dIa9Kt/"}' --search 'recipe:test_recipe NOT name:server3' --admins alex --mode client
knife data bag show alexv alexvault_keys

  server1
  server2
  server4
id:                 alexvault_keys
search_query:                 recipe:ge_role_secure_os NOT name:server3

Solution:
There should be a command to remove authorized clients without having to delete the data_bag which can be ran as part of server removal automation. I'm fairly new to chef-vault, so if update switch used to perform this function, would it be possible to reimplement it?

@afiune

This comment has been minimized.

afiune commented May 6, 2014

@vinyar

Have you tried:

knife vault remove VAULT ITEM VALUES (options)

For you I think this will work:

knife vault remove alexv alexvault  \ 
  --search 'name:server3' \ 
  --mode client
@moserke

This comment has been minimized.

Contributor

moserke commented May 6, 2014

The one thing to note about knife vault remove is that the client still needs to be searchable/indexed for chef-vault to find it to remove it. So the decommission workflow is:

  1. Remove node from chef-vault
  2. Remove node from chef

If you have removed the node from chef first, then you will have to hand edit the vault_item_keys.json file directly to remove the orphaned nodes.

@vinyar

This comment has been minimized.

vinyar commented May 6, 2014

Verified that this workflow works, thanks!
Are there any plans to add support for removal of dead nodes?

@galindro

This comment has been minimized.

galindro commented Jul 7, 2014

+1

I need this feature too...

@galindro

This comment has been minimized.

galindro commented Oct 8, 2014

+1

@jf647

This comment has been minimized.

Contributor

jf647 commented Oct 22, 2014

v2.3.0 adds a --clean switch to 'knife vault update' that should do what you're looking for.

@jf647 jf647 closed this Oct 22, 2014

@8la

This comment has been minimized.

Contributor

8la commented Apr 8, 2016

This behaviour and the --clear switch should be documented at the README please!

Thanks!

@vinyar

This comment has been minimized.

vinyar commented Apr 12, 2016

👍 ☕️ for the --clean switch

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment