Unclear roles pattern matching #62
Comments
The wildcard can only appear at the end of your policy name. So according to your setup here, since only the "api" role is listed in your policy configuration, the token you get will have the api role. I don't see how you could get a default role token if "default" isn't anywhere in your policy configuration. Can you run
I also tried "mesos:*". Same result. This is my config as returned by the "policy" method:

```
time="2018-07-31T16:14:18Z" level=info msg="Loaded policies. 1 total policies."
{
  "mesos:*": {
    "roles": [
      "api"
    ],
    "num_uses": 30
  }
}
```

My curl:

```
sudo curl -X POST -d"{\"task_id\":\"abm_abm-api.05be9800-94dd-11e8-8961-062024e1b273\", \"scheduler\": \"mesos\", \"role\":\"api\"}" 'http://test:9201/token'
```

Response:
As I could see in the Vault logs, it does not go for api role auth, only gatekeeper auth (successfully). With

```
sudo curl -X POST -d"{\"task_id\":\"abm_abm-api.d6758851-94dd-11e8-8961-062024e1b273\", \"scheduler\": \"mesos\"}" 'http://abmtest:9201/token'
```

I could get a token.
And there is also a "read" request for the path "auth/approle/role/default/secret-id" in the Vault logs, not "api". Where am I going wrong?
The only thing that makes sense to me is, did you previously load a policy with gatekeeper that had a default role? The policy in Gatekeeper might be stale, and you may need to reload the policy. Run the command:
And try again. The issue here could be that the policy in Gatekeeper's memory is stale. Even if you update the policy in Vault, you need to "refresh" gatekeeper so it loads the new policy.
You're right! "policy reload" helped me. But it's still a little bit tricky. There is no info about it in the output of the "policy" command or any special mention in the documentation. I'd expect that "policy update" should be enough.
Also I wonder why "api_*" does not work for "api_1234" but the "*" pattern works for me.
To match something like
Hi, I spent a lot of time trying to configure gatekeeper properly. I'm stuck with the role policies configuration.
This is my policies configuration:
But when I'm trying to get a token:
I've got an error instead:
I have "default" and "api" roles configured in the vault.
When I make my token request without the "role" tag:
then the request goes with the "default" role and I could get a token.
I've tried "*", "mesos:*:*", "mesos:marathon:*", "mesos:marathon:abm_*" keys but none of them work for me. Where am I going wrong, and maybe you should clarify the documentation or log output? Thanks!