
[2018.3] Fixing vault when being used from Pillar #49820

Merged

3 participants
@garethgreenaway
Member

commented Sep 28, 2018

What does this PR do?

Fixing the scenario when vault values are used in Pillar, but due to a previous change the minion was not being granted token based access.

What issues does this PR fix or reference?

#49671

Previous Behavior

Reading vault values from Pillar failed because of previous changes to allow vault access via salt-ssh.

New Behavior

Swapping out the call when the vault read is happening on the Salt master from using _use_local_config to use _get_token_and_url_from_master()

Tests written?

No. Manual tests with output provided.

Commits signed with GPG?

Yes/No

Please review Salt's Contributing Guide for best practices.

See GitHub's page on GPG signing for more information about signing commits with GPG.

Fixing the scenario when vault values are used in Pillar, but due to …
…a previous change the minion was not being granted token based access.

@garethgreenaway garethgreenaway force-pushed the garethgreenaway:49671_fixing_vault_pillar branch from 0bda932 to b0ba2ec Sep 28, 2018

@garethgreenaway

Member Author

commented Sep 28, 2018

Master policy, only access to auth endpoint:

path "auth/token/create-orphan" {
  capabilities = ["update", "sudo"]
}
path "auth/token/create" {
  capabilities = ["update", "sudo"]
}

Minion policy, read access to the secret endpoint:

path "secret/*" {
  capabilities = ["read"]
}

Pillar SLS:

{%- set supersecret = salt['vault'].read_secret('secret/ssh/user1', 'password') %}
test:
  - {{ supersecret }}

Targeting Minion:

[root@b2d66931390f master.d]# salt 076d8ca9b65b vault.read_secret "secret/ssh/user1"
076d8ca9b65b:
    ----------
    password:
        "abc123"

Pillar:

[root@b2d66931390f master.d]# salt 076d8ca9b65b pillar.items
076d8ca9b65b:
    ----------
    test:
        - "abc123"

Master pillar.items call:

local:
    ----------
    _errors:
        - Rendering SLS 'test' failed. Please see master log for details.
---
{%- set supersecret = salt['vault'].read_secret('secret/ssh/user1', 'password') %}    <======================
test:
  - {{ supersecret}}
---
Traceback (most recent call last):
  File "/testing/salt/pillar/__init__.py", line 736, in render_pstate
    **defaults)
  File "/testing/salt/template.py", line 93, in compile_template
    ret = render(input_data, saltenv, sls, **render_kwargs)
  File "/testing/salt/renderers/jinja.py", line 70, in render
    **kws)
  File "/testing/salt/utils/templates.py", line 170, in render_tmpl
    output = render_str(tmplstr, context, tmplpath)
  File "/testing/salt/utils/templates.py", line 423, in render_jinja_tmpl
    tmplstr)
SaltRenderError: Problem running salt function in Jinja template: 403 Client Error: Forbidden; line 1

---
{%- set supersecret = salt['vault'].read_secret('secret/ssh/user1', 'password') %}    <======================
test:
  - {{ supersecret}}
---

salt-call vault.read_secret

[root@b2d66931390f master.d]# salt-call vault.read_secret "secret/ssh/user1"
[ERROR   ] Failed to read secret! HTTPError: 403 Client Error: Forbidden
Error running 'vault.read_secret': 403 Client Error: Forbidden

salt-ssh vault.read_secret:

[root@b2d66931390f master.d]# salt-ssh minion vault.read_secret "secret/ssh/user1"
minion:
    ----------
    password:
        "abc123"

salt-ssh pillar.items

[root@b2d66931390f master.d]# salt-ssh minion pillar.items
minion:
    ----------
    test:
        - "abc123"
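The 403 in the manual tests above follows directly from the two policies posted: the master's own token may only create tokens, and only a token carrying the minion policy may read `secret/*`. The following is an added toy model of that policy check, not Salt's or Vault's own code; the policy/secret data is constructed from the comment, and `allowed`, `read_secret`, `create_minion_token`, `pillar_read_before_fix`, `pillar_read_after_fix` and `is_denied` are hypothetical names standing in for the real `_use_local_config` / `_get_token_and_url_from_master()` paths.

```python
# Added model (not Salt's own code) of the Vault policy checks behind the
# 403 above. Policies are the two posted; SECRETS is a constructed KV stand-in.
MASTER_POLICY = {
    "auth/token/create-orphan": {"update", "sudo"},
    "auth/token/create": {"update", "sudo"},
}
MINION_POLICY = {"secret/*": {"read"}}
SECRETS = {"secret/ssh/user1": {"password": "abc123"}}  # constructed


def allowed(policy, path, capability):
    """Vault-style match: exact path, or a rule ending in '*' as a prefix."""
    for rule, caps in policy.items():
        if rule.endswith("*"):
            matched = path.startswith(rule[:-1])
        else:
            matched = rule == path
        if matched and capability in caps:
            return True
    return False

def read_secret(policy, path, key=None):
    """Read with a token carrying `policy`; deny like Vault's 403 otherwise."""
    if not allowed(policy, path, "read"):
        raise PermissionError("403 Client Error: Forbidden")
    data = SECRETS[path]
    return data if key is None else data[key]

def create_minion_token(master_policy):
    """Master issues a minion-scoped token; needs update on auth/token/create."""
    if not allowed(master_policy, "auth/token/create", "update"):
        raise PermissionError("403 Client Error: Forbidden")
    return MINION_POLICY  # the issued token carries the minion policy

def pillar_read_before_fix(path, key):
    """Old path: pillar rendered on the master with the master's local token."""
    return read_secret(MASTER_POLICY, path, key)

def pillar_read_after_fix(path, key):
    """New path: fetch a minion-scoped token from the master, then read."""
    return read_secret(create_minion_token(MASTER_POLICY), path, key)

def is_denied(fn, *args):
    """True when fn(*args) is refused with the 403-style PermissionError."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False
```

With the master policy as posted, `pillar_read_before_fix` is denied exactly as the master `pillar.items` and `salt-call` output shows, while the token-creation route succeeds like the minion and salt-ssh runs.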

@garethgreenaway garethgreenaway changed the title o … [2018.3] Fixing vault when being used from Pillar Sep 28, 2018

@cachedout cachedout closed this Sep 30, 2018

@cachedout cachedout reopened this Sep 30, 2018

@rallytime rallytime merged commit 1a41d1b into saltstack:2018.3 Oct 1, 2018

7 of 10 checks passed

continuous-integration/jenkins/pr-merge This commit cannot be built
jenkins/pr/py2-windows-2016 The py2-windows-2016 job has failed
jenkins/pr/py3-windows-2016 The py3-windows-2016 job has failed
WIP ready for review
jenkins/pr/docs The docs job has passed
jenkins/pr/lint The lint job has passed
jenkins/pr/py2-centos-7 The py2-centos-7 job has passed
jenkins/pr/py2-ubuntu-1604 The py2-ubuntu-1604 job has passed
jenkins/pr/py3-centos-7 The py3-centos-7 job has passed
jenkins/pr/py3-ubuntu-1604 The py3-ubuntu-1604 job has passed