Page MenuHomeDevCentral
Differential D3355

Allow Salt policy to create admin-level tokens
ClosedPublic
Actions

Authored by dereckson on Jul 7 2024, 13:19.
Tags
None
Referenced Files
F9788160: D3355.diff
Fri, Jun 13, 20:13
F9787504: D3355.id8653.diff
Fri, Jun 13, 19:32
Unknown Object (File)
Thu, Jun 12, 12:33
Unknown Object (File)
Mon, Jun 9, 21:38
Unknown Object (File)
Sat, Jun 7, 17:16
Unknown Object (File)
Fri, Jun 6, 09:24
Unknown Object (File)
Wed, Jun 4, 20:25
Unknown Object (File)
Tue, Jun 3, 02:21
View All Files
Subscribers
None

Details

Reviewers
DorianWinty
Maniphest Tasks
T1975: Allow ops to login to Vault
Commits
rOPS4fdae60b2437: Allow Salt policy to create admin-level tokens
Summary

To allow a self-service token generation in Complector, allows the
Salt primary policy to issue tokens for the admin role.

Ref T1975.

Test Plan

Issue an admin token with salt-primary policy

Diff Detail

Repository
rOPS Nasqueron Operations
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

dereckson requested review of this revision.Jul 7 2024, 13:19
dereckson created this revision.
Harbormaster completed remote builds in B5333: Diff 8653.Jul 7 2024, 13:19
dereckson planned changes to this revision.Jul 7 2024, 13:58

This is not the correct paths -> Salt returns a 403 when using this policy.

It works with an overkill path "auth/*".

dereckson retitled this revision from Allow Salt to create admin-level tokens to Allow Salt policy to create admin-level tokens.Jul 7 2024, 13:58
dereckson added a comment.Jul 7 2024, 14:12

By the way, the token used by Salt has the following properties:

metadata: {'role_name': 'salt_primary'}
policies: ['default', 'salt', 'salt-node-complector']

It means the policies read are salt (stable) and salt-node-complector (depends of the server name).

dereckson added a comment.Aug 4 2024, 11:16

To be able to use auth/token/create/admin, it needs a role admin, let's add it to the DRP bootstrap script:

vault write auth/token/roles/admin allowed_policies=admin period=30d
dereckson updated this revision to Diff 8771.Aug 4 2024, 11:33

Use admin role

Harbormaster completed remote builds in B5413: Diff 8771.Aug 4 2024, 11:33
dereckson added a child revision: D3403: Write auth/token/roles/salt-node in vault bootstrap DRP script.Aug 4 2024, 11:38
DorianWinty accepted this revision.Aug 5 2024, 19:14
This revision is now accepted and ready to land.Aug 5 2024, 19:14
Closed by commit rOPS4fdae60b2437: Allow Salt policy to create admin-level tokens (authored by dereckson). · Explain WhyAug 5 2024, 19:24
This revision was automatically updated to reflect the committed changes.
dereckson added a commit: rOPS4fdae60b2437: Allow Salt policy to create admin-level tokens.

Revision Contents
Changeset List

PathSize
roles/
vault/
bootstrap/
files/
6 lines
policies/
files/
9 lines
utils/
vault/
2 lines

Diff 8782

View Options

roles/vault/bootstrap/files/vault-initialize.sh

Loading...
View Options

roles/vault/policies/files/salt-primary.hcl

Loading...
View Options

utils/vault/issue-admin-token.py

Loading...
Nasqueron DevCentral · If it had been much bigger the moon would have had a core of ice. · Powered by Phabricator