Avoid a server to keep access to stale Vault policies
ClosedPublic
Actions

Authored by dereckson on Apr 15 2022, 19:11.

Details

Reviewers

DorianWinty
dereckson

Maniphest Tasks

T1425: Provision secrets through Salt

Commits

rOPS15526ba96582: Avoid a server to keep access to stale Vault policies

Summary

If a server lose access to any policy, it would keep the last state.

Instead, we now submit a new policy "intentionally left blank"
to explicitly document that node doesn't have access to anything.

This is a follow-up for af9db00760be.

Ref T1425.

Test Plan

salt-call --local credentials.build_policies_by_node

Tested on Complector, we've a correct set of policies for every node.

Diff Detail

Repository

rOPS Nasqueron Operations

Lint

Lint Passed

Unit

No Test Coverage

Branch

docker-vault-policies-blank

Build Status

Buildable 4188
Build 4440: arc lint + arc unit

Event Timeline

dereckson requested review of this revision.Apr 15 2022, 19:11

dereckson created this revision.

Harbormaster completed remote builds in B4188: Diff 6746.Apr 15 2022, 19:11

DorianWinty accepted this revision.Apr 17 2022, 15:48

This revision is now accepted and ready to land.Apr 17 2022, 15:48

dereckson accepted this revision.Apr 19 2022, 18:55

Closed by commit rOPS15526ba96582: Avoid a server to keep access to stale Vault policies (authored by dereckson). · Explain WhyApr 19 2022, 18:55

This revision was automatically updated to reflect the committed changes.

dereckson added a commit: rOPS15526ba96582: Avoid a server to keep access to stale Vault policies.

Revision Contents
Changeset List

Path

Size

_modules/

credentials.py

9 lines

Diff 6746

View Options

Avoid a server to keep access to stale Vault policiesClosedPublicActions