Avoid a server to keep access to stale Vault policies
ClosedPublic
Actions

Authored by dereckson on Apr 15 2022, 19:11.

Details

Reviewers

DorianWinty
dereckson

Maniphest Tasks

T1425: Provision secrets through Salt

Commits

rOPS15526ba96582: Avoid a server to keep access to stale Vault policies

Summary

If a server lose access to any policy, it would keep the last state.

Instead, we now submit a new policy "intentionally left blank"
to explicitly document that node doesn't have access to anything.

This is a follow-up for af9db00760be.

Ref T1425.

Test Plan

salt-call --local credentials.build_policies_by_node

Tested on Complector, we've a correct set of policies for every node.

Diff Detail

Repository

rOPS Nasqueron Operations

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

dereckson requested review of this revision.Apr 15 2022, 19:11

dereckson created this revision.

Harbormaster completed remote builds in B4188: Diff 6746.Apr 15 2022, 19:11

DorianWinty accepted this revision.Apr 17 2022, 15:48

This revision is now accepted and ready to land.Apr 17 2022, 15:48

dereckson accepted this revision.Apr 19 2022, 18:55

Closed by commit rOPS15526ba96582: Avoid a server to keep access to stale Vault policies (authored by dereckson). · Explain WhyApr 19 2022, 18:55

This revision was automatically updated to reflect the committed changes.

dereckson added a commit: rOPS15526ba96582: Avoid a server to keep access to stale Vault policies.

Revision Contents
Changeset List

Path

Size

_modules/

credentials.py

9 lines

Diff 6761

View Options

Avoid a server to keep access to stale Vault policiesClosedPublicActions