Page MenuHomeDevCentral

Allow Salt policy to create admin-level tokens
ClosedPublic

Authored by dereckson on Jul 7 2024, 13:19.
Tags
None
Referenced Files
F9320438: D3355.id8771.diff
Sun, Jun 1, 06:54
F9310774: D3355.id.diff
Sun, Jun 1, 00:15
Unknown Object (File)
Sat, May 31, 04:29
Unknown Object (File)
Fri, May 30, 07:24
Unknown Object (File)
Fri, May 23, 11:30
Unknown Object (File)
Wed, May 21, 12:01
Unknown Object (File)
Tue, May 20, 12:08
Unknown Object (File)
Fri, May 16, 11:29
Subscribers
None

Details

Summary

To allow a self-service token generation in Complector, allows the
Salt primary policy to issue tokens for the admin role.

Ref T1975.

Test Plan

Issue an admin token with salt-primary policy

Diff Detail

Repository
rOPS Nasqueron Operations
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

dereckson created this revision.

This is not the correct paths -> Salt returns a 403 when using this policy.

It works with an overkill path "auth/*".

dereckson retitled this revision from Allow Salt to create admin-level tokens to Allow Salt policy to create admin-level tokens.Jul 7 2024, 13:58

By the way, the token used by Salt has the following properties:

metadata: {'role_name': 'salt_primary'}
policies: ['default', 'salt', 'salt-node-complector']

It means the policies read are salt (stable) and salt-node-complector (depends of the server name).

To be able to use auth/token/create/admin, it needs a role admin, let's add it to the DRP bootstrap script:

vault write auth/token/roles/admin allowed_policies=admin period=30d
This revision is now accepted and ready to land.Aug 5 2024, 19:14