Rabbitmq role not picking up the / vhost #7603
Comments
@jefferai or anyone else working on Vault, when you have a moment, are you able to take a quick look at this please? Thanks
UPDATE: I've just been experimenting and it seems it's not adding any specified vhost to the role. Using the following payload on my API request:

```json
{
  "name": "rabbitrole",
  "tags": "administrator,management",
  "vhost": "{\"devopsrob/\": {\"configure\":\".*\", \"write\":\".*\", \"read\": \".*\"}}"
}
```

and running the following to implement this:

```shell
curl \
  --header "X-Vault-Token: $token" \
  --request POST \
  --data @rabbitmq-payload.json \
  http://127.0.0.1:8200/v1/rabbitmq/config/connection
```

When I read the role, I still get the following response:
The plugin has no use if it can't pick up the specified vhosts, as it will create dynamic users but not assign them the specified permissions to perform their prescribed tasks.
Figured out this issue is down to a typo in the docs online. The payload parameter should be "vhosts" rather than "vhost". I've submitted a PR to rectify this so that anyone else looking for guidance in using this secrets engine doesn't get caught out the same way I did.
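A pre-flight check for the role payload discussed in this thread, as an added example that is not part of the original issue or of Vault's code: it flags a misspelled `vhost` key and a missing or malformed `vhosts` value before the request is sent. Treating `name`, `tags` and `vhosts` as the only accepted keys is an assumption taken from the payload shown on this page, and `lint_role_payload` is a hypothetical helper name.

```python
import json

# Keys seen in the role payload on this page; treating them as the only
# accepted keys is an assumption made for this example.
KNOWN_KEYS = {"name", "tags", "vhosts"}
PERMISSION_KEYS = {"configure", "write", "read"}


def lint_role_payload(raw: str) -> list:
    """Return a list of problems found in a RabbitMQ role payload (JSON text)."""
    try:
        payload = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"payload is not valid JSON: {exc.msg}"]
    if not isinstance(payload, dict):
        return ["payload must be a JSON object"]

    problems = []
    for key in sorted(set(payload) - KNOWN_KEYS):
        hint = " (did you mean 'vhosts'?)" if key == "vhost" else ""
        problems.append(f"unrecognised key '{key}'{hint}")

    vhosts_raw = payload.get("vhosts")
    if vhosts_raw is None:
        problems.append("no 'vhosts' key: users would get no vhost permissions")
        return problems
    # On this page the value is a JSON document encoded as a string.
    try:
        vhosts = json.loads(vhosts_raw) if isinstance(vhosts_raw, str) else None
    except json.JSONDecodeError:
        vhosts = None
    if not isinstance(vhosts, dict) or not vhosts:
        problems.append("'vhosts' must be a string holding a non-empty JSON object")
        return problems
    for vhost, perms in vhosts.items():
        missing = PERMISSION_KEYS - set(perms) if isinstance(perms, dict) else PERMISSION_KEYS
        if missing:
            problems.append(f"vhost '{vhost}' lacks: {', '.join(sorted(missing))}")
    return problems


# Constructed samples: the payload as posted in the issue, and the same payload with the key renamed.
PERMS = json.dumps({"devopsrob/": {"configure": ".*", "write": ".*", "read": ".*"}})
AS_POSTED = json.dumps({"name": "rabbitrole", "tags": "administrator,management", "vhost": PERMS})
CORRECTED = json.dumps({"name": "rabbitrole", "tags": "administrator,management", "vhosts": PERMS})

if __name__ == "__main__":
    for label, body in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(label, "->", lint_role_payload(body) or "ok")
```

Running the same check against a role read back from Vault also confirms the permissions were stored, which is the symptom ("No Access" in RabbitMQ) that made this typo hard to spot.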
This typo is related to #7603. The typo was causing issues with getting this working correctly when following the guide. I imagine any other newbie to this plugin will have the same struggle. I had to delve into the source code to figure it out.
Closing as PR has been merged to master.
Describe the bug
I have enabled and configured the rabbitmq secrets engine with a role which should grant access to the '/' vhosts as per the example in the documentation, but somehow Vault isn't actually picking up the '/' in the role, so the correct permissions do not get assigned when creating a dynamic user. I was experiencing this in production, so I spun up a local dev server in dev mode to test and still see the same behaviour.
To Reproduce
Steps to reproduce the behavior:
Run the following set of commands to make the required API calls to Vault.
The following are the payload files used in some of the commands.
rabbitmq-payload.json:
rmq-payload.json:
rmq-role.json:
Expected behavior
I should have permissions to all vhosts under '/', so I would expect to see output like the following:
Actual behavior
I get this instead:
A user is created with the correct tags but without the vhost permissions.
Environment:
Vault server version (`vault status`): v1.2.3
Vault CLI version (`vault version`): Using the vault API rather than the CLI
Vault server configuration file(s):
vault server is running in Dev mode so no config file
Additional context
I tried using Terraform to configure this too and got the same outcome. It's as if the role is ignoring the '/' even though it's escaped correctly (I think), so it comes up empty instead. I logged into rabbitmq to see what was happening in real time and I can see the user being created with the specified tags, but the permissions state "No Access".