Salt: Salt-master doesn't renew vault token

Created on 5 Mar 2019 · 6 Comments · Source: saltstack/salt

Description of Issue/Question

Vault allows for an issued token to be renewed while it is still active. When the salt-master is configured to use token auth, it does not attempt to renew the token, instead, it lets it expire and then fail.

This seems like poor behavior, especially since the other auth method, approle, appears to validate if it's expired and request a new token. (Older versions of salt do not support approle.)

It would be beneficial if the salt-master monitored the remaining time to live of its configured token and renewed it.

Setup

(Please provide relevant configs and/or SLS files (Be sure to remove sensitive info).)

/etc/salt/master.d/vault.conf
vault:
  url: http://avault.server:8200
  auth:
    method: token
    token: randomjunkhere

Steps to Reproduce Issue

Provision a token with the appropriate policies, wait until the TTL expires, be unable to access Vault.

Versions Report

(Provided by running salt --versions-report. Please also mention any differences in master/minion versions.)

salt --versions-report
Salt Version:
           Salt: 2017.7.8

Dependency Versions:
           cffi: 1.5.2
       cherrypy: Not Installed
       dateutil: 2.4.2
      docker-py: Not Installed
          gitdb: 2.0.3
      gitpython: 2.1.10
          ioflo: Not Installed
         Jinja2: 2.8
        libgit2: 0.24.0
        libnacl: Not Installed
       M2Crypto: Not Installed
           Mako: 1.0.3
   msgpack-pure: Not Installed
 msgpack-python: 0.4.6
   mysql-python: Not Installed
      pycparser: 2.14
       pycrypto: 2.6.1
   pycryptodome: Not Installed
         pygit2: 0.24.0
         Python: 2.7.12 (default, Nov 12 2018, 14:36:49)
   python-gnupg: 0.3.8
         PyYAML: 3.11
          PyZMQ: 15.2.0
           RAET: Not Installed
          smmap: 2.0.3
        timelib: Not Installed
        Tornado: 4.2.1
            ZMQ: 4.1.4

System Versions:
           dist: Ubuntu 16.04 xenial
         locale: UTF-8
        machine: x86_64
        release: 4.4.0-1075-aws
         system: Linux
        version: Ubuntu 16.04 xenial
Bug severity-medium
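An added illustration of the watchdog the report asks for: look up the token's remaining TTL, renew it while it is still renewable, and distinguish the cases where renewal cannot help (root-style tokens with no expiry, non-renewable tokens, tokens that have hit their explicit max TTL). This is example code written for this page, not Salt's vault module or anything posted in the thread. It assumes the Vault token endpoints `GET /v1/auth/token/lookup-self` and `POST /v1/auth/token/renew-self` as documented by HashiCorp, reuses the `url` from the vault.conf above, and takes an injectable transport so the logic runs offline; `FakeVault` is a constructed stand-in for the server.

```python
"""Token TTL watchdog for a Vault token-auth client (illustration, not Salt code).

Assumptions (not from the issue): the two token endpoints below are the
documented Vault ones; the transport is injectable; FakeVault is a constructed
offline stand-in that answers like a Vault server would.
"""
import json
import urllib.request

VAULT_URL = "http://avault.server:8200"   # url from the issue's vault.conf


def http_transport(method, url, token, body=None):
    """Real transport: one JSON request to Vault, token sent in X-Vault-Token."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        url, data=data, method=method,
        headers={"X-Vault-Token": token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def lookup_self(token, url=VAULT_URL, transport=http_transport):
    """GET /v1/auth/token/lookup-self -> the 'data' dict (ttl, renewable, ...)."""
    return transport("GET", url + "/v1/auth/token/lookup-self", token)["data"]


def renew_self(token, increment=None, url=VAULT_URL, transport=http_transport):
    """POST /v1/auth/token/renew-self -> the 'auth' dict (lease_duration, ...)."""
    body = {"increment": increment} if increment else {}
    return transport("POST", url + "/v1/auth/token/renew-self", token, body)["auth"]


def renewal_decision(info, min_remaining):
    """Classify a lookup-self payload given a minimum acceptable remaining TTL.

    'no-expiry'  ttl == 0: root-like token, never expires, nothing to do
    'ok'         more than min_remaining seconds left
    'renew'      renewable and running low
    'replace'    running low but not renewable: renewal cannot help, a new
                 token has to be issued out of band
    """
    ttl = int(info.get("ttl", 0))
    if ttl == 0:
        return "no-expiry"
    if ttl > min_remaining:
        return "ok"
    return "renew" if info.get("renewable") else "replace"


def ensure_token_fresh(token, min_remaining=300, increment=None,
                       url=VAULT_URL, transport=http_transport):
    """One watchdog tick: returns (outcome, ttl_seconds_after_tick)."""
    info = lookup_self(token, url, transport)
    decision = renewal_decision(info, min_remaining)
    if decision != "renew":
        return decision, int(info.get("ttl", 0))
    auth = renew_self(token, increment, url, transport)
    new_ttl = int(auth.get("lease_duration", 0))
    # Vault caps a renewal at the token's explicit max TTL; if the renewal no
    # longer buys enough time the token is effectively at end of life.
    if new_ttl <= min_remaining:
        return "replace", new_ttl
    return "renewed", new_ttl


class FakeVault:
    """Constructed offline stand-in for the two endpoints; records every call."""

    def __init__(self, ttl, renewable, creation_ttl=3600):
        self.ttl, self.renewable, self.creation_ttl = ttl, renewable, creation_ttl
        self.calls = []

    def __call__(self, method, url, token, body=None):
        path = url.rsplit("/v1/", 1)[1]
        self.calls.append((method, path, body))
        if path == "auth/token/lookup-self":
            return {"data": {"ttl": self.ttl, "renewable": self.renewable,
                             "creation_ttl": self.creation_ttl}}
        if path == "auth/token/renew-self":
            if not self.renewable:
                raise RuntimeError("400: lease is not renewable")
            self.ttl = self.creation_ttl        # Vault resets toward creation TTL
            return {"auth": {"client_token": token, "lease_duration": self.ttl,
                             "renewable": True}}
        raise RuntimeError("unexpected path " + path)


if __name__ == "__main__":
    # Constructed sample: a renewable token with 2 minutes left, 5-minute floor.
    fake = FakeVault(ttl=120, renewable=True)
    print(ensure_token_fresh("s.constructed-token", 300, transport=fake))
```

A master would run `ensure_token_fresh` from a periodic job (for example every few minutes) and only fall back to re-issuing a token when it returns `replace`; the `no-expiry` branch is the root-token case described in the comments below, where renewal was never needed. The fake's `RuntimeError` on a non-renewable renew mirrors the fact that Vault rejects such a request, which is why the decision is taken from `lookup-self` before calling `renew-self`.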

All 6 comments

ping @carlpett, it seems you added a lot of the vault features. Do you have any ideas here?

It has been a few years, so somewhat foggy memory, but if I remember correctly, at the time of the initial implementation, we required a root token since Vault did not support granting some privilege needed. Since root tokens do not expire, renewal wasn't required.

Since it seems this is no longer the case, it would be a very reasonable addition to ensure non-root tokens work well, in order to discourage using them. I'm myself no longer in a position where I use either Vault or Saltstack, sadly, so my ability to contribute this is very limited.

Thanks for the input, I really appreciate it :)

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.

Reviving this as it is still an issue we are affected by.

Thank you for updating this issue. It is no longer marked as stale.
