cyberark / conjur

CyberArk Conjur automatically secures secrets used by privileged users and machine identities
https://conjur.org

Host Factory created hosts don't have the policy namespace of their layer #813

Open jvanderhoof opened 6 years ago

jvanderhoof commented 6 years ago

When a host is created using a host factory, the host does not include the inherited policy in its ID. This means adding a host (host-1) in the layer staging/myapp creates a host host-1 rather than staging/myapp/host-1 as would be expected.

Steps to Replicate:

  1. Start Conjur: https://github.com/conjurdemos/conjur-intro

  2. Load policy:

    ./cli conjur policy load --replace root policy/users.yml
    ./cli conjur policy load root policy/policy.yml
    ./cli conjur policy load staging policy/apps/myapp.yml

    Now we have a layer (staging/myapp) in the staging namespace called myapp, with a Host Factory.

  3. Create a HF Token from this Host Factory:

    ./cli conjur hostfactory tokens create staging/myapp

    Grab the host factory token (ex. 37y7fja5dngtkzgdkm230r8qk325e8bnekwwqev37408jpw4te8k) from the above response.

  4. Generate a new host host-2 using the previous HF Token:

    ./cli conjur hostfactory hosts create 37y7fja5dngtkzgdkm230r8qk325e8bnekwwqev37408jpw4te8k host-2

Result: A host host-2 is created, which is correctly owned by the staging/myapp layer.

Expected Results: The host is created using the layer's policy namespace: staging/myapp/host-2.
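The reproduction above goes through the conjur-intro CLI wrapper. The same check can be made directly against Conjur's Host Factory REST endpoint (POST /host_factories/hosts, authenticated with the HF token in an `Authorization: Token token="..."` header), comparing the returned host id with the namespaced id the issue expects. This is an added example, not code from the issue or from the Conjur project; the Conjur URL, the account name `demo`, and the sample response are assumptions constructed for the example, so the id check runs offline.

```python
"""Check whether a host-factory-created host carries its layer's policy
namespace. Added example; not code from the issue or from Conjur."""
import json
import urllib.parse
import urllib.request

# Assumptions for this example; substitute the values of your own instance.
CONJUR_URL = "https://conjur.example"   # assumed appliance URL
ACCOUNT = "demo"                         # assumed Conjur account
LAYER_ID = "staging/myapp"               # the layer from the issue


def expected_host_id(account, layer_id, short_id):
    """The id the issue expects: the owning layer's policy path prepended."""
    return f"{account}:host:{layer_id}/{short_id}"


def check_host_namespace(response, account, layer_id, short_id):
    """Return (ok, message) for a host-factory create response.

    `response` is the parsed JSON body; `id` is the fully qualified
    host id Conjur assigned (account:host:...).
    """
    created = response["id"]
    want = expected_host_id(account, layer_id, short_id)
    if created == want:
        return True, f"{created} is namespaced under layer {layer_id}"
    return False, f"{created} lacks the layer namespace; expected {want}"


def create_host_via_host_factory(conjur_url, hf_token, short_id):
    """POST /host_factories/hosts using a host factory token.

    Network call; not exercised offline. The HF token is the one obtained
    from `hostfactory tokens create` in the reproduction steps.
    """
    data = urllib.parse.urlencode({"id": short_id}).encode()
    req = urllib.request.Request(
        f"{conjur_url}/host_factories/hosts",
        data=data,
        method="POST",
        headers={"Authorization": f'Token token="{hf_token}"'},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample response mirroring the issue's "Result" (bug present):
# the host is owned by the layer but its id has no staging/myapp prefix.
SAMPLE_BUGGY_RESPONSE = {
    "id": "demo:host:host-2",
    "owner": "demo:layer:staging/myapp",
    "api_key": "REDACTED",
}


def main():
    ok, msg = check_host_namespace(SAMPLE_BUGGY_RESPONSE, ACCOUNT, LAYER_ID, "host-2")
    print(("PASS" if ok else "FAIL") + ": " + msg)


if __name__ == "__main__":
    main()
```

The check compares the full `account:host:...` id rather than the short name: with flat ids, a second host factory in a different layer that is asked for `host-2` targets the same identifier, which is exactly why the missing namespace matters beyond cosmetics.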

sjacobs146 commented 3 years ago

This bug is over 2 years old. Closing.

jvanderhoof commented 3 years ago

@dataplex, @whip113 - I've been looking into this issue today. I have a potential fix, but it skirts a design issue: a host factory token can enroll a created host into multiple layers.

My solution prepends the first layer's id to the created host's id, which meets the above issue's Expected Results. A couple of questions to the two of you:

  1. Is this a reasonable solution?
  2. Should we allow a Host Factory to enroll into multiple layers?
  3. Does it make sense for a host created by a host factory to be owned by that host factory, or should the host be owned by the layer (as if the host was enrolled in that layer via policy)?

Mamut3D commented 1 year ago

Is host-factory still supported? I mean it stays in the documentation, but other than that it seems dead. Even the puppet module (where use of host factory makes some sense) does not support it any more: https://github.com/cyberark/conjur-puppet.