Closed M0hanrajp closed 2 months ago
@M0hanrajp what I got is as follows:
cloud@dev-vb:~/EdgeX/edgex-compose$ docker run --rm -ti -v edgex_vault-config:/vault/config:ro alpine:latest cat /vault/config/assets/resp-init.json | json_pp
{
"keys" : [
"7737564426ae7a6f1d5015a388b27cecb2adeba2d3c8b9cb56a7c6f01834c8cd38",
"6b41db79779108ef6d320eb2132a971d257d79898dfd9e69d30bf1410f512ee3c7",
"e2f6186a79032417480cbaf88b5c0f1329215f3f4c8d62c9834ce6c4057abb480f",
"2c81ce53d06382be902583235245770fd75be45facd728740ca1430d04af7ba012",
"748d484652f45aaf4dcf9de80dc7065688792c5a9ef331a141be35bf832862940d"
],
"keys_base64" : [
"dzdWRCauem8dUBWjiLJ87LKt66LTyLnLVqfG8Bg0yM04",
"a0HbeXeRCO9tMg6yEyqXHSV9eYmN/Z5p0wvxQQ9RLuPH",
"4vYYankDJBdIDLr4i1wPEykhXz9MjWLJg0zmxAV6u0gP",
"LIHOU9Bjgr6QJYMjUkV3D9db5F+s1yh0DKFDDQSve6AS",
"dI1IRlL0Wq9Nz53oDccGVoh5LFqe8zGhQb41v4MoYpQN"
],
"root_token" : "hvs.OILV87UWLkKo8kAq3yp0GHJD"
}
It looks like you missed one step in the document: Edit docker-compose.yml and add an environment variable override for SECRETSTORE_REVOKEROOTTOKENS
secretstore-setup:
  environment:
    SECRETSTORE_REVOKEROOTTOKENS: "false"
The root token will be revoked by default.
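The extraction in the post above is done by eye on json_pp output. The script below is an added example, not code from the EdgeX project or from either poster: it pulls resp-init.json out of the named volume with the same docker run pipeline, picks out root_token with POSIX tools only (no jq or json_pp), counts the unseal shares, and reports when the token is not there to read, which is what happens once secretstore-setup has revoked it under the default SECRETSTORE_REVOKEROOTTOKENS=true. It assumes the file is the flat JSON object Vault's operator init writes (keys, keys_base64, root_token) and that the volume is named edgex_vault-config as in the thread; the sample JSON values are constructed dummies.

```shell
#!/bin/sh
# Added example, not code from the EdgeX project or from the posters in this
# thread. Reads the resp-init.json that security-secretstore-setup leaves in the
# vault-config volume and extracts the root_token field with POSIX tools only.
# Assumes the file is the flat JSON object `vault operator init` emits
# (keys, keys_base64, root_token) and that the volume is named
# edgex_vault-config, as in the thread's docker run command.

# Copy the file out of the named volume with a throwaway container, the same
# pipeline the thread uses. Only invoked when FETCH_FROM_VOLUME=1 is set.
fetch_resp_init() {
    docker run --rm -v edgex_vault-config:/vault/config:ro alpine:latest \
        cat /vault/config/assets/resp-init.json
}

# Read JSON on stdin, print the root_token value, return 1 if the field is
# missing or empty (the state after the root token has been revoked). Newlines
# are stripped first so compact and json_pp pretty-printed input behave the same.
root_token_from_json() {
    token=$(tr -d '\n\r' | sed -n 's/.*"root_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
    [ -n "$token" ] || return 1
    printf '%s\n' "$token"
}

# Count the entries of keys_base64, i.e. the number of unseal shares generated.
# Prints 0 when the array is absent or empty.
unseal_key_count() {
    tr -d '\n\r' \
        | sed -n 's/.*"keys_base64"[[:space:]]*:[[:space:]]*\[\([^]]*\)\].*/\1/p' \
        | tr ',' '\n' | grep -c '"' || true
}

# Constructed samples in the shape of the thread's output (token and keys are
# dummies, not real Vault material). The second one stands for a file written
# after secretstore-setup revoked the root token: the field is absent or empty,
# so there is nothing to extract.
SAMPLE_INIT='{"keys": ["00aa", "00bb"], "keys_base64": ["AKo=", "ALs="], "root_token": "hvs.EXAMPLE0000000000000000"}'
SAMPLE_REVOKED='{"keys": ["00aa", "00bb"], "keys_base64": ["AKo=", "ALs="]}'

if [ "${FETCH_FROM_VOLUME:-0}" = 1 ]; then
    fetch_resp_init | root_token_from_json
else
    echo "unseal shares: $(printf '%s' "$SAMPLE_INIT" | unseal_key_count)"
    echo "root token:    $(printf '%s' "$SAMPLE_INIT" | root_token_from_json)"
    printf '%s' "$SAMPLE_REVOKED" | root_token_from_json \
        || echo "no root_token in resp-init.json: it was revoked at first start; set SECRETSTORE_REVOKEROOTTOKENS=\"false\" before the first docker compose up" >&2
fi
```

Run it with FETCH_FROM_VOLUME=1 on the host where the compose stack lives to read the real file; without that variable it only exercises the constructed samples. Keep in mind what the default is protecting: a root token that is still valid sits in plaintext in a Docker volume, so set the override to "false" only while you need the token and let secretstore-setup revoke it afterwards.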
@cloudxxx8, below is my configuration, and I have set SECRETSTORE_REVOKEROOTTOKENS: "false" as you can see. I'm not sure why there is no root_token value in the JSON output like the one you printed.
For information, below is my security-secretstore-setup:
security-secretstore-setup:
  container_name: edgex-security-secretstore-setup
  depends_on:
    security-bootstrapper:
      condition: service_started
    vault:
      condition: service_started
  environment:
    SECRETSTORE_REVOKEROOTTOKENS: "false"
    EDGEX_ADD_KNOWN_SECRETS: redisdb[app-rules-engine],redisdb[device-rest],message-bus[device-rest],redisdb[device-virtual],message-bus[device-virtual]
    EDGEX_ADD_SECRETSTORE_TOKENS: ""
    EDGEX_GROUP: "2001"
    EDGEX_SECURITY_SECRET_STORE: "true"
    EDGEX_USER: "2002"
    PROXY_SETUP_HOST: edgex-security-proxy-setup
    SECRETSTORE_HOST: edgex-vault
    SECUREMESSAGEBUS_TYPE: redis
    STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
    STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321"
    STAGEGATE_DATABASE_HOST: edgex-redis
    STAGEGATE_DATABASE_PORT: "6379"
    STAGEGATE_DATABASE_READYPORT: "6379"
    STAGEGATE_PROXYSETUP_READYPORT: "54325"
    STAGEGATE_READY_TORUNPORT: "54329"
    STAGEGATE_REGISTRY_HOST: edgex-core-consul
    STAGEGATE_REGISTRY_PORT: "8500"
    STAGEGATE_REGISTRY_READYPORT: "54324"
    STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup
    STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322"
    STAGEGATE_WAITFOR_TIMEOUT: 60s
  hostname: edgex-security-secretstore-setup
  image: edgexfoundry/security-secretstore-setup:3.1.1
  networks:
    edgex-network: null
  read_only: true
  restart: always
  security_opt:
    - no-new-privileges:true
  tmpfs:
    - /run
    - /vault
  user: root:root
  volumes:
    - type: volume
      source: edgex-init
      target: /edgex-init
      read_only: true
      volume: {}
    - type: bind
      source: /etc/localtime
      target: /etc/localtime
      read_only: true
      bind:
        create_host_path: true
    - type: bind
      source: /tmp/edgex/secrets
      target: /tmp/edgex/secrets
      bind:
        selinux: z
        create_host_path: true
    - type: volume
      source: kuiper-sources
      target: /tmp/kuiper
      volume: {}
    - type: volume
      source: kuiper-connections
      target: /tmp/kuiper-connections
      volume: {}
    - type: volume
      source: vault-config
      target: /vault/config
      volume: {}
I did more tests, and confirm the SECRETSTORE_REVOKEROOTTOKENS setting has to be defined from the very beginning. You might have started EdgeX before you defined SECRETSTORE_REVOKEROOTTOKENS=false. After the first vault and secretstore-setup start, the root token will be revoked, and there is no way to get it back.
Thus, you can try:
@cloudxxx8, thanks for the tips, it works now!
[ Description ]
[ Documentation links ] From the documentation page regarding Obtaining the Vault Root Token from JSON output
docker run --rm -ti -v edgex_vault-config:/vault/config:ro alpine:latest cat /vault/config/assets/resp-init.json
[ My query ] I want to understand how I can identify the root_token field value from the JSON output below.
Thanks, Mohanraj