edgexfoundry / edgex-compose

EdgeX Foundry Docker Compose release compose files and tools for building EdgeX compose files
Apache License 2.0
82 stars 119 forks

How to identify root_token field value from JSON output. #445

Closed M0hanrajp closed 2 months ago

M0hanrajp commented 3 months ago

[ Description ]

[ Documentation links ] From the documentation page regarding Obtaining the Vault Root Token from JSON output

[ My query ] I want to understand how I can identify the root_token field value in the JSON output below.

mpunix@LIN-MP22QN1X:~/edgex/docker_security_true/edgex-compose-3.1.1$ docker run --rm -ti -v edgex_vault-config:/vault/config:ro alpine:latest cat /vault/config/assets/resp-init.json | json_pp
{
   "keys" : [
      "c9438a342d70dd4359308fe5c4a74b222156367032b8bbce34722a07b993213deb",
      "7875ab547f503c478ed9cb07da8d5c60a00470ff4d00d8c4aa1800c1277e1d190b",
      "58950f3b4b5cd2fbbd99f1ef83c786ee5a475c3f44c1377d75d21d5eb692dc60fb",
      "275d1faf14752e4f59e0f656ba28bf0fdd2a4bb5f3a4a6bcf16daeb29b68d74027",
      "6ad205b7f59cf3e45f19b49d7c6c0a9120691c2d821da71def8dd58505f9941d58"
   ],
   "keys_base64" : [
      "yUOKNC1w3UNZMI/lxKdLIiFWNnAyuLvONHIqB7mTIT3r",
      "eHWrVH9QPEeO2csH2o1cYKAEcP9NANjEqhgAwSd+HRkL",
      "WJUPO0tc0vu9mfHvg8eG7lpHXD9EwTd9ddIdXraS3GD7",
      "J10frxR1Lk9Z4PZWuii/D90qS7XzpKa88W2uspto10An",
      "atIFt/Wc8+RfGbSdfGwKkSBpHC2CHacd743VhQX5lB1Y"
   ]
}

Thanks, Mohanraj

cloudxxx8 commented 3 months ago

@M0hanrajp what I got is as follows:

cloud@dev-vb:~/EdgeX/edgex-compose$ docker run --rm -ti -v edgex_vault-config:/vault/config:ro alpine:latest cat /vault/config/assets/resp-init.json | json_pp
{
   "keys" : [
      "7737564426ae7a6f1d5015a388b27cecb2adeba2d3c8b9cb56a7c6f01834c8cd38",
      "6b41db79779108ef6d320eb2132a971d257d79898dfd9e69d30bf1410f512ee3c7",
      "e2f6186a79032417480cbaf88b5c0f1329215f3f4c8d62c9834ce6c4057abb480f",
      "2c81ce53d06382be902583235245770fd75be45facd728740ca1430d04af7ba012",
      "748d484652f45aaf4dcf9de80dc7065688792c5a9ef331a141be35bf832862940d"
   ],
   "keys_base64" : [
      "dzdWRCauem8dUBWjiLJ87LKt66LTyLnLVqfG8Bg0yM04",
      "a0HbeXeRCO9tMg6yEyqXHSV9eYmN/Z5p0wvxQQ9RLuPH",
      "4vYYankDJBdIDLr4i1wPEykhXz9MjWLJg0zmxAV6u0gP",
      "LIHOU9Bjgr6QJYMjUkV3D9db5F+s1yh0DKFDDQSve6AS",
      "dI1IRlL0Wq9Nz53oDccGVoh5LFqe8zGhQb41v4MoYpQN"
   ],
   "root_token" : "hvs.OILV87UWLkKo8kAq3yp0GHJD"
}

It looks like you missed one step in the document: Edit docker-compose.yml and add an environment variable override for SECRETSTORE_REVOKEROOTTOKENS

  secretstore-setup:
    environment:
      SECRETSTORE_REVOKEROOTTOKENS: "false"

The root token will be revoked by default.

M0hanrajp commented 3 months ago

@cloudxxx8, below is my configuration, and I have set SECRETSTORE_REVOKEROOTTOKENS: "false" as you can see. I'm not sure why there is no root_token value like in the JSON output you printed.

For information below is my security-secretstore-setup:

  security-secretstore-setup:
    container_name: edgex-security-secretstore-setup
    depends_on:
      security-bootstrapper:
        condition: service_started
      vault:
        condition: service_started
    environment:
      SECRETSTORE_REVOKEROOTTOKENS: "false"
      EDGEX_ADD_KNOWN_SECRETS: redisdb[app-rules-engine],redisdb[device-rest],message-bus[device-rest],redisdb[device-virtual],message-bus[device-virtual]
      EDGEX_ADD_SECRETSTORE_TOKENS: ""
      EDGEX_GROUP: "2001"
      EDGEX_SECURITY_SECRET_STORE: "true"
      EDGEX_USER: "2002"
      PROXY_SETUP_HOST: edgex-security-proxy-setup
      SECRETSTORE_HOST: edgex-vault
      SECUREMESSAGEBUS_TYPE: redis
      STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
      STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321"
      STAGEGATE_DATABASE_HOST: edgex-redis
      STAGEGATE_DATABASE_PORT: "6379"
      STAGEGATE_DATABASE_READYPORT: "6379"
      STAGEGATE_PROXYSETUP_READYPORT: "54325"
      STAGEGATE_READY_TORUNPORT: "54329"
      STAGEGATE_REGISTRY_HOST: edgex-core-consul
      STAGEGATE_REGISTRY_PORT: "8500"
      STAGEGATE_REGISTRY_READYPORT: "54324"
      STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup
      STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322"
      STAGEGATE_WAITFOR_TIMEOUT: 60s
    hostname: edgex-security-secretstore-setup
    image: edgexfoundry/security-secretstore-setup:3.1.1
    networks:
      edgex-network: null
    read_only: true
    restart: always
    security_opt:
    - no-new-privileges:true
    tmpfs:
    - /run
    - /vault
    user: root:root
    volumes:
    - type: volume
      source: edgex-init
      target: /edgex-init
      read_only: true
      volume: {}
    - type: bind
      source: /etc/localtime
      target: /etc/localtime
      read_only: true
      bind:
        create_host_path: true
    - type: bind
      source: /tmp/edgex/secrets
      target: /tmp/edgex/secrets
      bind:
        selinux: z
        create_host_path: true
    - type: volume
      source: kuiper-sources
      target: /tmp/kuiper
      volume: {}
    - type: volume
      source: kuiper-connections
      target: /tmp/kuiper-connections
      volume: {}
    - type: volume
      source: vault-config
      target: /vault/config
      volume: {}


cloudxxx8 commented 3 months ago

I did more tests, and confirm the SECRETSTORE_REVOKEROOTTOKENS setting has to be defined at the very beginning. You might have started EdgeX before you defined SECRETSTORE_REVOKEROOTTOKENS=false. After the first vault and secretstore-setup start, the root token will be revoked, and there is no way to get it back.

Thus, you can try:

  1. docker compose down -v (clean up everything)
  2. confirm that SECRETSTORE_REVOKEROOTTOKENS=false is set
  3. docker compose up -d (clean start)
  4. docker run --rm -ti -v edgex_vault-config:/vault/config:ro alpine:latest cat /vault/config/assets/resp-init.json | json_pp
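
As an added example (not part of the edgex-compose project or of either commenter's posts), the following POSIX shell script automates the two checks in this thread without needing docker: it confirms that a compose file carries the SECRETSTORE_REVOKEROOTTOKENS: "false" override, and it extracts root_token from a resp-init.json that has already been copied out of the edgex_vault-config volume. When the field is absent, as in the first post, it fails with a message pointing at the clean-restart sequence above. The JSON and compose fragments it writes to a temporary directory are constructed sample inputs; the token value is a placeholder, not a real credential.

```shell
#!/bin/sh
# Added example: offline checks for the EdgeX Vault root-token workflow.
# Only sed and grep are used, so it runs without docker, jq or json_pp.

# Exit 0 if the compose file keeps the root token (override set to "false"),
# exit 1 otherwise. Argument: path to a docker-compose.yml.
revoke_setting_disabled() {
    grep -Eq '^[[:space:]]*SECRETSTORE_REVOKEROOTTOKENS:[[:space:]]*"?false"?[[:space:]]*$' "$1"
}

# Print the root_token value from a Vault init response (resp-init.json).
# A missing field is what a revoked-at-first-start setup looks like, so return 1
# with a hint on stderr instead of printing an empty string.
extract_root_token() {
    token=$(sed -n 's/.*"root_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1")
    if [ -z "$token" ]; then
        echo "no root_token in $1: it was revoked at first start; run 'docker compose down -v'," \
             "set SECRETSTORE_REVOKEROOTTOKENS=false, then 'docker compose up -d'" >&2
        return 1
    fi
    printf '%s\n' "$token"
}

# Constructed sample inputs (hypothetical files; the token is a placeholder).
TMPDIR_EX=$(mktemp -d)
trap 'rm -rf "$TMPDIR_EX"' EXIT

cat > "$TMPDIR_EX/resp-init-revoked.json" <<'EOF'
{
   "keys" : [ "0000" ],
   "keys_base64" : [ "AAAA" ]
}
EOF

cat > "$TMPDIR_EX/resp-init-kept.json" <<'EOF'
{
   "keys" : [ "0000" ],
   "keys_base64" : [ "AAAA" ],
   "root_token" : "hvs.PLACEHOLDERTOKEN000000"
}
EOF

cat > "$TMPDIR_EX/compose-kept.yml" <<'EOF'
services:
  secretstore-setup:
    environment:
      SECRETSTORE_REVOKEROOTTOKENS: "false"
EOF

cat > "$TMPDIR_EX/compose-default.yml" <<'EOF'
services:
  secretstore-setup:
    environment:
      EDGEX_SECURITY_SECRET_STORE: "true"
EOF

# Stand-alone demo: report which sample keeps the token and which does not.
for c in "$TMPDIR_EX"/compose-*.yml; do
    if revoke_setting_disabled "$c"; then
        echo "$c: root token will be kept"
    else
        echo "$c: root token will be revoked (default)"
    fi
done
for f in "$TMPDIR_EX"/resp-init-*.json; do
    if tok=$(extract_root_token "$f"); then
        echo "$f: root_token present (${#tok} chars)"
    fi
done
```

Usage against a real deployment: copy the file out first (for example with the docker run command from step 4 redirected to a local file) and pass that path to extract_root_token; the compose check takes the docker-compose.yml you actually start EdgeX with.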

M0hanrajp commented 2 months ago

@cloudxxx8, thanks for the tips, it works now!