我运行本地保险柜开发服务器(v0.10.1)并使用Approle作为auth方法。我创建了一个可更新的MongoDB秘密引擎,然后分配一个策略来创建Approle,它授予路径secret/bootstrap,secret/application,database/creds/readwrite*和sys/leases/*所有功能。
使用spring-cloud-vault(v1.1.0),启动后可以正确获取MongoDB的用户名/密码。但是当租约到达它的ttl并且spring-cloud-vault试图更新它时,我得到以下例外:
2018-05-03 20:16:12.369 WARN 2921 --- [g-Cloud-Vault-1] LeaseEventPublisher$LoggingErrorListener : [RequestedSecret [path='database/creds/readwrite', mode=RENEW]] Lease [leaseId='database/creds/readwrite/200fad65-2165-9da4-206f-bb65c93cfdaa', leaseDuration=300, renewable=true] Status 403: permission denied
org.springframework.vault.VaultException: Status 403: permission denied
at org.springframework.vault.client.VaultResponses.buildException(VaultResponses.java:62) ~[spring-vault-core-1.1.1.RELEASE.jar:1.1.1.RELEASE]
at org.springframework.vault.core.VaultTemplate.doWithSession(VaultTemplate.java:321) ~[spring-vault-core-1.1.1.RELEASE.jar:1.1.1.RELEASE]
at org.springframework.vault.core.lease.SecretLeaseContainer.renew(SecretLeaseContainer.java:519) ~[spring-vault-core-1.1.1.RELEASE.jar:1.1.1.RELEASE]
at org.springframework.vault.core.lease.SecretLeaseContainer.doRenewLease(SecretLeaseContainer.java:487) ~[spring-vault-core-1.1.1.RELEASE.jar:1.1.1.RELEASE]
at org.springframework.vault.core.lease.SecretLeaseContainer$1.renewLease(SecretLeaseContainer.java:437) [spring-vault-core-1.1.1.RELEASE.jar:1.1.1.RELEASE]
at org.springframework.vault.core.lease.SecretLeaseContainer$LeaseRenewalScheduler$1.run(SecretLeaseContainer.java:678) [spring-vault-core-1.1.1.RELEASE.jar:1.1.1.RELEASE]
at org.springframework.scheduling.support.DelegatingErrorHandlingRunnable.run(DelegatingErrorHandlingRunnable.java:54) [spring-context-4.3.14.RELEASE.jar:4.3.14.RELEASE]
at org.springframework.scheduling.concurrent.ReschedulingRunnable.run(ReschedulingRunnable.java:81) [spring-context-4.3.14.RELEASE.jar:4.3.14.RELEASE]
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [na:1.8.0_152]
at java.util.concurrent.FutureTask.run(FutureTask.java:266) [na:1.8.0_152]
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) [na:1.8.0_152]
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) [na:1.8.0_152]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_152]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_152]
at java.lang.Thread.run(Thread.java:748) [na:1.8.0_152]
我可以知道我错过了什么案件吗?
更新:
我将路径从sys/leases/*更改为sys/*,然后似乎一切正常。所以我仍然想知道sys除sys/leases/*之外的哪些路径是必要的。
答案 0 :(得分:1)
如评论中所述,问题本身似乎已在spring-vault-core 2.1.1.BUILD-SNAPSHOT中得到解决,但仍存在租约续订问题似乎尚未解决Expired leases do are not rotated on secret renewal。