
I am running a local Vault dev server (v0.10.1) and using AppRole as the authentication method. I created a renewable MongoDB secrets engine and then assigned the created AppRole a policy that grants all capabilities on the paths secret/bootstrap, secret/application, database/creds/readwrite* and sys/leases/*.

With spring-cloud-vault (v1.1.0) it correctly fetches the MongoDB username/password after startup. But when the lease reaches its TTL and spring-cloud-vault tries to renew it, I get the following exception:

2018-05-03 20:16:12.369  WARN 2921 --- [g-Cloud-Vault-1] LeaseEventPublisher$LoggingErrorListener : [RequestedSecret [path='database/creds/readwrite', mode=RENEW]] Lease [leaseId='database/creds/readwrite/200fad65-2165-9da4-206f-bb65c93cfdaa', leaseDuration=300, renewable=true] Status 403: permission denied
org.springframework.vault.VaultException: Status 403: permission denied
    at org.springframework.vault.client.VaultResponses.buildException(VaultResponses.java:62) ~[spring-vault-core-1.1.1.RELEASE.jar:1.1.1.RELEASE]
    at org.springframework.vault.core.VaultTemplate.doWithSession(VaultTemplate.java:321) ~[spring-vault-core-1.1.1.RELEASE.jar:1.1.1.RELEASE]
    at org.springframework.vault.core.lease.SecretLeaseContainer.renew(SecretLeaseContainer.java:519) ~[spring-vault-core-1.1.1.RELEASE.jar:1.1.1.RELEASE]
    at org.springframework.vault.core.lease.SecretLeaseContainer.doRenewLease(SecretLeaseContainer.java:487) ~[spring-vault-core-1.1.1.RELEASE.jar:1.1.1.RELEASE]
    at org.springframework.vault.core.lease.SecretLeaseContainer$1.renewLease(SecretLeaseContainer.java:437) [spring-vault-core-1.1.1.RELEASE.jar:1.1.1.RELEASE]
    at org.springframework.vault.core.lease.SecretLeaseContainer$LeaseRenewalScheduler$1.run(SecretLeaseContainer.java:678) [spring-vault-core-1.1.1.RELEASE.jar:1.1.1.RELEASE]
    at org.springframework.scheduling.support.DelegatingErrorHandlingRunnable.run(DelegatingErrorHandlingRunnable.java:54) [spring-context-4.3.14.RELEASE.jar:4.3.14.RELEASE]
    at org.springframework.scheduling.concurrent.ReschedulingRunnable.run(ReschedulingRunnable.java:81) [spring-context-4.3.14.RELEASE.jar:4.3.14.RELEASE]
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [na:1.8.0_152]
    at java.util.concurrent.FutureTask.run(FutureTask.java:266) [na:1.8.0_152]
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) [na:1.8.0_152]
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) [na:1.8.0_152]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_152]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_152]
    at java.lang.Thread.run(Thread.java:748) [na:1.8.0_152]

May I know what I am missing?

Update: I changed the path from sys/leases/* to sys/* and then everything seems to work. So I still want to know which paths under sys are required in this case besides sys/leases/*.
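To see which request paths the policy described above actually covers, here is an added example that is not code from the question, from Spring Vault or from HashiCorp Vault: a simplified model of Vault's ACL path matching run against the asker's policy and the widened sys/* variant. The capability sets and the assumption that a lease renewal is an update on sys/leases/renew (or, for clients still calling it, the deprecated sys/renew endpoint) are mine, not the page's.

```python
# Added example (not code from the question, Spring Vault or HashiCorp Vault):
# a simplified model of Vault ACL path matching, used to check which request
# paths the asker's AppRole policy covers. Policy merging, parameter
# constraints and token-level restrictions are ignored; only path rules matter.
from typing import Dict, Set

ALL = {"create", "read", "update", "delete", "list"}

# The asker's policy as described in the question (capability sets assumed).
ASKER_POLICY: Dict[str, Set[str]] = {
    "secret/bootstrap": set(ALL),
    "secret/application": set(ALL),
    "database/creds/readwrite*": set(ALL),
    "sys/leases/*": set(ALL),
}

# The asker's working variant: sys/leases/* widened to sys/*.
WIDENED_POLICY: Dict[str, Set[str]] = {**ASKER_POLICY, "sys/*": set(ALL)}
WIDENED_POLICY.pop("sys/leases/*")


def path_matches(pattern: str, path: str) -> bool:
    """'+' matches exactly one segment; a trailing '*' matches any suffix."""
    glob = pattern.endswith("*")
    pat_segs = (pattern[:-1] if glob else pattern).split("/")
    path_segs = path.split("/")
    if glob:
        head, tail = pat_segs[:-1], pat_segs[-1]
        if len(path_segs) <= len(head):  # 'sys/leases/*' does not cover 'sys/leases'
            return False
        rest = "/".join(path_segs[len(head):])
        return _segs_equal(head, path_segs[:len(head)]) and rest.startswith(tail)
    return len(pat_segs) == len(path_segs) and _segs_equal(pat_segs, path_segs)


def _segs_equal(pat_segs, path_segs) -> bool:
    return all(p == "+" or p == s for p, s in zip(pat_segs, path_segs))


def capabilities(policy: Dict[str, Set[str]], path: str) -> Set[str]:
    """Exact rule beats glob, then the longest matching pattern wins; 'deny' blocks."""
    matches = [p for p in policy if path_matches(p, path)]
    if not matches:
        return set()
    best = max(matches, key=lambda p: (not p.endswith("*"), len(p)))
    return set() if "deny" in policy[best] else set(policy[best])


def renewal_report(policy: Dict[str, Set[str]]) -> Dict[str, bool]:
    """Assumed: renew is an 'update' on sys/leases/renew or the deprecated sys/renew."""
    return {p: "update" in capabilities(policy, p) for p in ("sys/leases/renew", "sys/renew")}
```

Under this model the original policy permits sys/leases/renew but not sys/renew, while sys/* permits both, which is consistent with the observation above; checking the token's real view with Vault's sys/capabilities-self endpoint confirms it against a live server.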


1 Answer


As mentioned in the comments, the issue itself seems to be resolved in spring-vault-core 2.1.1.BUILD-SNAPSHOT, but there still seems to be an unresolved lease-renewal issue: expired leases are not rotated on secret renewal.

Answered 2018-10-24T23:40:52.533