secrets-manager icon indicating copy to clipboard operation
secrets-manager copied to clipboard
verified publisher icon Keeper-Security

ansible integration: KSMCache class initializes cache file path before environment variable is set

Open flybyray opened this issue 1 year ago • 2 comments

https://github.com/Keeper-Security/secrets-manager/blob/fab6c473ba1f514efc78dda35168f7653e083b1e/sdk/python/core/keeper_secrets_manager_core/core.py#L1679

https://github.com/Keeper-Security/secrets-manager/blob/fab6c473ba1f514efc78dda35168f7653e083b1e/integration/keeper_secrets_manager_ansible/keeper_secrets_manager_ansible/init.py#L175-L177

Current workarround i need to start all ansible processes with the KSM_CACHE_DIR variable set. But then all my ansible-vault keyfiles which use KSM need to have an override to set the current working directory again for their process context.

or maybe after line 177 an additional KSMCache.kms_cache_file_name = os.path.join(os.environ.get(KeeperAnsible.ENV_CACHE_DIR, ""), 'ksm_cache.bin') is needed:

                # We are using the cache, what directory should the cache file be stored in.
                cache_dir_key = KeeperAnsible.keeper_key(KeeperAnsible.KEY_CACHE_DIR)
                if task_vars.get(cache_dir_key) is not None and os.environ.get(KeeperAnsible.ENV_CACHE_DIR) is None:
                    os.environ[KeeperAnsible.ENV_CACHE_DIR] = task_vars.get(cache_dir_key)
                    KSMCache.kms_cache_file_name = os.path.join(os.environ.get(KeeperAnsible.ENV_CACHE_DIR, ""), 'ksm_cache.bin')

flybyray avatar Oct 16 '24 07:10 flybyray

We can do that. Yeah, by this point the KSMCache class has been loaded and kms_cache_file_name set in the class.

jwalstra-keeper avatar Oct 16 '24 19:10 jwalstra-keeper

... can ...

There are multiple integrations used in an ansible setup with keeper. Currently they do not play nicely with each other in a DR event. Maybe i can explain when i show you a concret error resulting from that stuff above

Error: Notation error - found multiple records with same UID ...

How that comes?

ksm when cache enabled without KSM_CACHE_DIR set would put a file ksm_cache.bin in the current directory. keeper_ansible when cache enabled AND EVEN WHEN keeper_cache_dir is set as ansible variable would ignore the value of this variable because "kms_cache_file_name set in the class". Hence keeper_ansible would use the same ksm_cache.bin in the current directory as ksm would use. But the cache files have different purpose. See your own documentation.

In DR event both need to have their own cache file if they do not share the VERY same parameters! Otherwise DR event is just D :-)

I am not sure if the addition of the one line in the code base is sufficient or usefull. Currently I decided to be very explicit with setting KSM_CACHE_DIR in several occurrences.

  1. when starting ansible...
  2. when creating a bash script for Ansible Vault Password Retrieval ), I put the KSM_CACHE_DIR in front of each ksm call.

But this is very error-prone if several supervisors have to be instructed to pay attention to it.

flybyray avatar Oct 18 '24 06:10 flybyray

We filled this issue KSM-672, and will include fix in next ansible release

m-afanasiuk avatar Oct 17 '25 15:10 m-afanasiuk