
Host Factory created hosts don't have the policy namespace of their layer

Open jvanderhoof opened this issue 6 years ago • 3 comments

When a host is created using a host factory, the host does not include the inherited policy in its ID. This means adding a host (host-1) in the layer staging/myapp creates a host host-1 rather than staging/myapp/host-1 as would be expected.

Steps to Replicate:

  1. Start Conjur: https://github.com/conjurdemos/conjur-intro

  2. Load policy:

    ./cli conjur policy load --replace root policy/users.yml
    ./cli conjur policy load root policy/policy.yml
    ./cli conjur policy load staging policy/apps/myapp.yml
    

    Now we have a layer (staging/myapp) in the staging namespace called myapp, with a Host Factory.

  3. Create a HF Token from this Host Factory:

    ./cli conjur hostfactory tokens create staging/myapp
    

    Grab the host factory token (ex. 37y7fja5dngtkzgdkm230r8qk325e8bnekwwqev37408jpw4te8k) from the above response.

  4. Generate a new host host-2 using the previous HF Token:

    ./cli conjur hostfactory hosts create 37y7fja5dngtkzgdkm230r8qk325e8bnekwwqev37408jpw4te8k host-2
    

Result: A host, host-2, is created, which is correctly owned by the staging/myapp layer.

Expected Results: The host is created using the layer's policy: staging/myapp/host-2.

jvanderhoof avatar Nov 28 '18 22:11 jvanderhoof
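As an added example (not code from the Conjur project or from the issue author), the following script checks whether a host returned by the Host Factory `hosts create` call actually sits under the policy namespace of the layer(s) the token belongs to, which is the property this report says is missing. The REST call (`POST /host_factories/hosts` with a `Token token="..."` header) is wrapped in a function that is not exercised offline; `CONJUR_URL`, the account name `myorg`, and the sample responses are constructed placeholders.

```python
"""Check that Host Factory created hosts carry their layer's policy namespace.

Added example; not part of the Conjur project. CONJUR_URL, ACCOUNT and the
SAMPLE_* dictionaries are constructed placeholders.
"""
import json
import urllib.parse
import urllib.request

CONJUR_URL = "https://conjur.example"   # assumption: placeholder appliance URL
ACCOUNT = "myorg"                       # assumption: placeholder account name


def parse_resource_id(full_id: str):
    """Split a fully qualified Conjur id 'account:kind:identifier' into its parts.

    The identifier itself may contain '/', so only the first two ':' separate."""
    account, kind, identifier = full_id.split(":", 2)
    return account, kind, identifier


def expected_host_id(layer_id: str, host_name: str) -> str:
    """The id the report expects: the layer's policy path prefixed to the name."""
    return f"{layer_id}/{host_name}"


def check_host_namespace(created: dict, layer_ids):
    """Return (ok, detail) for a host-factory response.

    ok is True only when the created host id sits under the policy namespace of
    one of the given layers. A list is accepted because a host factory may be
    attached to more than one layer."""
    _, kind, identifier = parse_resource_id(created["id"])
    if kind != "host":
        return False, f"unexpected resource kind {kind!r}"
    for layer in layer_ids:
        if identifier.startswith(layer + "/"):
            return True, f"{identifier} is inside namespace {layer}"
    return False, f"{identifier} is outside all of {list(layer_ids)}"


def create_host(hf_token: str, host_name: str) -> dict:
    """Create a host with a Host Factory token via the Conjur REST API
    (POST /host_factories/hosts?id=<name>). Performs a network call, so it is
    only illustrated here and never invoked by the offline checks below."""
    url = f"{CONJUR_URL}/host_factories/hosts?" + urllib.parse.urlencode({"id": host_name})
    req = urllib.request.Request(
        url, method="POST",
        headers={"Authorization": f'Token token="{hf_token}"'},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed samples of the response shape. The first mirrors the behaviour
# described in the report (host lands at the root); the second is the expected
# result (host lands under staging/myapp).
SAMPLE_BUGGY_RESPONSE = {"id": f"{ACCOUNT}:host:host-2"}
SAMPLE_EXPECTED_RESPONSE = {"id": f"{ACCOUNT}:host:staging/myapp/host-2"}

if __name__ == "__main__":
    for sample in (SAMPLE_BUGGY_RESPONSE, SAMPLE_EXPECTED_RESPONSE):
        ok, detail = check_host_namespace(sample, ["staging/myapp"])
        print("OK " if ok else "BAD", detail)
```

Running the check on the two constructed samples flags the first (`host-2` at the root) and accepts the second (`staging/myapp/host-2`), so the same function can be run against real `hosts create` responses after enrollment to confirm which namespace each host ended up in.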

This bug is over 2 years old. Closing.

sjacobs146 avatar Apr 08 '21 17:04 sjacobs146

@dataplex, @whip113 - I've been looking into this issue today. I have a potential fix, but it skirts a design issue: a host factory token can enroll a created host into multiple layers.

My solution prepends the first layer's id to the created host's id, which meets the above issue's Expected Results. A couple of questions to the two of you:

  1. Is this a reasonable solution?
  2. Should we allow a Host Factory to enroll into multiple layers?
  3. Does it make sense for a host created by a host factory to be owned by that host factory, or should the host be owned by the layer (as if the host was enrolled in that layer via policy)?

jvanderhoof avatar Oct 15 '21 21:10 jvanderhoof

Is host-factory still supported? I mean it stays in the documentation, but other than that it seems dead. Even the Puppet module (where use of host factory makes some sense) does not support it any more: https://github.com/cyberark/conjur-puppet.

Mamut3D avatar Nov 07 '23 15:11 Mamut3D