spring-cloud-vault
token not updated
**Describe the bug**

Hello. I use
- spring-cloud-vault-config-databases 3.0.4
- spring-cloud-starter-bootstrap 3.0.4
- spring-vault-core 2.3.2
And it works, but in the logs I see the following:

```text
2022-01-14 19:53:01 | 2022-01-14 12:53:01,826 ERROR [core-project-manager,d91d3f7a4e91685d,0111c8a2532ea50e] 7 --- [http-nio-8080-exec-2] org.hibernate.engine.jdbc.spi.SqlExceptionHelper : ERROR: permission denied for schema project
2022-01-14 19:53:01 | 2022-01-14 12:53:01,826 WARN [core-project-manager,d91d3f7a4e91685d,0111c8a2532ea50e] 7 --- [http-nio-8080-exec-2] org.hibernate.engine.jdbc.spi.SqlExceptionHelper : SQL Error: 0, SQLState: 42501
2022-01-14 19:53:01 | 2022-01-14 12:53:01,752 INFO [core-project-manager,d91d3f7a4e91685d,0111c8a2532ea50e] 7 --- [http-nio-8080-exec-2] emma.core.project.manager.server.feature.user.controllers.UserController : Start method: UserMfaDto emma.core.project.manager.server.feature.user.controllers.UserController.getMfaState()
2022-01-14 19:53:01 | 2022-01-14 12:53:01,522 INFO [core-project-manager,d91d3f7a4e91685d,0111c8a2532ea50e] 7 --- [http-nio-8080-exec-2] org.keycloak.adapters.KeycloakDeployment : Loaded URLs from https://keycloack.dev.emma.ms/auth/realms/emma/.well-known/openid-configuration
2022-01-14 19:23:29 | 2022-01-14 12:23:29,159 INFO [core-project-manager,,] 7 --- [Spring-Cloud-Vault-1] org.springframework.vault.authentication.LifecycleAwareSessionManager : Token TTL exceeded validity TTL threshold. Dropping token.
2022-01-14 19:23:29 | 2022-01-14 12:23:29,141 INFO [core-project-manager,,] 7 --- [Spring-Cloud-Vault-1] org.springframework.vault.authentication.LifecycleAwareSessionManager : Renewing token
2022-01-14 19:23:28 | 2022-01-14 12:23:28,141 INFO [core-project-manager,,] 7 --- [Spring-Cloud-Vault-1] org.springframework.vault.authentication.LifecycleAwareSessionManager : Scheduling Token renewal
2022-01-14 19:23:28 | 2022-01-14 12:23:28,131 INFO [core-project-manager,,] 7 --- [Spring-Cloud-Vault-1] org.springframework.vault.authentication.LifecycleAwareSessionManager : Renewing token
2022-01-14 19:23:27 | 2022-01-14 12:23:27,148 INFO [core-project-manager,,] 7 --- [Spring-Cloud-Vault-1] org.springframework.vault.authentication.LifecycleAwareSessionManager : Token TTL exceeded validity TTL threshold. Dropping token.
2022-01-14 19:23:27 | 2022-01-14 12:23:27,131 INFO [core-project-manager,,] 7 --- [Spring-Cloud-Vault-1] org.springframework.vault.authentication.LifecycleAwareSessionManager : Scheduling Token renewal
2022-01-14 19:23:27 | 2022-01-14 12:23:27,116 INFO [core-project-manager,,] 7 --- [Spring-Cloud-Vault-1] org.springframework.vault.authentication.LifecycleAwareSessionManager : Renewing token
2022-01-14 19:23:27 | 2022-01-14 12:23:27,115 INFO [core-project-manager,,] 7 --- [Spring-Cloud-Vault-1] org.springframework.vault.authentication.LifecycleAwareSessionManager : Renewing token
2022-01-14 19:23:26 | 2022-01-14 12:23:26,115 INFO [core-project-manager,,] 7 --- [Spring-Cloud-Vault-1] org.springframework.vault.authentication.LifecycleAwareSessionManager : Scheduling Token renewal
2022-01-14 19:23:26 | 2022-01-14 12:23:26,114 INFO [core-project-manager,,] 7 --- [Spring-Cloud-Vault-1] org.springframework.vault.authentication.LifecycleAwareSessionManager : Scheduling Token renewal
2022-01-14 19:23:26 | 2022-01-14 12:23:26,106 INFO [core-project-manager,,] 7 --- [Spring-Cloud-Vault-1] org.springframework.vault.authentication.LifecycleAwareSessionManager : Renewing token
2022-01-14 19:23:26 | 2022-01-14 12:23:26,105 INFO [core-project-manager,,] 7 --- [Spring-Cloud-Vault-1] org.springframework.vault.authentication.LifecycleAwareSessionManager : Renewing token
2022-01-14 19:23:25 | 2022-01-14 12:23:25,106 INFO [core-project-manager,,] 7 --- [Spring-Cloud-Vault-1] org.springframework.vault.authentication.LifecycleAwareSessionManager : Scheduling Token renewal
2022-01-14 19:23:25 | 2022-01-14 12:23:25,104 INFO [core-project-manager,,] 7 --- [Spring-Cloud-Vault-1] org.springframework.vault.authentication.LifecycleAwareSessionManager : Scheduling Token renewal
2022-01-14 19:23:25 | 2022-01-14 12:23:25,091 INFO [core-project-manager,,] 7 --- [Spring-Cloud-Vault-1] org.springframework.vault.authentication.LifecycleAwareSessionManager : Renewing token
2022-01-14 19:23:25 | 2022-01-14 12:23:25,090 INFO [core-project-manager,,] 7 --- [Spring-Cloud-Vault-1] org.springframework.vault.authentication.LifecycleAwareSessionManager : Renewing token
2022-01-14 19:23:24 | 2022-01-14 12:23:24,091 INFO [core-project-manager,,] 7 --- [Spring-Cloud-Vault-1] org.springframework.vault.authentication.LifecycleAwareSessionManager : Scheduling Token renewal
2022-01-14 19:23:24 | 2022-01-14 12:23:24,089 INFO [core-project-manager,,] 7 --- [Spring-Cloud-Vault-1] org.springframework.vault.authentication.LifecycleAwareSessionManager : Scheduling Token renewal
2022-01-14 19:23:24 | 2022-01-14 12:23:24,081 INFO [core-project-manager,,] 7 --- [Spring-Cloud-Vault-1] org.springframework.vault.authentication.LifecycleAwareSessionManager : Renewing token
2022-01-14 19:23:24 | 2022-01-14 12:23:24,076 INFO [core-project-manager,,] 7 --- [Spring-Cloud-Vault-1] org.springframework.vault.authentication.LifecycleAwareSessionManager : Renewing token
2022-01-14 19:23:23 | 2022-01-14 12:23:23,079 INFO [core-project-manager,,] 7 --- [Spring-Cloud-Vault-1] org.springframework.vault.authentication.LifecycleAwareSessionManager : Scheduling Token renewal
2022-01-14 19:23:23 | 2022-01-14 12:23:23,075 INFO [core-project-manager,,] 7 --- [Spring-Cloud-Vault-1] org.springframework.vault.authentication.LifecycleAwareSessionManager : Scheduling Token renewal
```
My Vault configuration in `bootstrap.yml`:

```yaml
spring:
  cloud:
    vault:
      fail-fast: true
      kv:
        enabled: false
      authentication: APPROLE
      reactive:
        enabled: false
      session:
        lifecycle:
          expiry-threshold: 60s
          refresh-before-expiry: 80s
      config.lifecycle:
        enabled: true
        min-renewal: 50s
        expiry-threshold: 45s
      appRole:
        appRolePath: core-approle
        role: core-role
        roleId: ****
        secretId: *****
      uri: https://vault.dev.emma.ms
      database:
        enabled: true
        role: core-project-manager-role
        backend: core_project_manager_db2
spring.config.import: vault://
```
And my role settings:

```text
vault read sys/auth/core-approle/tune
Key                  Value
default_lease_ttl    1200
description
force_no_cache       false
max_lease_ttl        1800
token_type           default-service
```
Token info:

```json
{
  "request_id": "f08b427a-b3f9-***",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": null,
  "wrap_info": null,
  "warnings": null,
  "auth": {
    "client_token": "s.qlzTIp4Y8tq5****",
    "accessor": "EaCZ7UyurBc6DQf***",
    "policies": [
      "core-policy",
      "default"
    ],
    "token_policies": [
      "core-policy",
      "default"
    ],
    "metadata": {
      "role_name": "core-role"
    },
    "lease_duration": 1200,
    "renewable": true,
    "entity_id": "0bf6d360-fe61-03a8-****",
    "token_type": "service",
    "orphan": true
  }
}
```
I use a custom lease listener:

```java
import static org.springframework.vault.core.lease.domain.RequestedSecret.Mode.RENEW;
import static org.springframework.vault.core.lease.domain.RequestedSecret.Mode.ROTATE;

import javax.annotation.PostConstruct;
import org.springframework.vault.core.lease.SecretLeaseContainer;
import org.springframework.vault.core.lease.SecretLeaseEventPublisher;
import org.springframework.vault.core.lease.event.SecretLeaseCreatedEvent;
import org.springframework.vault.core.lease.event.SecretLeaseEvent;
import org.springframework.vault.core.lease.event.SecretLeaseExpiredEvent;

// Fields used below (declared elsewhere in the reporter's class, not shown in the issue):
//   leaseContainer : Optional<SecretLeaseContainer>
//   vaultConfig    : the reporter's own config bean (isCheckConfig(), getVaultCredsPath())
//   renew(...) / refreshDatabase(...) : the reporter's own helpers
@PostConstruct
private void postConstruct() {
    if (!leaseContainer.isPresent()) {
        log.warn("Cannot update database connection because bean SecretLeaseContainer not found");
        return;
    }
    if (!vaultConfig.isCheckConfig()) {
        log.warn("Cannot update database connection because vault config is fail");
        return;
    }
    SecretLeaseContainer secretLeaseContainer = leaseContainer.get();
    secretLeaseContainer.addLeaseListener((SecretLeaseEvent event) -> {
        log.info("Start lease change for DB: source path {} and vault path {}",
                event.getSource().getPath(), vaultConfig.getVaultCredsPath());
        // Only react to the lease for the database credentials path.
        if (!event.getSource().getPath().equalsIgnoreCase(vaultConfig.getVaultCredsPath())) {
            return;
        }
        log.info("Lease change for DB: {}", event.getLease());
        // RENEW mode: the lease ran out, ask for a renewal.
        if (event instanceof SecretLeaseExpiredEvent && event.getSource().getMode() == RENEW) {
            renew(secretLeaseContainer);
        // ROTATE mode: a new credential set was issued, point the DataSource at it.
        } else if (event instanceof SecretLeaseCreatedEvent && event.getSource().getMode() == ROTATE) {
            refreshDatabase(event);
        }
    });
    // Replace the default error logging with the listener above.
    secretLeaseContainer.removeLeaseErrorListener(SecretLeaseEventPublisher.LoggingErrorListener.INSTANCE);
}
```
Why is the APPROLE token not updated after it expires?
The role created for the database is deleted when the token expires.
I see that my DB user was deleted after the token was dropped.
```text
2022-01-14 19:53:01 | 2022-01-14 12:53:01,826 ERROR [core-project-manager,d91d3f7a4e91685d,0111c8a2532ea50e] 7 --- [http-nio-8080-exec-2] org.hibernate.engine.jdbc.spi.SqlExceptionHelper : ERROR: permission denied for schema project
2022-01-14 19:53:01 | 2022-01-14 12:53:01,826 WARN [core-project-manager,d91d3f7a4e91685d,0111c8a2532ea50e] 7 --- [http-nio-8080-exec-2] org.hibernate.engine.jdbc.spi.SqlExceptionHelper : SQL Error: 0, SQLState: 42501
2022-01-14 19:23:29 | 2022-01-14 12:23:29,159 INFO [core-project-manager,,] 7 --- [Spring-Cloud-Vault-1] org.springframework.vault.authentication.LifecycleAwareSessionManager : Token TTL exceeded validity TTL threshold. Dropping token.
```

Then in the log:

```text
2022-01-14 19:53:44 | 2022-01-14 12:53:44,941 INFO [core-project-manager,,] 7 --- [Spring-Cloud-Vault-2] emma.commons.vault.databases.service.VaultDatabasesServiceImpl : Start lease change for DB: source path core_project_manager_db2/creds/core-project-manager-role and vault path core_project_manager_db2/creds/core-project-manager-role
2022-01-14 19:53:44 | 2022-01-14 12:53:44,936 INFO [core-project-manager,,] 7 --- [Spring-Cloud-Vault-2] org.springframework.vault.authentication.LifecycleAwareSessionManager : Scheduling Token renewal
```
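The following Python model is added here as an editorial illustration; it is neither the reporter's code nor Spring Vault's. It walks the token-renewal loop with the numbers from this issue (login token `lease_duration` 1200, mount `max_lease_ttl` 1800, `refresh-before-expiry` 80s, `expiry-threshold` 60s) under two assumptions: that Spring Vault's `LifecycleAwareSessionManager` schedules each renewal `refresh-before-expiry` seconds before the current TTL runs out, never sooner than one second away, and drops the token once the TTL is at or below `expiry-threshold`; and that Vault caps every renewed TTL at the mount's `max_lease_ttl` measured from token creation. The model shows why a burst of one-second "Renewing token" lines appears just before "Dropping token", and when that drop happens. Dynamic database credentials issued under a token are revoked by Vault together with that token, which is the permission error the issue reports.

```python
"""Simplified model of Spring Vault token renewal against a Vault max_lease_ttl cap.

Constructed example for this issue; the scheduling rules are assumptions about
FixedTimeoutRefreshTrigger, not Spring Vault source.
"""
from dataclasses import dataclass


@dataclass
class SessionLifecycle:
    """spring.cloud.vault.session.lifecycle.* from the reporter's bootstrap.yml (seconds)."""
    refresh_before_expiry: int = 80
    expiry_threshold: int = 60


@dataclass
class TokenLimits:
    """Values from the token info and `vault read sys/auth/core-approle/tune` (seconds)."""
    lease_duration: int = 1200  # "lease_duration": 1200 on the login token
    max_lease_ttl: int = 1800   # max_lease_ttl on the core-approle mount


def renewal_delay(ttl: int, cfg: SessionLifecycle) -> int:
    """Assumed scheduling rule: renew refresh-before-expiry seconds before expiry,
    but never schedule closer than one second away."""
    return max(ttl - cfg.refresh_before_expiry, 1)


def renewed_ttl(elapsed: int, limits: TokenLimits) -> int:
    """Vault grants the requested increment but never extends a token past the
    mount's max_lease_ttl counted from creation, so the granted TTL shrinks near the cap."""
    return max(min(limits.lease_duration, limits.max_lease_ttl - elapsed), 0)


def simulate(limits: TokenLimits, cfg: SessionLifecycle, max_renewals: int = 100) -> dict:
    """Walk the renew loop and report when the token is dropped.

    Any leases obtained with this token (the dynamic database credentials in the
    issue) are revoked by Vault together with the token at that point.
    """
    elapsed, ttl, renewals, one_second_renewals = 0, limits.lease_duration, 0, 0
    while renewals < max_renewals:
        if ttl <= cfg.expiry_threshold:
            # Assumed drop rule: "Token TTL exceeded validity TTL threshold. Dropping token."
            return {"dropped_at": elapsed, "renewals": renewals,
                    "one_second_renewals": one_second_renewals, "final_ttl": ttl}
        delay = renewal_delay(ttl, cfg)
        if delay == 1:
            one_second_renewals += 1  # the tight "Renewing token" burst in the logs
        elapsed += delay
        ttl = renewed_ttl(elapsed, limits)
        renewals += 1
    return {"dropped_at": None, "renewals": renewals,
            "one_second_renewals": one_second_renewals, "final_ttl": ttl}


if __name__ == "__main__":
    result = simulate(TokenLimits(), SessionLifecycle())
    print("token dropped at t=%ss after %s renewals (%s of them one second apart)" % (
        result["dropped_at"], result["renewals"], result["one_second_renewals"]))
```

With the issue's values the first renewal lands at t=1120s and yields a 680s TTL, the second at t=1720s yields only 80s, and from there the model renews every second until the TTL hits the 60s threshold at t=1740s, where the token is dropped. The practical check this gives a defender is whether the session thresholds and the mount's max TTL leave any window in which a drop (and the revocation of the credentials leased under that token) is expected behaviour rather than a bug.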