Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Required ".initialized" key in external etcd gives sensu user access to all key spaces #5047

Open
bitnik opened this issue Jan 29, 2024 · 1 comment · May be fixed by #5073
Open

Required ".initialized" key in external etcd gives sensu user access to all key spaces #5047

bitnik opened this issue Jan 29, 2024 · 1 comment · May be fixed by #5073
Assignees

Comments

@bitnik
Copy link

bitnik commented Jan 29, 2024

Expected Behavior

We want to use an external etcd for our sensu backen. We expected that after configuring it as described in the documentation is enough.

Current Behavior

While initializing the sensu backend, it fails with "permission denied" error. Because it requires the access to ".initialized" key too. After giving access to that key, initialization goes through without problem, but then the problem is that the sensu user has access to / key space too.

Possible Solution

Move the required ".initialized" key to "/sensu.io/.initialized".

Steps to Reproduce (for bugs)

  1. Deploy an etcd cluster
  2. Create sensu user and its roles as described in documentation
  3. Init the sensu backend as described in documentation

Context

We want to limit the acces of sensu user to /sensu.io/ key space only, because we plan to have other applications using other key spaces.

Your Environment

  • Sensu version used (sensuctl, sensu-backend, and/or sensu-agent): 6.10.0
  • etcd version: 3.5.11
  • Installation method (packages, binaries, docker etc.): docker
@bitnik
Copy link
Author

bitnik commented Feb 22, 2024

Hello,

Here is some more information we just found out. When we check the keys in etcd, we see that only "/sensu.io/.initialized" key exists. ".initialized" key doesn't exist at all. This is really strange.

We just did a new test deployment and created a sensu user in etcd without access to ".initialized" key and during initialization we got the "permission denied" error again:

{"component":"etcd","level":"warning","logger":"etcd-client","caller":"[email protected]/retry_interceptor.go:62","msg":"retrying of unary invoker failed","target":"etcd-endpoints://0xc00098a1c0/etcd-1.etcd-headless.sensu-test.svc.cluster.local:2379","attempt":0,"error":"rpc error: code = PermissionDenied desc = etcdserver: permission denied","time":"2024-02-22T10:07:38Z"}
{"component":"cmd","level":"error","msg":"error seeding cluster, is cluster healthy? failed to create initializer lock: etcdserver: permission denied","time":"2024-02-22T10:07:38Z"}

After giving access to ".initialized" key, initialization goes through without problem, but as mentioned earlier, ".initialized" key doesn't exist in etcd. So it looks like sensu requires permissin to a key that it doesn't use at all?

@SudhanshuBawane SudhanshuBawane linked a pull request Dec 5, 2024 that will close this issue
@SudhanshuBawane SudhanshuBawane linked a pull request Dec 5, 2024 that will close this issue
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants