salt: Vault module problem in 2018.3.0
Description of Issue/Question
vault.read_secret fails when a 2017 minion runs against a 2018.3 salt-master.
Minion:
[ERROR ] Failed to get token from master! Response is not a dict: Exception occurred in runner vault.generate_token: Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/salt/client/mixins.py", line 387, in _low
data['return'] = self.functions[fun](*args, **kwargs)
File "/usr/lib/python2.7/site-packages/salt/runners/vault.py", line 46, in generate_token
_validate_signature(minion_id, signature, impersonated_by_master)
File "/usr/lib/python2.7/site-packages/salt/runners/vault.py", line 129, in _validate_signature
'Could not validate token request from {0}'.format(minion_id)
AuthenticationError: Could not validate token request from **MINION-ID**
And master logs sometimes show:
2018-04-17 16:17:45,168 [salt.loaded.ext.utils.vault:45 ][ERROR ][9979] Failed to get token from master! An error was returned: list indices must be integers, not unicode
2018-04-17 16:17:45,169 [salt.loaded.ext.module.vault:47 ][ERROR ][9979] Failed to read secret! CommandExecutionError: {u'error': u'list indices must be integers, not unicode'}
In trying to troubleshoot the _validate_signature function, I added debug lines to print out the minion signature and got:
2018-04-17 16:26:06,114 [salt.loaded.int.runners.vault:126 ][ERROR ][9990] Validating signature for **MINION-ID**
2018-04-17 16:26:06,115 [salt.loaded.int.runners.vault:128 ][ERROR ][9990] Got signature q����r�"w��|��A����f�x�RO-����kc6� ݨS6]c�֯�q�ӑ�70�@%5�"�\�=gE̓�/�fEp�?JI*����nݶQ";�߭��dU�9�#��C�[$� ���7�~(j�S�4#�4�M|L���?�u�.uT�T�~Y�~�
�4�ňʅhkH���E� ,�j�`= � b�!d$�t�O�.)sΩ,��H
At this stage I’m guessing there is an issue with the strings being passed, and the recent unicode updates from 2018.
<del>Additionally, to get this far, I had to correct some typos in the vault runner code for which I’ll submit a PR. </del> Corrected recently in https://github.com/saltstack/salt/commit/01a5b88e7b71b109b4708f74e1796e88eea67bf7
About this issue
- State: closed
- Created 6 years ago
- Comments: 20 (20 by maintainers)
Looks like patching salt/crypto.py for both the master and minions resolved the vault signing issue for us. So this can be closed. Thanks!
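The debug line in the issue prints the raw signature bytes, which the log renders as replacement characters, so the minion's and master's values cannot be compared by eye. The following is an added example, not Salt code and not from the issue author: it renders a signature in a log-safe form and shows that a lossy bytes-to-text round trip breaks validation while a base64 round trip does not. HMAC-SHA256 stands in for Salt's key-based signature, and `KEY`, `MINION_ID` and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac

KEY = b"constructed-demo-key"        # constructed sample value
MINION_ID = b"minion-01.example"     # constructed sample value


def sign(key, message):
    """Stand-in signer (assumption): HMAC-SHA256 instead of a key-pair signature."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key, message, signature):
    """Constant-time comparison of the expected and received signature bytes."""
    return hmac.compare_digest(sign(key, message), signature)


def describe(signature):
    """Log-safe rendering: length, short SHA-256 fingerprint, base64 body."""
    fingerprint = hashlib.sha256(signature).hexdigest()[:16]
    body = base64.b64encode(signature).decode("ascii")
    return "len=%d sha256=%s b64=%s" % (len(signature), fingerprint, body)


def through_text(signature):
    """Lossy round trip: invalid UTF-8 bytes become U+FFFD and are not recoverable."""
    return signature.decode("utf-8", errors="replace").encode("utf-8")


def through_base64(signature):
    """Lossless round trip: binary value carried as ASCII text and decoded again."""
    return base64.b64decode(base64.b64encode(signature).decode("ascii"))


if __name__ == "__main__":
    sig = sign(KEY, MINION_ID)
    lossy, safe = through_text(sig), through_base64(sig)
    print("sent     ", describe(sig))
    print("as text  ", describe(lossy), verify(KEY, MINION_ID, lossy))
    print("as base64", describe(safe), verify(KEY, MINION_ID, safe))
```

Logging `describe()` output on both the minion and the master gives two lines that can be compared directly; a differing length or fingerprint shows the bytes were altered in transit rather than signed with the wrong key.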