Report a Dgraph Bug
When enabling vault + acl + encryption, Dgraph Alpha will not start up. It’s flagging acl-field and enc-field for the --vault superflag as invalid.
What version of Dgraph are you using?
- build from release/v21.03 branch, with commit 1a0a5017d
- published docker image for that commit: darknerd/dgraph:v21.03.0-1a0a5017d
Have you tried reproducing the issue with the latest release?
- n/a as not yet released
What is the hardware spec (RAM, OS)?
- dgraph docker image (ubuntu focal fossa)
Steps to reproduce the issue (command/config used to run Dgraph).
- Vault server is running with required secrets and Dgraph AppRole
- Start Dgraph using this configuration:
    vault:
      addr: http://vault:8200
      acl_field: hmac_secret_file
      acl_format: raw
      enc_field: enc_key
      enc_format: raw
      path: secret/data/dgraph/alpha
      roleid_file: /dgraph/vault/role_id
      secretid_file: /dgraph/vault/secret_id
    security:
      whitelist: 10.0.0.0/8,172.0.0.0/8,192.168.0.0/16
Expected behavior and actual result.
Actual Results
Valid flags are flagged as invalid:
2021/03/17 06:24:21 superflag: found invalid options in flag: roleid-file=/dgraph/vault/role_id; secretid-file=/dgraph/vault/secret_id; addr=http://vault:8200; acl-field=hmac_secret_file; acl-format=raw; enc-field=enc_key; enc-format=raw; path=secret/data/dgraph/alpha.
valid options: addr=http://localhost:8200;path=secret/data/dgraph;acl-format=base64;enc-format=base64;
Expected Results
Given the dgraph alpha --help has this to say about the --vault string superflag:
Vault options
acl-format=base64; ACL key format, can be 'raw' or 'base64'.
addr=http://localhost:8200; Vault server address (format: http://ip:port).
enc-format=base64; Encryption key format, can be 'raw' or 'base64'.
path=secret/data/dgraph; Vault KV store path (e.g. 'secret/data/dgraph' for KV V2, 'kv/dgraph' for KV V1).
acl-field=; Vault field containing ACL key.
enc-field=; Vault field containing encryption key.
role-id-file=; Vault RoleID file, used for AppRole authentication.
secret-id-file=; Vault SecretID file, used for AppRole authentication.
The expectation would be that Dgraph Alpha would start as acl-field and enc-field would be valid.
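
An added example, not part of the original report and not Dgraph's own code: a small Go check that compares the option names in the rejected --vault string against the names listed in the --help output quoted above. The function and variable names are hypothetical. On the report's string it returns roleid-file and secretid-file, which are spelled differently from the documented role-id-file and secret-id-file, while acl-field and enc-field match the documented names.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// documented holds the --vault option names copied from the
// `dgraph alpha --help` output quoted in the report.
var documented = []string{"acl-format", "addr", "enc-format", "path",
	"acl-field", "enc-field", "role-id-file", "secret-id-file"}

// parseSuperflag splits "k=v; k=v" into a map. Splitting on the first '='
// only keeps values that contain '=' or ':' (such as URLs) intact.
func parseSuperflag(s string) map[string]string {
	opts := map[string]string{}
	for _, kv := range strings.Split(s, ";") {
		parts := strings.SplitN(strings.TrimSpace(kv), "=", 2)
		if len(parts) == 2 {
			opts[strings.TrimSpace(parts[0])] = strings.TrimSpace(parts[1])
		}
	}
	return opts
}

// undocumented returns, in sorted order, the option names in s that do
// not appear in the documented list.
func undocumented(s string) []string {
	known := map[string]bool{}
	for _, k := range documented {
		known[k] = true
	}
	var out []string
	for k := range parseSuperflag(s) {
		if !known[k] {
			out = append(out, k)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Option string from the error line in the report (trailing period dropped).
	rejected := "roleid-file=/dgraph/vault/role_id; secretid-file=/dgraph/vault/secret_id; addr=http://vault:8200; acl-field=hmac_secret_file; acl-format=raw; enc-field=enc_key; enc-format=raw; path=secret/data/dgraph/alpha"
	fmt.Println(undocumented(rejected))
}
```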