Unable to use Vault with ACLs + Encryption-at-Rest

Report a Dgraph Bug

When enabling vault + acl + encryption, Dgraph Alpha will not start up. It’s flagging acl-field and enc-field for the --vault superflag as invalid.

What version of Dgraph are you using?

  • build from release/v21.03 branch, with commit 1a0a5017d
    • published docker image for that commit: darknerd/dgraph:v21.03.0-1a0a5017d

Have you tried reproducing the issue with the latest release?

  • n/a as not yet released

What is the hardware spec (RAM, OS)?

  • dgraph docker image (ubuntu focal fossa)

Steps to reproduce the issue (command/config used to run Dgraph).

  • Vault server is running with required secrets and Dgraph AppRole
  • Start Dgraph using this configuration:
      addr: http://vault:8200
      acl_field: hmac_secret_file
      acl_format: raw
      enc_field: enc_key
      enc_format: raw
      path: secret/data/dgraph/alpha
      roleid_file: /dgraph/vault/role_id
      secretid_file: /dgraph/vault/secret_id

Expected behavior and actual result.

Actual Results

Valid flags are flagged as invalid:

2021/03/17 06:24:21 superflag: found invalid options in flag: roleid-file=/dgraph/vault/role_id; secretid-file=/dgraph/vault/secret_id; addr=http://vault:8200; acl-field=hmac_secret_file; acl-format=raw; enc-field=enc_key; enc-format=raw; path=secret/data/dgraph/alpha.
valid options: addr=http://localhost:8200;path=secret/data/dgraph;acl-format=base64;enc-format=base64;

Expected Results

Given that dgraph alpha --help has this to say about the --vault string superflag:

Vault options
     acl-format=base64; ACL key format, can be 'raw' or 'base64'.
     addr=http://localhost:8200; Vault server address (format: http://ip:port).
     enc-format=base64; Encryption key format, can be 'raw' or 'base64'.
     path=secret/data/dgraph; Vault KV store path (e.g. 'secret/data/dgraph' for KV V2, 'kv/dgraph' for KV V1).
     acl-field=; Vault field containing ACL key.
     enc-field=; Vault field containing encryption key.
     role-id-file=; Vault RoleID file, used for AppRole authentication.
     secret-id-file=; Vault SecretID file, used for AppRole authentication.

The expectation would be that Dgraph Alpha would start, since acl-field and enc-field are valid options.

For a full guide to setting up the Vault server using docker-compose, see this branch:

  • joaquin/chore-vault-superflags-contrib

Thanks @joaquin, it seems that some of the validation logic in SuperFlags broke this. I’ve fixed it here: fix(flags): add empty defaults to Vault SuperFlag by ajeetdsouza · Pull Request #7598 · dgraph-io/dgraph · GitHub
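The log line in the report lists as "valid options" only the four keys that have a non-empty default (addr, path, acl-format, enc-format), while the help text also documents acl-field, enc-field, role-id-file and secret-id-file with empty defaults. The following is an added, constructed illustration of that failure mode and its fix; it is not Dgraph's SuperFlag code, and the function names (parseSuperflag, validOptions, invalidKeys) are hypothetical. Option names and defaults are taken from the quoted --help output.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// vaultDefaults mirrors the --vault options and defaults shown in the quoted
// `dgraph alpha --help` output. Four options have an empty default.
// (Constructed illustration, not Dgraph's own code.)
var vaultDefaults = map[string]string{
	"addr":           "http://localhost:8200",
	"path":           "secret/data/dgraph",
	"acl-format":     "base64",
	"enc-format":     "base64",
	"acl-field":      "",
	"enc-field":      "",
	"role-id-file":   "",
	"secret-id-file": "",
}

// parseSuperflag splits "k=v; k2=v2; ..." into a map. Empty segments (such as
// a trailing ';') are skipped; a segment without '=' is an error.
func parseSuperflag(s string) (map[string]string, error) {
	out := map[string]string{}
	for _, seg := range strings.Split(s, ";") {
		seg = strings.TrimSpace(seg)
		if seg == "" {
			continue
		}
		kv := strings.SplitN(seg, "=", 2)
		if len(kv) != 2 {
			return nil, fmt.Errorf("superflag: option %q is not key=value", seg)
		}
		out[strings.TrimSpace(kv[0])] = strings.TrimSpace(kv[1])
	}
	return out, nil
}

// validOptions derives the set of allowed keys from the defaults table.
// With dropEmpty=true it reproduces the behaviour visible in the report:
// keys whose default is "" never make it into the valid set, so acl-field,
// enc-field and the AppRole file options are always rejected. The fix is to
// register every documented key, empty default or not (dropEmpty=false).
func validOptions(defaults map[string]string, dropEmpty bool) map[string]bool {
	valid := map[string]bool{}
	for k, v := range defaults {
		if dropEmpty && v == "" {
			continue
		}
		valid[k] = true
	}
	return valid
}

// invalidKeys returns, sorted, every supplied key that is not in the valid set.
func invalidKeys(opts map[string]string, valid map[string]bool) []string {
	var bad []string
	for k := range opts {
		if !valid[k] {
			bad = append(bad, k)
		}
	}
	sort.Strings(bad)
	return bad
}

func main() {
	// Constructed input modelled on the reporter's configuration, with the
	// AppRole file options spelled as the help output lists them.
	flag := "addr=http://vault:8200; acl-field=hmac_secret_file; acl-format=raw; " +
		"enc-field=enc_key; enc-format=raw; path=secret/data/dgraph/alpha; " +
		"role-id-file=/dgraph/vault/role_id; secret-id-file=/dgraph/vault/secret_id"
	opts, err := parseSuperflag(flag)
	if err != nil {
		panic(err)
	}
	fmt.Println("rejected before fix:", invalidKeys(opts, validOptions(vaultDefaults, true)))
	fmt.Println("rejected after fix: ", invalidKeys(opts, validOptions(vaultDefaults, false)))
}
```

Two points worth noting. First, a key that is not in the help output at all (for example roleid-file, as spelled in the reporter's log, rather than role-id-file) is still rejected after the fix, so option spelling needs to match the documented names. Second, refusing to start when the Vault options cannot be validated is the safer outcome for ACL and encryption-at-rest settings: the alternative, silently proceeding without the HMAC secret or encryption key, would be far worse than a startup failure.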