Hi, new DAP user here – in the midst of beginning to leverage its functionality for apps running in Kubernetes.
My plan for ongoing policy management is to have an automated process – using application metadata (such as deployment name, authorized namespaces, required safes, etc.) in the form of JSON – render a single policy file that will be loaded as root. This means everything is re-applied each time this process kicks off.
My understanding is that policies could be re-applied safely any number of times, meaning that in the process of applying the new root policy, new resources will be created and already-present resources will be ignored. However, when I attempt to use the conjur-cli to upload the policy after the first run (conjur policy load root root-policy.yaml) I am unable:
postgres 21662 - [meta sequenceId="23"] [4-1] ERROR: duplicate key value violates unique constraint "permissions_pkey"
postgres 21662 - [meta sequenceId="24"] [4-2] DETAIL: Key (resource_id, role_id, privilege)=(neovest:webservice:conjur/authn-k8s/ut-dev, neovest:layer:conjur/authn-k8s/ut-dev/apps, authenticate) already exists.
postgres 21662 - [meta sequenceId="25"] [4-3] STATEMENT: INSERT INTO permissions ( resource_id, privilege, role_id, policy_id ) SELECT resource_id, privilege, role_id, policy_id FROM policy_loader_9a410bf86685aedc.permissions
conjur-possum 21531 - [meta sequenceId="26"] [origin=10.2.30.99] [request_id=f4d421ee-6f21-4422-b624-0f98ce6adcb7] [tid=11508] Completed 409 Conflict in 272ms (Views: 0.7ms)
nginx - - [meta sequenceId="28"] 10.2.30.99 "PUT /policies/neovest/policy/root HTTP/1.1" 409 108 "-" "rest-client/2.1.0 (linux-gnu x86_64) ruby/2.5.1p57" 0.280 0.280
The pertinent section of the root policy:
- !policy
  id: conjur/authn-k8s/ut-dev
  body:
  - !variable kubernetes/service-account-token
  - !variable kubernetes/ca-cert
  - !variable kubernetes/api-url
  - !variable ca/key
  - !variable ca/cert
  - !webservice
  - !policy
    id: apps
    body:
    - !layer
    - !host
      id: dap/service_account/dap-follower
      annotations:
        kubernetes/authentication-container-name: authenticator
    - !grant
      role: !layer
      member: !host dap/service_account/dap-follower
  - !permit
    role: !layer apps
    privilege: [ authenticate ]
    resource: !webservice
Thanks in advance for any insights and clarification you can provide.
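The post describes rendering a single root policy from JSON application metadata. The script below is an added example of such a renderer, not the poster's own tooling or anything shipped with DAP/Conjur: it takes a constructed metadata document (the field names authn_k8s_id, apps, host_id and auth_container are assumptions chosen for illustration) and emits the same authn-k8s policy branch quoted above, with one !host and one !grant per application. It sorts hosts and rejects duplicate or malformed host ids, so that repeated runs over the same metadata produce byte-identical YAML and a metadata mistake is caught before the policy ever reaches conjur policy load.

```python
"""Render the authn-k8s policy branch from JSON application metadata.

Added example; the metadata schema is an assumption for illustration.
Only the emitted YAML structure mirrors the policy quoted in the post.
"""
import json
from typing import List

# Constructed sample metadata (not from any real deployment).
SAMPLE_METADATA = json.dumps({
    "authn_k8s_id": "ut-dev",
    "apps": [
        {"host_id": "payments/service_account/payments-api",
         "auth_container": "authenticator"},
        {"host_id": "dap/service_account/dap-follower",
         "auth_container": "authenticator"},
    ],
})


def _indent(lines: List[str], n: int) -> List[str]:
    """Prefix every non-empty line with n spaces."""
    return [(" " * n + line) if line else line for line in lines]


def render_authn_k8s_policy(metadata_json: str) -> str:
    """Build the '- !policy id: conjur/authn-k8s/<id>' branch as YAML text."""
    meta = json.loads(metadata_json)
    authn_id = meta["authn_k8s_id"]
    apps = meta["apps"]
    if not apps:
        raise ValueError("metadata must list at least one app")

    # Validate host ids up front: a duplicate or whitespace-bearing id would
    # yield a policy that is wrong in ways the loader may not explain clearly.
    host_ids = [a["host_id"] for a in apps]
    if len(set(host_ids)) != len(host_ids):
        raise ValueError("duplicate host_id in metadata")
    for hid in host_ids:
        if not hid or any(ch.isspace() for ch in hid):
            raise ValueError(f"invalid host_id: {hid!r}")

    # Sort so the rendered file is stable regardless of metadata ordering;
    # a policy that is re-applied on every run should not churn on its own.
    apps = sorted(apps, key=lambda a: a["host_id"])

    apps_body = ["- !layer"]
    for app in apps:
        apps_body += [
            "- !host",
            f"  id: {app['host_id']}",
            "  annotations:",
            f"    kubernetes/authentication-container-name: {app['auth_container']}",
        ]
    for app in apps:
        apps_body += [
            "- !grant",
            "  role: !layer",
            f"  member: !host {app['host_id']}",
        ]

    body = [
        "- !variable kubernetes/service-account-token",
        "- !variable kubernetes/ca-cert",
        "- !variable kubernetes/api-url",
        "- !variable ca/key",
        "- !variable ca/cert",
        "- !webservice",
        "- !policy",
        "  id: apps",
        "  body:",
        *_indent(apps_body, 2),
        "- !permit",
        "  role: !layer apps",
        "  privilege: [ authenticate ]",
        "  resource: !webservice",
    ]
    lines = [
        "- !policy",
        f"  id: conjur/authn-k8s/{authn_id}",
        "  body:",
        *_indent(body, 2),
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_authn_k8s_policy(SAMPLE_METADATA), end="")
```

Because the output is deterministic, the rendered file can be diffed against the previously loaded copy before each run, which gives an inexpensive way to see exactly which hosts or grants a given metadata change will add.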