Conjur policy idempotency and 409 Conflict

Hi, new DAP user here – in the midst of beginning to leverage its functionality for apps running in Kubernetes.

My plan for ongoing policy management is to have an automated process – using application metadata (such as deployment name, authorized namespaces, required safes, etc.) in the form of JSON – render a single policy file that will be loaded as root. This means everything is re-applied each time this process kicks off.

My understanding is that policies could be re-applied safely any number of times, meaning that in the process of applying the new root policy, new resources will be created and already-present resources will be ignored. However, when I attempt to use the conjur-cli to upload the policy after the first run (conjur policy load root root-policy.yaml) I am unable:

postgres 21662 - [meta sequenceId="23"] [4-1] ERROR:  duplicate key value violates unique constraint "permissions_pkey"
postgres 21662 - [meta sequenceId="24"] [4-2] DETAIL:  Key (resource_id, role_id, privilege)=(neovest:webservice:conjur/authn-k8s/ut-dev, neovest:layer:conjur/authn-k8s/ut-dev/apps, authenticate) already exists.
postgres 21662 - [meta sequenceId="25"] [4-3] STATEMENT:  INSERT INTO permissions ( resource_id, privilege, role_id, policy_id ) SELECT resource_id, privilege, role_id, policy_id FROM policy_loader_9a410bf86685aedc.permissions
conjur-possum 21531 - [meta sequenceId="26"] [origin=10.2.30.99] [request_id=f4d421ee-6f21-4422-b624-0f98ce6adcb7] [tid=11508] Completed 409 Conflict in 272ms (Views: 0.7ms)
nginx - - [meta sequenceId="28"] 10.2.30.99 "PUT /policies/neovest/policy/root HTTP/1.1" 409 108 "-" "rest-client/2.1.0 (linux-gnu x86_64) ruby/2.5.1p57" 0.280 0.280

The pertinent section of the root policy:

- !policy
  id: conjur/authn-k8s/ut-dev
  body:
  - !variable kubernetes/service-account-token
  - !variable kubernetes/ca-cert
  - !variable kubernetes/api-url
  - !variable ca/key
  - !variable ca/cert
  - !webservice
  - !policy
    id: apps
    body:
    - !layer
    - !host
      id: dap/service_account/dap-follower
      annotations:
        kubernetes/authentication-container-name: authenticator
    - !grant
      role: !layer
      member: !host dap/service_account/dap-follower
  - !permit
    role: !layer apps
    privilege: [ authenticate ]
    resource: !webservice

Thanks in advance for any insights and clarification you can provide.

Hi Josh,

I was unable to replicate this issue in my lab. I copied your exact policy and loaded it a couple of times. My output is below:

root@64facbfd8b68:/# cat test.yml
- !policy
  id: conjur/authn-k8s/ut-dev
  body:
  - !variable kubernetes/service-account-token
  - !variable kubernetes/ca-cert
  - !variable kubernetes/api-url
  - !variable ca/key
  - !variable ca/cert
  - !webservice
  - !policy
    id: apps
    body:
    - !layer
    - !host
      id: dap/service_account/dap-follower
      annotations:
        kubernetes/authentication-container-name: authenticator
    - !grant
      role: !layer
      member: !host dap/service_account/dap-follower
  - !permit
    role: !layer apps
    privilege: [ authenticate ]
    resource: !webservice
root@64facbfd8b68:/# conjur policy load root test.yml
Enter your username to log into Conjur: admin
Please enter your password (it will not be echoed):
Loaded policy 'root'
{
  "created_roles": {
    "conjur:host:conjur/authn-k8s/ut-dev/apps/dap/service_account/dap-follower": {
      "id": "conjur:host:conjur/authn-k8s/ut-dev/apps/dap/service_account/dap-follower",
      "api_key": "3x1d4n81ecbaaq1j53w5x3ka0182g812vc29yktcj357kr8p1t35p9"
    }
  },
  "version": 12
}
root@64facbfd8b68:/# conjur policy load root test.yml
Loaded policy 'root'
{
  "created_roles": {
  },
  "version": 13
}

What commands do you think I should run to replicate this issue?

Regards,
Andrew

1 Like

Oops, this was a result of some mistaken template-rendering logic on my part; in the section where I was intending to grant authn-k8s authentication privileges for the webservice to the K8s apps that needed them, I had copied the line that assigned privileges for the ‘apps’ layer as a starting point and forgot to circle back around and actually template it out. So that layer was being assigned ‘authenticate’ privileges multiple times.

I’m actually quite glad that Conjur isn’t silent about this. Thanks @AndrewCopeland for taking a look at that.

1 Like
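A pre-load check for the failure described in this thread, added here as an example (not code from the posts or from Conjur itself): it parses a rendered root policy with PyYAML (assumed to be installed), resolves ids the way Conjur does, relative to the enclosing policy with a bare tag such as !webservice naming that policy itself, and lists every (resource, role, privilege) row that a !permit would insert more than once. The sample policy is constructed from the thread's authn-k8s policy with the permit rendered twice, as the poster's template did.

```python
import yaml
from collections import Counter, namedtuple

Tagged = namedtuple("Tagged", "tag value")  # a YAML node plus its Conjur tag, e.g. !layer apps

class PolicyLoader(yaml.SafeLoader):
    """SafeLoader that keeps every '!kind' tag instead of rejecting it."""

def _construct(loader, suffix, node):
    if isinstance(node, yaml.ScalarNode):
        return Tagged(suffix, loader.construct_scalar(node))
    return Tagged(suffix, loader.construct_mapping(node, deep=True))

PolicyLoader.add_multi_constructor("!", _construct)

def _resolve(ref, policy_id):
    """'kind:full/id': ids are relative to the enclosing policy, '/' is absolute, bare tag = the policy."""
    local = ref.value.get("id", "") if isinstance(ref.value, dict) else (ref.value or "")
    full = local[1:] if local.startswith("/") else "/".join(p for p in (policy_id, local) if p)
    return f"{ref.tag}:{full}"

def collect_permits(statements, policy_id=""):
    """Expand each !permit into the (resource, role, privilege) rows the loader inserts."""
    aslist = lambda x: x if isinstance(x, list) else [x]  # role/resource/privilege may be lists
    rows = []
    for st in statements:
        if st.tag == "policy":  # recurse with the nested policy's full id
            rows += collect_permits(st.value.get("body", []), _resolve(st, policy_id).split(":", 1)[1])
        elif st.tag == "permit":
            for res in aslist(st.value["resource"]):
                for role in aslist(st.value["role"]):
                    for priv in aslist(st.value["privilege"]):
                        rows.append((_resolve(res, policy_id), _resolve(role, policy_id), priv))
    return rows

def find_duplicate_permits(policy_text):
    """Rows one load would insert twice: what tripped permissions_pkey and the 409 in this thread."""
    counts = Counter(collect_permits(yaml.load(policy_text, Loader=PolicyLoader)))
    return sorted(row for row, n in counts.items() if n > 1)

# Constructed sample: the thread's authn-k8s policy trimmed to its webservice and apps layer,
# with the !permit rendered twice as the poster's template did.
DUPLICATED_POLICY = """\
- !policy
  id: conjur/authn-k8s/ut-dev
  body:
  - !webservice
  - !policy { id: apps, body: [ !layer ] }
  - !permit { role: !layer apps, privilege: [ authenticate ], resource: !webservice }
  - !permit { role: !layer apps, privilege: [ authenticate ], resource: !webservice }
"""
```

Running find_duplicate_permits over the rendered file before conjur policy load turns the database-level 409 into a readable report naming the duplicated triple.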