Conjur Policy version

How many policy versions does Conjur keep?
Is it configurable?

Hi @sashac, what do you mean by policy versions? Conjur policies can be updated, but I have not seen anything about it keeping older versions, if that is what you mean.

Hi,
If you call the Show a resource REST API of Conjur for a policy resource, you will see that Conjur keeps the policy documents that you've uploaded.
So, I'm looking for an answer to how many historical policy documents Conjur keeps.
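The "Show a resource" call mentioned above (GET /resources/{account}/policy/{identifier}) returns the retained versions in a policy_versions list. The script below is an added example, not code from the thread or from the Conjur project: it takes a constructed response in that shape, counts the retained versions, checks each version's policy_text against its recorded policy_sha256 digest, and diffs two versions so a reviewer can see what changed. The field names follow Conjur's public API as I know it; every value in the sample is made up, and version 2's digest is deliberately corrupted so the integrity check has something to report.

```python
import difflib
import hashlib
import json
from typing import Dict, List

# Constructed sample of a Conjur "Show a resource" response for a policy resource.
# Field names follow Conjur's API; the policy text, ids and timestamps are invented.
_V1 = "- !policy\n  id: app\n  body:\n  - !variable db/password\n"
_V2 = _V1 + "  - !variable db/username\n"
_V3 = _V2 + "  - !host ci-runner\n"


def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


SAMPLE_RESOURCE: Dict = {
    "id": "myorg:policy:app",
    "owner": "myorg:user:admin",
    "policy_versions": [
        {"version": 1, "created_at": "2020-01-10T09:00:00Z",
         "policy_text": _V1, "policy_sha256": _sha256(_V1)},
        # Deliberately wrong digest: a retained version whose text no longer matches.
        {"version": 2, "created_at": "2020-02-03T14:30:00Z",
         "policy_text": _V2, "policy_sha256": "0" * 64},
        {"version": 3, "created_at": "2020-03-21T08:15:00Z",
         "policy_text": _V3, "policy_sha256": _sha256(_V3)},
    ],
}


def summarize_policy_versions(resource: Dict) -> Dict:
    """Count retained versions and flag any whose text does not hash to its digest."""
    versions = sorted(resource.get("policy_versions", []), key=lambda v: v["version"])
    mismatched = [v["version"] for v in versions
                  if _sha256(v["policy_text"]) != v["policy_sha256"].lower()]
    return {
        "retained": len(versions),
        "oldest": versions[0]["version"] if versions else None,
        "latest": versions[-1]["version"] if versions else None,
        "digest_mismatches": mismatched,
    }


def diff_policy_versions(resource: Dict, old: int, new: int) -> List[str]:
    """Unified diff between two retained policy versions, for change review."""
    by_version = {v["version"]: v["policy_text"] for v in resource["policy_versions"]}
    return list(difflib.unified_diff(
        by_version[old].splitlines(), by_version[new].splitlines(),
        fromfile=f"version {old}", tofile=f"version {new}", lineterm=""))


def added_lines(resource: Dict, old: int, new: int) -> List[str]:
    """Only the lines introduced between two versions (file headers excluded)."""
    return [line[1:] for line in diff_policy_versions(resource, old, new)
            if line.startswith("+") and not line.startswith("+++")]


if __name__ == "__main__":
    print(json.dumps(summarize_policy_versions(SAMPLE_RESOURCE), indent=2))
    print("\n".join(diff_policy_versions(SAMPLE_RESOURCE, 1, 3)))
```

Against a live server you would replace SAMPLE_RESOURCE with the parsed JSON body of the GET call; the digest check is the part worth keeping, since a policy_text that no longer hashes to its stored policy_sha256 is something an auditor wants to know about.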

Hi,

I do not think it is configurable.
I am testing this right now, I am at 150 policy versions back and it is still going.

Regards,
Andrew

Hi sashac,

I was able to go back 1000 policy versions. I still have not hit a limit.
Is this a concern for you? Is there a specific number of policy versions you need?

Thanks,
Andrew


I suppose it can be an issue for Conjur/DAP implementations that are highly volatile from a policy perspective.
Is there a real need to keep all those versions?

It may be possible to add a configurable limit to the number of policy versions stored, but I agree with @AndrewCopeland - I can’t seem to find a limit in the code as it currently exists. I’d consider enabling this an enhancement request.

Secret values are limited to 20 per secret, however - in theory this is configurable (see here), but in practice I’m not sure anyone is using it this way. It does look like there is a programmatic way to retrieve old secret values (if you have the right permissions), based on this cucumber test case.

I think that you have got the test case wrong.
It validates that if there were 21 secret updates, the first secret version is unavailable.
Versions from 2 to 21 should be available.
There is a positive test case.

Yup, that’s what the test case does - I was just using it as an example of how you can retrieve old secret values (of course, you can never retrieve the value from 21 secrets ago, since the limit is 21).

But you can

POST "/secrets/cucumber/variable/probe" with body:
"""
v-N
"""

where N is less than 21, and retrieve some info about an old value (I assume - it is not something I have tested, but this test case seems to indicate it would be possible).
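The retention behaviour the last few posts are debating can be made concrete. The code below is an added example, not code from the thread or from Conjur: it models a secret whose versions are numbered from 1 upward and of which only the newest 20 are kept (the "20 per secret" figure quoted above, taken here as fixed), replays the cucumber scenario of writing v-1 through v-21, and builds the path for Conjur's Retrieve a secret call with its version query parameter. The class and function names are mine; the account and variable names are the ones from the test case.

```python
from typing import Dict, List, Optional
from urllib.parse import quote

RETENTION = 20  # retained versions per secret, as stated in this thread; assumed fixed


class SecretVersionStore:
    """Minimal model of Conjur secret versioning: monotonic numbers, oldest expire."""

    def __init__(self, retention: int = RETENTION):
        self.retention = retention
        self._values: Dict[int, str] = {}
        self._latest = 0

    def set_value(self, value: str) -> int:
        """Store a new value. Version numbers only ever increase; none is reused."""
        self._latest += 1
        self._values[self._latest] = value
        # Expire everything beyond the newest `retention` versions.
        while len(self._values) > self.retention:
            del self._values[min(self._values)]
        return self._latest

    def has(self, version: int) -> bool:
        return version in self._values

    def available_versions(self) -> List[int]:
        return sorted(self._values)

    def get(self, version: Optional[int] = None) -> str:
        """No version means the current value, as with the retrieve endpoint."""
        if version is None:
            version = self._latest
        if version not in self._values:
            raise KeyError(f"version {version} is no longer retained")
        return self._values[version]


def retrieve_url(account: str, identifier: str, version: Optional[int] = None) -> str:
    """Path for GET /secrets/{account}/variable/{id}[?version=N]; slashes in the id are escaped."""
    path = f"/secrets/{account}/variable/{quote(identifier, safe='')}"
    return path if version is None else f"{path}?version={version}"


def simulate_updates(count: int, retention: int = RETENTION) -> SecretVersionStore:
    """Write v-1 .. v-count, mirroring the cucumber scenario, and return the store."""
    store = SecretVersionStore(retention)
    for n in range(1, count + 1):
        store.set_value(f"v-{n}")
    return store


if __name__ == "__main__":
    store = simulate_updates(21)
    versions = store.available_versions()
    print(f"retained versions after 21 updates: {versions[0]}..{versions[-1]}")
    print("oldest retained value:", store.get(versions[0]))
    print("request for version 2:", retrieve_url("cucumber", "probe", 2))
```

After 21 updates version 1 is gone and versions 2 through 21 remain, which is exactly what the negative and positive test cases described above check. The same model also shows why version numbers are not a reliable audit trail on their own: once a version has expired, nothing in the retrieve response tells you what it contained.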