Keysync Usage


Michael Henderson

Nov 8, 2019, 11:21:54 AM
to keywhiz-users
I am evaluating Keywhiz in a development environment: Mac, Intellij, Java 11.  I am not sure how to use Keysync to retrieve the secrets I created in Keywhiz. 
After some debugging I was able to run the Keywhiz server. Used the Keywhiz CLI to create secrets. Verified by "select * from secrets" in the keywhizdb_development MySQL db.
Downloaded go and built Keysync. I can run Keysync and it creates a secrets directory, but it is empty. 

$ ./keysync --config keysync-config.yaml
INFO[0000] Keysync starting                              release="(version not set)" server_name=C02YT5VRLVDL
INFO[0000] Loading config                                file=keysync-config.yaml server_name=C02YT5VRLVDL
INFO[0000] Poll interval is 1s                           server_name=C02YT5VRLVDL
INFO[0000] Starting syncer                               server_name=C02YT5VRLVDL
INFO[0000] Loaded configs                                count=1 server_name=C02YT5VRLVDL
ERRO[0000] Error looking up username, using fallback     client=client1 error="error resolving uid for keysync-test: user: unknown user keysync-test" server_name=C02YT5VRLVDL user=keysync-test
ERRO[0000] Error looking up groupname, using fallback    client=client1 error="error resolving gid for %!s(*user.Group=<nil>): group: unknown group keysync-test" group=keysync-test server_name=C02YT5VRLVDL
INFO[0000] GET /secrets 200 21.783771ms                  client=client1 logger=kwfs_client server_name=C02YT5VRLVDL
INFO[0000] Sync complete                                 Added=0 Changed=0 Deleted=0 server_name=C02YT5VRLVDL
INFO[0000] Sleeping                                      duration=1.151165071s server_name=C02YT5VRLVDL
INFO[0001] Loaded configs                                count=1 server_name=C02YT5VRLVDL
INFO[0001] GET /secrets 200 18.491721ms                  client=client1 logger=kwfs_client server_name=C02YT5VRLVDL
INFO[0001] Sync complete                                 Added=0 Changed=0 Deleted=0 server_name=C02YT5VRLVDL
INFO[0001] Sleeping                                      duration=1.235127272s server_name=C02YT5VRLVDL


I tried using various default_user and default_group in the keysync-config.yaml file, but still get the username/groupname error. 
Any help would be appreciated. 

Thanks, 
Michael

Matthew McPherrin

Nov 8, 2019, 1:07:14 PM
to Michael Henderson, keywhiz-users
The `default_user` and `default_group` refer to the Unix user/group that the files keysync writes out will be owned by.

It looks like you have successfully set up Keysync and Keywhiz to work together, but your client (named `client1`) has no secrets assigned to it.

The access control model in Keywhiz is that clients and secrets are both put into a "group". This is documented in the data model section of the Keywhiz docs.

For example, if you run:

echo "The Magic Words are Squeamish Ossifrage" | keywhiz.cli add secret --name somesecret.key
keywhiz.cli add group --name mygroup
keywhiz.cli assign secret --name somesecret.key --group mygroup
keywhiz.cli assign client --name client1 --group mygroup


Now when `client1` connects, they should see somesecret.key.


Michael Henderson

Nov 8, 2019, 2:21:56 PM
to Matthew McPherrin, keywhiz-users
Thanks for your quick response. 
To run keysync I execute "./keysync --config keysync-config.yaml".
I just used the sample config from the repo. So my secret should be in the "./testing/secrets" directory?
secrets_directory: './testing/secrets'
client_directory: './testing/clients'
ca_file: './testing/cacert.crt'
yaml_ext: yaml
chown_files: false
server: 'localhost:4444'
debug: true
default_user: 'michaelhenderson'
default_group: 'staff'
api_port: 31738
poll_interval: 1s

Matthew McPherrin

Nov 8, 2019, 2:23:57 PM
to Michael Henderson, keywhiz-users
Keysync supports multiple clients (e.g., in k8s, each pod). So it would be under $secrets_directory/$client_name.

From the log above your client was called client1, so the secret `foo`, assigned to `client1`, would be in ./testing/secrets/client1/foo.
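The two replies above describe the Keywhiz access-control model (a client only receives secrets that share a group with it) and the directory layout keysync writes ($secrets_directory/$client_name/$secret). The Go program below is an added example written for this thread, not code from Keywhiz or keysync; it is a small in-memory model of that group-based assignment, replaying the CLI commands from the reply and showing why a client with no group membership gets "Added=0". The client, group and secret names are the ones used in the thread; the Store type and its methods are constructed for illustration and do not exist in Keywhiz.

```go
package main

import (
	"fmt"
	"path/filepath"
	"sort"
)

// Store is a constructed, in-memory model of the Keywhiz authorization data
// as described in the thread: secrets and clients are each assigned to
// groups, and a client may read exactly those secrets that share at least
// one group with it. This is illustrative code, not Keywhiz's implementation.
type Store struct {
	groups       map[string]bool
	secretGroups map[string]map[string]bool // secret name -> groups it is assigned to
	clientGroups map[string]map[string]bool // client name -> groups it belongs to
}

func NewStore() *Store {
	return &Store{
		groups:       map[string]bool{},
		secretGroups: map[string]map[string]bool{},
		clientGroups: map[string]map[string]bool{},
	}
}

// AddSecret, AddGroup and AddClient correspond to `keywhiz.cli add ...`.
func (s *Store) AddSecret(name string) {
	if _, ok := s.secretGroups[name]; !ok {
		s.secretGroups[name] = map[string]bool{}
	}
}

func (s *Store) AddGroup(name string) { s.groups[name] = true }

func (s *Store) AddClient(name string) {
	if _, ok := s.clientGroups[name]; !ok {
		s.clientGroups[name] = map[string]bool{}
	}
}

// AssignSecret corresponds to `keywhiz.cli assign secret --name S --group G`.
// Assigning to a group or secret that was never created is an error.
func (s *Store) AssignSecret(secret, group string) error {
	gs, ok := s.secretGroups[secret]
	if !ok {
		return fmt.Errorf("unknown secret %q", secret)
	}
	if !s.groups[group] {
		return fmt.Errorf("unknown group %q", group)
	}
	gs[group] = true
	return nil
}

// AssignClient corresponds to `keywhiz.cli assign client --name C --group G`.
func (s *Store) AssignClient(client, group string) error {
	gs, ok := s.clientGroups[client]
	if !ok {
		return fmt.Errorf("unknown client %q", client)
	}
	if !s.groups[group] {
		return fmt.Errorf("unknown group %q", group)
	}
	gs[group] = true
	return nil
}

// SecretsForClient returns, sorted, the secret names a client would receive
// from GET /secrets: every secret sharing at least one group with it. A client
// that is in no group gets an empty list, which is the "Added=0 Changed=0
// Deleted=0" result in the original log.
func (s *Store) SecretsForClient(client string) []string {
	var out []string
	cgs := s.clientGroups[client] // nil map reads safely as "no groups"
	for secret, sgs := range s.secretGroups {
		for g := range sgs {
			if cgs[g] {
				out = append(out, secret)
				break
			}
		}
	}
	sort.Strings(out)
	return out
}

// SecretPath is where keysync writes a secret: $secrets_directory/$client/$secret.
func SecretPath(secretsDir, client, secret string) string {
	return filepath.Join(secretsDir, client, secret)
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	s := NewStore()
	s.AddClient("client1")
	s.AddSecret("somesecret.key")
	fmt.Println("before assignment:", s.SecretsForClient("client1"))
	s.AddGroup("mygroup")
	must(s.AssignSecret("somesecret.key", "mygroup"))
	must(s.AssignClient("client1", "mygroup"))
	for _, name := range s.SecretsForClient("client1") {
		fmt.Println("keysync would write:", SecretPath("./testing/secrets", "client1", name))
	}
}
```

Adding the secret and the client is not enough: both must be assigned to the same group before the client's poll returns anything, and a second client left out of the group still sees nothing even though the secret exists.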