Better validation for CONJUR_AUTHN_LOGIN
doodlesbykumbi opened this issue
Is your feature request related to a problem? Please describe.
When the service broker has a `CONJUR_AUTHN_LOGIN` value that is not a host (e.g. `admin` or any user), and attempts to create a space host using the policy template, the endpoint in question errors with a 404. The 404 is a side-effect of the root cause, and so is confusing.

Here I explain the underlying error. The code for creating a space host can be found at https://github.com/cyberark/conjur-service-broker/blob/master/app/models/space_host_policy.rb#L24-L52. When the template is evaluated for a non-host `CONJUR_AUTHN_LOGIN` it results in the policy file below. Note `role: !host /` under `!permit`; this is because `ConjurClient.login_host_id` evaluates to `nil` for a non-host `CONJUR_AUTHN_LOGIN`, see https://github.com/cyberark/conjur-service-broker/blob/master/lib/conjur_client.rb#L55. This is the underlying issue: `!host /` generally doesn't exist, and even if it did this would not be the intended behavior by the caller.
```yaml
- !host
- !grant
  role: !layer
  member: !host
- !variable
  id: space-host-api-key
- !permit
  role: !host /
  privileges: [read]
  resource: !variable space-host-api-key
```
Describe the solution you would like

Granted, we do specify the following in the README, but it would be good to fail-fast and provide clear errors where possible.

> CONJUR_AUTHN_LOGIN: the identity of a Conjur Host (of the form host/host-id) with create and update privileges on CONJUR_POLICY. This account is used to add and remove Hosts from Conjur policy as apps are deployed to or removed from the platform.

Some possible solutions are:

- A clear error message with a more appropriate status code (e.g. 400) from the service broker when `CONJUR_AUTHN_LOGIN` is not a host.
- Health check fails if `CONJUR_AUTHN_LOGIN` is not a host.
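One way to implement the fail-fast check proposed above, as an added example that is not code from conjur-service-broker or from the issue author. The module, class and method names (`ConjurLoginValidator`, `InvalidLoginError`, `validate!`, `health`) are hypothetical; the real broker derives the host id in `ConjurClient.login_host_id`, which this example does not reproduce. The validator returns the host id for a `host/<host-id>` login and raises a descriptive error otherwise, so a caller can either abort at startup or map the error to a 400 and a failing health check instead of surfacing a 404 from a `!host /` policy.

```ruby
# Added example, not code from conjur-service-broker. All names here are
# hypothetical stand-ins for the broker's own ConjurClient.login_host_id logic.
module ConjurLoginValidator
  class InvalidLoginError < StandardError; end

  # Conjur host logins have the form "host/<host-id>". The host id may itself
  # contain slashes (e.g. "host/cf/my-org/broker"), so only the first segment
  # is treated as the role kind.
  HOST_PREFIX = 'host/'.freeze

  # Returns the host id for a valid host login ("host/cf/broker" -> "cf/broker").
  # Raises InvalidLoginError naming the bad value otherwise, so the caller can
  # fail fast at boot or translate the error into a 400 response.
  def self.validate!(login)
    if login.nil? || login.strip.empty?
      raise InvalidLoginError, 'CONJUR_AUTHN_LOGIN is not set'
    end

    unless login.start_with?(HOST_PREFIX)
      raise InvalidLoginError,
            "CONJUR_AUTHN_LOGIN must be a Conjur host of the form host/<host-id>, got #{login.inspect}"
    end

    host_id = login[HOST_PREFIX.length..-1]
    # Reject "host/" and any login with an empty path segment ("host//x", "host/x/"),
    # which would otherwise produce a role that does not exist in policy.
    if host_id.empty? || host_id.split('/', -1).any?(&:empty?)
      raise InvalidLoginError, "CONJUR_AUTHN_LOGIN #{login.inspect} has an empty host id segment"
    end

    host_id
  end

  # Non-raising form suitable for a health-check endpoint: returns a hash with
  # :status "ok" or "error" and a human-readable :message.
  def self.health(login)
    host_id = validate!(login)
    { status: 'ok', message: "CONJUR_AUTHN_LOGIN is host #{host_id}" }
  rescue InvalidLoginError => e
    { status: 'error', message: e.message }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample logins: one valid host, the "admin" user from the issue,
  # a bare prefix, and a user login.
  ['host/cf/broker', 'admin', 'host/', 'user/admin'].each do |login|
    puts "#{login.inspect}: #{ConjurLoginValidator.health(login)}"
  end
end
```

Calling `validate!` once at process start (for example where the broker reads its environment) turns a misconfigured `CONJUR_AUTHN_LOGIN` into an immediate, readable failure, and `health` gives a health-check endpoint a non-raising way to report the same condition.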