Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

error message says need "root" capabilities. Now called "sudo" in vault #4747

Closed
kmcvicker opened this issue Oct 4, 2018 · 3 comments
Closed

error message says need "root" capabilities. Now called "sudo" in vault #4747

kmcvicker opened this issue Oct 4, 2018 · 3 comments

Comments

@kmcvicker
Copy link

Nomad version

not sure, I run the vault server not the nomad server

Operating system and Environment details

linux

Issue

From the nomad error logs.

  • token must have one of the following capabilities ["update" "root"] on "auth/token/revoke-accessor"; has [deny]
  • token must have one of the following capabilities ["read" "root"] on "auth/token/roles/nomad-server"; has [deny]
  • token must have one of the following capabilities ["update" "root"] on "auth/token/create/nomad-server"; has [deny]

vault now uses "sudo" not "root" in the capabilities, same effect but different syntax

Reproduction steps

have the wrong permissions on vault paths.

Nomad Server logs (if appropriate)

Nomad Client logs (if appropriate)

Job file (if appropriate)
@angrycub
Copy link
Contributor

angrycub commented Oct 4, 2018
edited

There is a known issue with compatibility between older Vault versions (before Vault 0.10.0) with Nomad 0.8.5. This was corrected and additional testing to prevent regression added in Nomad 0.8.6 via #4698. Is it possible that you are encountering that combination?

Or is your concern that the label is incorrect? For the first error, the labels indicate that the token is expected to have update capability or be a root token, so root would be an appropriate capability to sense.

@angrycub
Copy link
Contributor

angrycub commented Oct 4, 2018

A follow-up comment: the sudo capability in Vault is used (when paired with an appropriate action capability—create,read,update,delete,list) to perform that action on "paths that are root-protected". Nomad does not use those paths, so does not require the sudo capability.

I will mark this resolved, but please ping back if this additional information doesn't resolve your concerns.

@angrycub angrycub closed this as completed Oct 4, 2018
@github-actions
Copy link

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 28, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@angrycub @kmcvicker