You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We want to use an external etcd for our sensu backen. We expected that after configuring it as described in the documentation is enough.
Current Behavior
While initializing the sensu backend, it fails with "permission denied" error. Because it requires the access to ".initialized" key too. After giving access to that key, initialization goes through without problem, but then the problem is that the sensu user has access to / key space too.
Possible Solution
Move the required ".initialized" key to "/sensu.io/.initialized".
Steps to Reproduce (for bugs)
Deploy an etcd cluster
Create sensu user and its roles as described in documentation
Init the sensu backend as described in documentation
Context
We want to limit the acces of sensu user to /sensu.io/ key space only, because we plan to have other applications using other key spaces.
Your Environment
Sensu version used (sensuctl, sensu-backend, and/or sensu-agent): 6.10.0
Here is some more information we just found out. When we check the keys in etcd, we see that only "/sensu.io/.initialized" key exists. ".initialized" key doesn't exist at all. This is really strange.
We just did a new test deployment and created a sensu user in etcd without access to ".initialized" key and during initialization we got the "permission denied" error again:
{"component":"etcd","level":"warning","logger":"etcd-client","caller":"[email protected]/retry_interceptor.go:62","msg":"retrying of unary invoker failed","target":"etcd-endpoints://0xc00098a1c0/etcd-1.etcd-headless.sensu-test.svc.cluster.local:2379","attempt":0,"error":"rpc error: code = PermissionDenied desc = etcdserver: permission denied","time":"2024-02-22T10:07:38Z"}
{"component":"cmd","level":"error","msg":"error seeding cluster, is cluster healthy? failed to create initializer lock: etcdserver: permission denied","time":"2024-02-22T10:07:38Z"}
After giving access to ".initialized" key, initialization goes through without problem, but as mentioned earlier, ".initialized" key doesn't exist in etcd. So it looks like sensu requires permissin to a key that it doesn't use at all?
Expected Behavior
We want to use an external etcd for our sensu backen. We expected that after configuring it as described in the documentation is enough.
Current Behavior
While initializing the sensu backend, it fails with "permission denied" error. Because it requires the access to ".initialized" key too. After giving access to that key, initialization goes through without problem, but then the problem is that the sensu user has access to
/
key space too.Possible Solution
Move the required ".initialized" key to "/sensu.io/.initialized".
Steps to Reproduce (for bugs)
Context
We want to limit the acces of sensu user to
/sensu.io/
key space only, because we plan to have other applications using other key spaces.Your Environment
The text was updated successfully, but these errors were encountered: