More why for the -orphan flag

Added a little more explanation about the why for creating the nomad service token with `-orphan` to reduce confusion about the orphan=false in the policy right above the example.
This commit is contained in:
Charlie Voiselle
2017-07-19 17:58:51 -04:00
parent dedb9127a3
commit d8fdae6564


@@ -62,7 +62,7 @@ occur:
The token Nomad receives must have the capabilities listed below. An explanation
for the use of each capability is given.
```
```hcl
# Allow creating tokens under "nomad-cluster" token role. The token role name
# should be updated if "nomad-cluster" is not used.
path "auth/token/create/nomad-cluster" {
@@ -208,7 +208,7 @@ available for download.
The below example assumes Vault is accessible, unsealed and the operator has
appropriate permissions.
```shell
```
# Download the policy and token role
$ curl https://nomadproject.io/data/vault/nomad-server-policy.hcl -O -s -L
$ curl https://nomadproject.io/data/vault/nomad-cluster-role.json -O -s -L
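Review bot: this hunk drops the `shell` tag from the fence that opens the `$ curl ...` block while the previous hunk adds `hcl` to the policy block, which leaves the two fences tagged inconsistently; if the tag was removed because the site's highlighter does not recognise `shell`, say so in the commit message or use a tag it does support, otherwise keep `shell` here.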
@@ -236,9 +236,11 @@ token_renewable true
token_policies [default nomad-server]
```
`-orphan` is included above to prevent revocation of the token when its parent expires.
See the [Vault token hierarchy](https://www.vaultproject.io/docs/concepts/tokens.html#token-hierarchies-and-orphan-tokens)
documentation for more information.
The `-orphan` flag is included when generating the Nomad server token above to prevent revocation of the token when its parent expires. Vault typically creates tokens with a parent-child relationship. When an ancestor token is revoked, all of its descendant tokens—and all of their leases—are revoked as well.
When generating Nomad's vault token, we need to ensure that revocation of the parent token does not revoke Nomad's token. To prevent this behavior we specify the `-orphan` flag when we create the Nomad service vault token. All other tokens generated by Nomad for jobs will be generated using the policy default of `orphan = false`
More general information about creating orphan tokens can be found in the Vault documentation, specifically at [Token Hierarchies and Orphan Tokens](https://www.vaultproject.io/docs/concepts/tokens.html#token-hierarchies-and-orphan-tokens).
The token can then be set in the server configuration's [vault block][config],
as a command-line flag, or via an environment variable.
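Review bot: the new sentence ending in `orphan = false` is missing its terminating period, and "Nomad's vault token" should read "Nomad's Vault token" to match the capitalisation used elsewhere in the paragraph. Since the point of the paragraph is that this token survives revocation of its parent, it would help operators to state the consequence plainly: an orphan token is only ever revoked by its own TTL running out (the hunk context shows `token_renewable true`, so it must be kept renewed) or by an operator revoking it directly, so the token's accessor should be recorded at creation time so it can be revoked promptly if the Nomad servers are compromised.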