Vault troubleshooting notes


    Vault errors

    1. Error when setting VAULT_ADDR

    failed to create client: parse 'http://127.0.0.1:8200': first path segment in URL cannot contain colon

    Fix: set VAULT_ADDR=http://127.0.0.1:8200 without quotes. Windows cmd keeps the quotes as part of the value, so the URL no longer starts with a scheme and Vault's URL parser reads it as a path segment that contains a colon.

    2. vault status
    Error checking seal status: Get https://127.0.0.1:8200/v1/sys/seal-status: http: server gave HTTP response to HTTPS client

    Fix: VAULT_ADDR was not set, so the CLI used its default address https://127.0.0.1:8200 against a plain-HTTP listener. Pass the address explicitly instead: vault status -address='http://*.*.*.*:8200'

    3. vault policy write app1 app1.hcl

    Error uploading policy: Error making API request.
    URL: PUT http://*.*.*.*:8200/v1/sys/policies/acl/app1
    Code: 403. Errors:
    * permission denied

    Fix: log in with the root token produced when Vault was initialized and unsealed, then write the policy.
    4. Unseal error: the third unseal key was rejected with key invalid. The cause was that the host and the virtual machine were pointed at the same database; once Vault on the host had been unsealed, the Vault in the virtual machine could no longer be unsealed.
    5. If the unseal keys and the root token are lost and the storage backend is MySQL, deleting Vault's data from the database lets you initialize Vault again and obtain a new token and new unseal keys (everything previously stored in Vault is lost together with that data).
    6. Starting Vault with vault server -config=vault.hcl fails:

    Error initializing storage of type mysql: failed to check mysql schema exist: dial tcp *.*.*.46:3306: connect: connection timed out

    Error initializing storage of type mysql: failed to check mysql schema exist: dial tcp 10.0.1.6:3306: connect: connection refused

    Database connectivity problem: Vault cannot reach the MySQL host given in the storage configuration (a timeout means the host or port is not reachable over the network; connection refused means nothing is listening on that port).

     
    Errors in Spring Boot
    1. Caused by: org.springframework.vault.VaultException: Status 403 Forbidden [secret/test-login]: 1 error occurred:
     * permission denied
    Fix: add the path's capabilities to the app's Vault policy and upload the updated policy file again with vault policy write app1 app1.hcl; the token does not need to be regenerated, because a token references its policies by name and the new rules apply on the next request.
    The same can be done in the Vault UI: the Policies section is only visible after logging in with the initial root token; update the policy there and the change takes effect immediately.
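An app1.hcl covering the three Vault paths this post's Spring Boot application hits (secret/test-login, database/creds/app1 and transit/encrypt/order), added here as an example rather than the post's own policy file. It assumes the KV mount at secret/ is version 1 (as the [secret/test-login] path in the error suggests; a KV v2 mount would use secret/data/test-login) and that the application also decrypts with the same transit key.

```hcl
# Added example policy for the app1 token; not the post's own app1.hcl.
# Only the paths the application actually uses are granted; Vault denies
# every path that is not listed.

# Static login credentials read by the application (KV v1 at secret/).
path "secret/test-login" {
  capabilities = ["read"]
}

# Dynamic MySQL credentials issued by the database secrets engine role app1.
path "database/creds/app1" {
  capabilities = ["read"]
}

# Transit encrypt/decrypt with the key named "order". Both are POST requests,
# so they need the "update" capability, not "read".
path "transit/encrypt/order" {
  capabilities = ["update"]
}

path "transit/decrypt/order" {
  capabilities = ["update"]
}

# Only needed if the application renews or revokes its database leases
# itself (older Spring Vault releases call sys/renew and sys/revoke instead).
path "sys/leases/renew" {
  capabilities = ["update"]
}

path "sys/leases/revoke" {
  capabilities = ["update"]
}
```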
     
     2. Caused by: java.lang.NullPointerException
     at com.example.logindemo.LogindemoApplication.initIt(LogindemoApplication.java:32)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
     at java.lang.reflect.Method.invoke(Method.java:498)
     at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor$LifecycleElement.invoke(InitDestroyAnnotationBeanPostProcessor.java:363)
     at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor$LifecycleMetadata.invokeInitMethods(InitDestroyAnnotationBeanPostProcessor.java:307)
     at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor.postProcessBeforeInitialization(InitDestroyAnnotationBeanPostProcessor.java:136)

     Problem and fix:

    Fetching the username and password at login failed because the database secrets engine had not been enabled in Vault; enable it with vault secrets enable database.

    3. Caused by: org.springframework.vault.VaultException: Status 400 Bad Request [database/creds/app1]: unknown role: app1; nested exception is org.springframework.web.client.HttpClientErrorException$BadRequest: 400 Bad Request

    Problem and fix:

    The database connection and the role have not been created in Vault yet:

    vault write database/config/my-mysql-database plugin_name=mysql-database-plugin connection_url="{{username}}:{{password}}@tcp(*.*.*.*:3306)/" allowed_roles="app1" username="test" password="123456"

    vault write database/roles/app1  db_name=my-mysql-database creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT,INSERT,UPDATE ON *.* TO '{{name}}'@'%';" default_ttl="1h" max_ttl="24h"

    4. org.springframework.vault.VaultException: Status 404 Not Found [transit/encrypt/order]: no handler for route 'transit/encrypt/order'; nested exception is org.springframework.web.client.HttpClientErrorException$NotFound: 404 Not Found
     at org.springframework.vault.client.VaultResponses.buildException(VaultResponses.java:85)
     at org.springframework.vault.core.VaultTemplate.write(VaultTemplate.java:322)
     at org.springframework.vault.core.VaultTransitTemplate.encrypt(VaultTransitTemplate.java:209)
     at org.springframework.vault.core.VaultTransitTemplate.encrypt(VaultTransitTemplate.java:188)
     at com.example.logindemo.handler.EncryptHandler.setNonNullParameter(EncryptHandler.java:35)
     at com.example.logindemo.handler.EncryptHandler.setNonNullParameter(EncryptHandler.java:19)
     at org.apache.ibatis.type.BaseTypeHandler.setParameter(BaseTypeHandler.java:69)
     at org.apache.ibatis.scripting.defaults.DefaultParameterHandler.setParameters(DefaultParameterHandler.java:87)
     at org.apache.ibatis.executor.statement.PreparedStatementHandler.parameterize(PreparedStatementHandler.java:94)
     at org.apache.ibatis.executor.statement.RoutingStatementHandler.parameterize(RoutingStatementHandler.java:64)
     at org.apache.ibatis.executor.SimpleExecutor.prepareStatement(SimpleExecutor.java:87)
     at org.apache.ibatis.executor.SimpleExecutor.doUpdate(SimpleExecutor.java:49)
     at org.apache.ibatis.executor.BaseExecutor.update(BaseExecutor.java:117)
     at org.apache.ibatis.executor.CachingExecutor.update(CachingExecutor.java:76)
     at org.apache.ibatis.session.defaults.DefaultSqlSession.update(DefaultSqlSession.java:197)
     at org.apache.ibatis.session.defaults.DefaultSqlSession.insert(DefaultSqlSession.java:184)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
     at java.lang.reflect.Method.invoke(Method.java:498)
     at org.mybatis.spring.SqlSessionTemplate$SqlSessionInterceptor.invoke(SqlSessionTemplate.java:433)
     at com.sun.proxy.$Proxy79.insert(Unknown Source)
     at org.mybatis.spring.SqlSessionTemplate.insert(SqlSessionTemplate.java:278)
     at org.apache.ibatis.binding.MapperMethod.execute(MapperMethod.java:62)
     at org.apache.ibatis.binding.MapperProxy.invoke(MapperProxy.java:58)
     at com.sun.proxy.$Proxy80.insert(Unknown Source)

    Fix: the transit secrets engine is not enabled; enable it in Vault with vault secrets enable transit

    5. Caused by: org.springframework.vault.VaultException: Status 500 Internal Server Error [database/creds/app1]: 1 error occurred:
     * Error 1045: Access denied for user 'test'@'*.*.*.*' (using password: YES)

    Problem and fix:

    MySQL privilege problem. The test account and the root account have different privileges; comparing the output of show grants for test with show grants for root showed that test lacked WITH GRANT OPTION.

    Log in as root and grant it to test: grant all on *.* to 'test'@'%' with grant option;

    Then recreate the database connection and the role in Vault:

    vault write database/config/my-mysql-database plugin_name=mysql-database-plugin connection_url="{{username}}:{{password}}@tcp(*.*.*.*:3306)/" allowed_roles="app1" username="test" password="123456"

    vault write database/roles/app1  db_name=my-mysql-database creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT,INSERT,UPDATE ON *.* TO '{{name}}'@'%';" default_ttl="1h" max_ttl="24h"

    6. Error: mysql secrets- is too long for user name (should be no longer than 16)

    Fix: switch the MySQL plugin to plugin_name=mysql-legacy-database-plugin, which generates user names short enough for older MySQL versions that limit user names to 16 characters; see https://github.com/hashicorp/vault/issues/4602

    vault write database/config/my-mysql-database plugin_name=mysql-legacy-database-plugin connection_url="{{username}}:{{password}}@tcp(*.*.*.*:3306)/" allowed_roles="app1" username="test" password="123456"

    vault write database/roles/app1  db_name=my-mysql-database creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT,INSERT,UPDATE ON *.* TO '{{name}}'@'%';" default_ttl="1h" max_ttl="24h"

    7. Error 1227: Access denied; you need (at least one of) the CREATE USER privilege(s) for this operation

    Fix: grant the account Vault connects with the CREATE USER privilege.
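Errors 5, 6 and 7 above all come from the MySQL side of the database secrets engine: the connection user must hold every privilege the role's creation_statements grant, with WITH GRANT OPTION, plus CREATE USER, and the generated user name must fit the server's limit. The following checker, added here and not part of the post, takes the post's role definition and constructed SHOW GRANTS lines for the connection user and reports which of those conditions would fail; the 29-character sample user name and the MySQL version strings are constructed, and the 16/32-character limits are MySQL's own (16 before 5.7.8, 32 from 5.7.8 on).

```python
import re
# Added example (not from the post): checks a Vault MySQL role's creation_statements
# against the Vault connection user's SHOW GRANTS lines and MySQL's user-name length
# limit, i.e. the conditions behind the post's Spring Boot errors 5, 6 and 7.
GRANT_RE = re.compile(
    r"^GRANT\s+(.+?)\s+ON\s+(\S+)\s+TO\s+\S+(\s+WITH\s+GRANT\s+OPTION)?\s*$", re.I)

def max_user_len(mysql_version: str) -> int:
    parts = tuple(int(p) for p in re.findall(r"\d+", mysql_version)[:3])
    return 32 if parts >= (5, 7, 8) else 16  # 16-char user names before MySQL 5.7.8

def parse_grant(stmt: str):
    """(privileges, scope, has_grant_option) for one GRANT statement, else None."""
    m = GRANT_RE.match(stmt.strip().rstrip(";"))
    if not m:
        return None
    privs = {p.strip().upper() for p in m.group(1).split(",")}
    return ({"ALL"} if privs & {"ALL", "ALL PRIVILEGES"} else privs,
            m.group(2), m.group(3) is not None)

def held_on(grants, scope):
    """Privileges and GRANT OPTION held on a scope; global (*.*) grants cover all."""
    hits = [g for g in map(parse_grant, grants) if g and g[1] in (scope, "*.*")]
    return set().union(*(g[0] for g in hits)), any(g[2] for g in hits)

def check_role(creation_statements, vault_user_grants, mysql_version, sample_user):
    """Reasons Vault's CREATE USER / GRANT for a new lease would fail, [] if none."""
    problems, limit = [], max_user_len(mysql_version)
    if len(sample_user) > limit:  # "... is too long for user name (should be no longer than 16)"
        problems.append(f"user name exceeds {limit} chars; use mysql-legacy-database-plugin")
    global_privs, _ = held_on(vault_user_grants, "*.*")
    for stmt in filter(None, (s.strip() for s in creation_statements.split(";"))):
        if stmt.upper().startswith("CREATE USER"):
            if not global_privs & {"ALL", "CREATE USER"}:  # MySQL Error 1227
                problems.append("CREATE USER privilege missing (Error 1227)")
        elif (parsed := parse_grant(stmt)):
            privs, scope, _ = parsed
            held, option = held_on(vault_user_grants, scope)
            if not option:  # granting to others needs WITH GRANT OPTION on that scope
                problems.append(f"GRANT on {scope}: WITH GRANT OPTION missing")
            missing = set() if "ALL" in held else privs - held
            if missing:  # and every privilege being granted must be held
                problems.append(f"GRANT on {scope}: missing {sorted(missing)}")
    return problems

CREATION = ("CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';"  # role from the post
            "GRANT SELECT,INSERT,UPDATE ON *.* TO '{{name}}'@'%';")
GRANTS_BEFORE = ["GRANT SELECT, INSERT, UPDATE ON *.* TO 'test'@'%'"]  # constructed SHOW GRANTS
GRANTS_AFTER = ["GRANT ALL PRIVILEGES ON *.* TO 'test'@'%' WITH GRANT OPTION"]  # after the fix
SAMPLE_USER = "v-token-app1-a1b2c3d4e5f6g7h8"  # constructed 29-char generated user name
```

check_role(CREATION, GRANTS_BEFORE, "5.6.40", SAMPLE_USER) reports all three problems, while the post's fixed grants on MySQL 5.7 or later report none.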

    Original post: https://www.cnblogs.com/meadow/p/11688585.html