
Add support for removing service instances, orgs, spaces #184

Open
izgeri opened this issue Jul 8, 2020 · 2 comments

Comments

@izgeri
Contributor

izgeri commented Jul 8, 2020

Is your feature request related to a problem? Please describe.

Migrated from pivotal-cf/docs-cyberark-conjur-service-broker#23 as reported by @whip113

It does not appear that the service broker will delete unneeded policy after a service instance, org or space is deleted. This will lead to database bloat and a large number of stale entries. The documentation currently doesn't provide any guidance on how to clean this up, and the action of loading a delete policy is manual and tedious.

Describe the solution you would like

[@whip113 - do you have any proposed solutions?]

Describe alternatives you have considered

A clear and concise description of any alternative solutions or features that may be related to this that you have considered.

Additional context

Add any other context information about the feature request here.

@izgeri
Contributor Author

izgeri commented Jul 8, 2020

Just noting here that in designing this service, we did consciously choose to not delete policy because it could lead to unexpected behavior. Some examples of the kind of behavior that would be concerning:

  • if someone loads additional custom policy in the CONJUR_POLICY branch, that may also be removed if branches are deleted on deprovision
  • if a host that is auto-created on bind or provision is (for some reason) used in another non-Cloud Foundry app, and on deprovision or unbind the host is deleted
  • (maybe less importantly, because this could be studied / validated) if entitlements are manually loaded in a separate policy branch (e.g. root) and a host or layer is later auto-deleted by the service broker, when the user attempts to reload the entitlement policy with changes it may fail when it doesn't find an included host or layer

If we have specific concerns about DAP / Conjur DB size in practice, it would be good to understand the scale that we're worried about so that we can enhance our load / performance tests to validate whether this will actually be a problem.

@whip113

whip113 commented Jul 10, 2020

Describe the solution you would like
Upon restaging an app, or deleting a service instance, ask the user if they'd like to delete the associated DAP policies

Describe alternatives you have considered
At a minimum, document the manual process for cleaning up the policies. This is what we've done with VCS, which also does not support deletion, so at least we have precedence. Note that customers will frown on this approach though. Still, it is better that they know about it in advance and have the tools, cumbersome and clunky as they are, to deal with the challenge.

Additional context
Security teams tend to prefer not to leave loose ends all over the place. Conversations with auditors are challenging enough, and having to answer to why there are N number of PCF apps that have access to secrets but don't "exist" in PCF is just making the job of our champions that much harder.
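The two approaches discussed in this thread, a manual cleanup policy (whip113's "document the manual process") and not auto-deleting anything the operator may still depend on (izgeri's concerns above), can be reconciled with a report-only audit. The following is an added example, not code from the issue or from the service broker project: it cross-checks broker-created Conjur host ids against the apps CF still reports as existing, skips any id that does not match the broker's naming shape (so custom policy in the same branch is left alone), and renders a `!delete` policy fragment for an operator to review and load by hand. The `cf/<org>/<space>/<app>` id layout, the branch name `cf`, and the sample data are all assumptions constructed for the example.

```python
# Added example (not from the issue or the service broker project): report-only
# audit of broker-created Conjur hosts whose CF app no longer exists.
# ASSUMED id layout: "<branch>/<org_guid>/<space_guid>/<app_guid>".
from dataclasses import dataclass

CONJUR_POLICY = "cf"  # assumed root branch the broker loads its policy under

# Constructed sample: what a listing of hosts under the branch might return.
CONJUR_HOSTS = [
    "cf/org-a/space-1/app-111",
    "cf/org-a/space-1/app-222",
    "cf/org-b/space-9/app-333",
    "cf/custom-host",            # operator-added host; must not be touched
]
# Constructed sample: app GUIDs that CF still knows about.
LIVE_APPS = {"app-111"}


@dataclass(frozen=True)
class Orphan:
    host_id: str
    app_guid: str


def find_orphans(hosts, live_apps, branch=CONJUR_POLICY):
    """Return broker-shaped hosts whose app GUID is absent from live_apps."""
    orphans = []
    for host_id in hosts:
        parts = host_id.split("/")
        if len(parts) != 4 or parts[0] != branch:
            continue  # not a broker-created id: leave custom policy alone
        app_guid = parts[3]
        if app_guid not in live_apps:
            orphans.append(Orphan(host_id, app_guid))
    return orphans


def delete_policy(orphans):
    """Render a Conjur policy fragment (to be loaded at root) that removes
    only the orphaned hosts; nothing is applied by this script."""
    lines = []
    for o in orphans:
        lines.append("- !delete")
        lines.append(f"  record: !host {o.host_id}")
    return "\n".join(lines) + ("\n" if lines else "")


if __name__ == "__main__":
    found = find_orphans(CONJUR_HOSTS, LIVE_APPS)
    for o in found:
        print(f"orphan: {o.host_id} (app {o.app_guid} not in CF)")
    print(delete_policy(found), end="")
```

The rendered fragment is deliberately left for a human to apply, so the entitlement-reload failure izgeri describes can be checked against separately loaded policy before anything is removed.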
