Segregate secrets per Follower

You can control which secrets are replicated to which Follower using data segregation. By default, all of the data from a Leader replicates to each Follower in a Conjur cluster. To improve the security of this data, you can segregate the data on a per-Follower basis to replicate only the sets of data that each specific Follower needs. For example, in a geographically distributed environment, an organization can limit region-specific data only to Followers that serve that region.

How it works

Data segregation uses replication sets to replicate specified sets of data only to certain Followers. Replication sets are defined in Conjur policy and use Conjur role-based access controls (RBAC) to add Conjur secrets to each set.

A replication set is assigned to a Conjur Follower during the Follower's initial configuration. Only the secrets that are included in that replication set are replicated to that Follower.

The Leader configuration creates a default replication set named Full, and replicates all secrets to Followers assigned to it. If no other replication set is assigned when a Follower is created, the Follower uses the Full replication set and the Leader replicates all data to it.

In the example shown in the following image, the Conjur Leader has four sets of data that it can replicate:

  • Data sets 1 and 2 are needed only by Followers that serve the United States.

  • Data sets 3 and 4 are needed only by Followers that serve the United Kingdom.

On the Leader, we create the following replication sets:

  • US, which replicates only data sets 1 and 2

  • UK, which replicates only data sets 3 and 4

The Full replication set exists by default and automatically contains all data on the Leader that could be replicated.

When we create a Follower (NY) that primarily serves the New York region, we specify the US replication set when generating the Follower seed to ensure that only data sets 1 and 2 are replicated to it. Likewise, when we create a Follower (London) that serves the London area, we specify the UK replication set to ensure that only data sets 3 and 4 are replicated to it. When we create a third Follower (HQ) and do not specify a replication set during its creation, the Follower is automatically assigned to the Full replication set and all data is replicated to it.

Data segregation example

Create replication sets

You use the evoke utility command evoke replication-set create to create named replication sets, which indicate the specific sets of data to replicate to a Follower. When you create a Follower seed, you assign a named replication set using the evoke command evoke seed follower --replication-set. For more information about the evoke commands, see Evoke command reference.

Data segregation configuration example

This section provides an example of segregating data in order to replicate only a set of data to a Conjur Follower. This example assumes that you have configured the environment for your Conjur cluster appropriately, deployed the Leader, and loaded policy with variables defined.

Before you begin

Before you create a Follower to associate with a specific set of data, you must:

  • Determine whether the default user name for the internal account, system, is already in use in your environment. If another account named system already exists, you can use the --internal-account flag for the evoke configure master command to specify a unique name for this account. For more information, see Evoke command reference.

  • Load policy with variables defined. For more information, see Load and manage policy.

  • Deploy the Conjur CLI and be familiar with its use. For more information, see Conjur CLI.

  • Prepare your environment and configure containers for your Conjur cluster. For more information, see Prepare Conjur environment for Docker or Podman deployment.

  • Deploy the Conjur Leader. For more information, see Configure the Conjur cluster.

Step 1: Create a replication set

On the Leader, use the evoke replication-set create command to create a replication set:

docker exec conjur-leader evoke replication-set create example-replication-set

Step 2: Add a secret to the replication set

To add a secret to a replication set, add the replication set to a role that has access to the secret.

You can add or modify the secrets associated with a replication set before or after Follower creation. To see what secrets are associated with each replication set, use the Conjur UI to export replication data. For more information, see View replicated data.
# policy/permit-example-replication.yaml

   # This policy is an example of adding a role to a replication set, which
   # cascades to any secrets this role has permissions to.

- !grant
  role: !host example-app
  member: !group
    account: system
    id: conjur/replication-sets/example-replication-set/replicated-data
docker run -it --rm \
   --network conjur \
   --volume "$PWD/cli-leader:/root" \
   cyberark/conjur-cli:8 \
   init \
   --account=my-org \
   --url=https://conjur-leader
 
docker run --rm \
   --network conjur \
   --volume "$PWD/cli-leader:/root" \
   cyberark/conjur-cli:8 \
   login \
   --username \
   --password="$(<admin_password)"
 
docker run --rm \
   --network conjur \
   --volume "$PWD/cli-leader:/root" \
   --volume "$PWD/policy:/policy" \
   cyberark/conjur-cli:8 \
   policy -b root -f /policy/permit-example-replication.yaml

Step 3: Create the Follower

  1. Create the Follower seed and ensure that you use the --replication-set flag to specify the replication set for the Follower:

    docker exec conjur-leader bash -c 'evoke seed follower --replication-set example-replication-set conjur-follower-example > /seed/follower-example.tar'
    If you do not use the --replication-set flag with the evoke seed follower command to assign an existing replication set to the Follower, the Follower is automatically assigned to the full replication set, which replicates all secrets to the Follower.
    You can assign a replication set to a Follower only during Follower seed creation. To change the replication set associated with a Follower, you must delete the existing Follower and redeploy with a new seed file.

  2. Unpack the seed and configure the Follower. For more information, see Deploy the Conjur Follower.

Step 4: Update the secret 

docker run --rm \
   --network conjur \
   --volume "$PWD/cli-leader:/root" \
   cyberark/conjur-cli:8 \
   variable set -i id -v value

View replicated data

You can view the data that is replicated to each Follower using the Export Replicated Data page in the Conjur UI.

Prerequisite

To view the replicated data, you must be granted the !user admin role.

- !grant
  role: !user admin
  members:
  - !user admin1

View replication data

  1. In the left navigation, go to Secrets > Replicated Data.

  2. If a data export link already exists for your current configuration, click the link under the Export Data button to download the CSV file.

  3. If no exported data link is available or you want to generate a new data export, click the Export Data button to generate a CSV file containing the replication data.

    This process might take several minutes. When the exported data is ready to download, a timestamped link to the CSV file appears under the Export Data button.

  4. Click the link to download the file.

    The CSV file lists each Follower with its corresponding replication set and the policies and variables assigned to that replication set.

For more information about the Conjur UI, see User interface.

Troubleshoot data segregation

To test and troubleshoot issues with data segregation, see Troubleshoot data segregation.