Caiyeon / goldfish

A HashiCorp Vault UI written with VueJS and Vault native Go API
https://vault-ui.io
Mozilla Public License 2.0

Bug: getting 403 on policy change approve #282

Closed VAdamec closed 6 years ago

VAdamec commented 6 years ago

Bug report:

Vault version: 0.9.5

Goldfish version: 0.9.0

Operating system: OL7

Steps to reproduce: just follow https://github.com/Caiyeon/goldfish/wiki/Production-Deployment

Expected behaviour: policy will be approved

Actual behaviour: getting 403

Temp fix

Updating the capabilities of the goldfish policy to give it access to sys/wrapping/wrap helps for approvals (no idea if it's a correct/safe approach), but the last approval gets a 403 for writing, so some piece is still missing.

Vault audit log:

... "approle","policies":["default","goldfish"], "path":"sys/wrapping/wrap", "error":"permission denied", ...

Changed policy

# [mandatory]
# store goldfish run-time settings here
# goldfish hot-reloads from this endpoint every minute
path "secret/goldfish" {
  capabilities = ["read", "update"]
}

# [optional]
# to enable transit encryption, see wiki for details
path "transit/encrypt/goldfish" {
  capabilities = ["read", "update"]
}
path "transit/decrypt/goldfish" {
  capabilities = ["read", "update"]
}

path "sys/wrapping/wrap" {
  capabilities = ["read", "update"]
}

Caiyeon commented 6 years ago

Goldfish needs the default policy, which includes wrapping and unwrapping. This is by design, and not a bug. The default policy is in the deployment steps in the wiki.

VAdamec commented 6 years ago

Well, as I said, I followed the production deployment, so the policies were created, but they don't contain any sys/wrapping section. See https://github.com/Caiyeon/goldfish/tree/master/vagrant/policies

VAdamec commented 6 years ago

goldfish/vagrant/policies/goldfish.hcl

# [mandatory]
# store goldfish run-time settings here
# goldfish hot-reloads from this endpoint every minute
path "secret/goldfish" {
  capabilities = ["read", "update"]
}

# [optional]
# to enable transit encryption, see wiki for details
path "transit/encrypt/goldfish" {
  capabilities = ["read", "update"]
}
path "transit/decrypt/goldfish" {
  capabilities = ["read", "update"]
}

path "sys/wrapping/wrap" {
  capabilities = ["read", "update"]
}

path "sys/wrapping/unwrap" {
  capabilities = ["read", "update"]
}

Mike-Dunton commented 6 years ago

@VAdamec See Step 1 here https://github.com/Caiyeon/goldfish/wiki/Production-Deployment

Specifically

vault write auth/approle/role/goldfish role_name=goldfish policies=default,goldfish \
secret_id_num_uses=1 secret_id_ttl=5m period=24h token_ttl=0 token_max_ttl=0

Here is more info on the default policy. To view the default policy, you can run the command

vault policy read default
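
To make the cause of the 403 concrete, here is an added example (not part of this thread, goldfish, or Vault): a small Python model of how Vault merges the policies attached to a token (policies=default,goldfish in the role above) and resolves one request path. The goldfish policy text is taken from the thread; the two "default" policies are constructed excerpts (a stock-shaped one containing only the sys/wrapping rules, and a migrated one without them), so confirm the real content with `vault policy read default`. The matching rules modelled (exact path first, then the longest trailing-`*` glob, `deny` overriding) are a simplification of Vault's ACL evaluation, not the project's code.

```python
import re

# Constructed input: the goldfish policy as posted earlier in this thread,
# before the reporter added the sys/wrapping rules.
GOLDFISH_POLICY = '''
# [mandatory]
path "secret/goldfish" {
  capabilities = ["read", "update"]
}
# [optional]
path "transit/encrypt/goldfish" {
  capabilities = ["read", "update"]
}
path "transit/decrypt/goldfish" {
  capabilities = ["read", "update"]
}
'''

# Constructed excerpt of a stock "default" policy (assumption: only the
# wrapping rules are shown). Verify with: vault policy read default
DEFAULT_STOCK = '''
path "sys/wrapping/wrap" {
  capabilities = ["update"]
}
path "sys/wrapping/lookup" {
  capabilities = ["update"]
}
path "sys/wrapping/unwrap" {
  capabilities = ["update"]
}
'''

# Constructed "default" policy carried over from an older Vault, which
# never received the wrapping rules (the situation described in the thread).
DEFAULT_MIGRATED = '''
path "auth/token/lookup-self" {
  capabilities = ["read"]
}
'''

# Matches the simple  path "..." { capabilities = [...] }  rules used here.
RULE = re.compile(r'path\s+"([^"]+)"\s*\{[^}]*?capabilities\s*=\s*\[([^\]]*)\]', re.S)


def parse_policy(hcl):
    """Return {path: set(capabilities)}; '#' comments are stripped first."""
    hcl = re.sub(r'#[^\n]*', '', hcl)
    return {path: set(re.findall(r'"([^"]+)"', caps)) for path, caps in RULE.findall(hcl)}


def merge_policies(*policies):
    """Merge every policy attached to the token: capabilities for the same
    path are unioned. This is why adding the wrap rule to the goldfish policy
    also papers over a default policy that lacks it."""
    merged = {}
    for hcl in policies:
        for path, caps in parse_policy(hcl).items():
            merged.setdefault(path, set()).update(caps)
    return merged


def capabilities_for(merged, request_path):
    """Exact path wins; otherwise the longest matching trailing-* glob.
    A 'deny' in the chosen rule overrides every other capability."""
    if request_path in merged:
        caps = merged[request_path]
    else:
        globs = [p for p in merged if p.endswith("*") and request_path.startswith(p[:-1])]
        caps = merged[max(globs, key=len)] if globs else set()
    return {"deny"} if "deny" in caps else set(caps)


def check(merged, request_path, needed):
    """Outcome as it would appear in the audit log for one request."""
    return "ok" if needed in capabilities_for(merged, request_path) else "permission denied"


if __name__ == "__main__":
    for name, default in (("stock default", DEFAULT_STOCK), ("migrated default", DEFAULT_MIGRATED)):
        merged = merge_policies(default, GOLDFISH_POLICY)
        for path in ("sys/wrapping/wrap", "sys/wrapping/unwrap", "secret/goldfish"):
            print(f"{name:17} {path:22} update -> {check(merged, path, 'update')}")
```

Running it shows the thread's two outcomes side by side: with the stock default policy every sys/wrapping/* request succeeds, while with the migrated one `sys/wrapping/wrap` is denied, exactly as in the audit log above. The reporter's temporary fix of adding only `sys/wrapping/wrap` to the goldfish policy unblocks the wrap call but still leaves `sys/wrapping/unwrap` denied, which matches the "last approval gets 403" symptom; fixing the default policy is the proper repair.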

VAdamec commented 6 years ago

You're right, my default policy was way different than it should be (migrated from older versions of Vault). So the only thing which doesn't work is transit encryption. I'll do another ticket, thanks.