izgeri
commented
3 years ago @telday is it possible that this is not a bug? technically the resource !:!:root is in the account !, which is different than the account you're sending with the request
Closed telday closed 3 years ago
izgeri
commented
3 years ago @telday is it possible that this is not a bug? technically the resource !:!:root is in the account !, which is different than the account you're sending with the request
telday
commented
3 years ago @izgeri I opened this issue based on a slack conversation I had with @micahlee, I believe he is still looking into it and may be able to provide more info.
micahlee
commented
3 years ago Okay, @telday. I was able to confirm that the reason it shows up in DAP and not in OSS by default is because of the permissions.
If you grant the membership to root as it is in DAP, !:!:root does show up. For example, using the Conjur quick start:
$ docker-compose exec conjur bashAnd in the container:
$ rails console
irb(main):001:0> Role['!:!:root'].grant_to Role['dev:user:admin'], admin_option: true
=> #<RoleMembership @values={:role_id=>"!:!:root", :member_id=>"dev:user:admin", :admin_option=>true, :ownership=>false, :policy_id=>nil}>And then calling the endpoint returns:
$ curl -k -H "$AUTH_HEADER" https://localhost:8443/roles/dev/user/admin\?all
["dev:user:admin","!:!:root"]%In this case, everything is working as expected. I will close this issue now. Thanks again for filing it!
Summary
When the
/roles/{account}/{kind}/{identifier}?allendpoint is queried in Conjur the resulting list should contain!:!:roothowever it does not.NOTE: This behavior is exclusive to Conjur, it does not occur when running against a DAP instance.
Steps to Reproduce
Steps to reproduce the behavior:
-aflag to specify an accountThe response will not contain
!:!:rootExpected Results
The result should contain
!:!:rootReproducible
Version/Tag number
Running against the
edgedocker image.