Closed telday closed 3 years ago
@telday is it possible that this is not a bug? technically the resource !:!:root is in the account !, which is different than the account you're sending with the request
@izgeri I opened this issue based on a slack conversation I had with @micahlee, I believe he is still looking into it and may be able to provide more info.
Okay, @telday. I was able to confirm that the reason it shows up in DAP and not in OSS by default is because of the permissions.
If you grant the membership to root as it is in DAP, !:!:root does show up. For example, using the Conjur quick start:
$ docker-compose exec conjur bash
And in the container:
$ rails console
irb(main):001:0> Role['!:!:root'].grant_to Role['dev:user:admin'], admin_option: true
=> #<RoleMembership @values={:role_id=>"!:!:root", :member_id=>"dev:user:admin", :admin_option=>true, :ownership=>false, :policy_id=>nil}>
And then calling the endpoint returns:
$ curl -k -H "$AUTH_HEADER" https://localhost:8443/roles/dev/user/admin\?all
["dev:user:admin","!:!:root"]%
In this case, everything is working as expected. I will close this issue now. Thanks again for filing it!
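The behaviour confirmed above, as an added example that is not part of the thread and is not Conjur's own code: a simplified Ruby model that treats the `?all` result as the role itself plus every role reachable through membership grants, so `!:!:root` appears only once a grant to it exists. The `Membership` struct, the helper names and the sample tables are constructed for illustration; `cross_account_roles` is an extra audit-style check for roles held outside the caller's own account.

```ruby
require 'set'

# Constructed stand-in for a membership row: member_id holds role_id.
Membership = Struct.new(:role_id, :member_id)

# Hypothetical helper: every role reachable from role_id by following
# memberships, with the starting role itself listed first.
def all_roles(memberships, role_id)
  seen = Set[role_id]
  queue = [role_id]
  until queue.empty?
    current = queue.shift
    memberships.each do |m|
      next unless m.member_id == current
      # Set#add? returns nil for a role already seen, which stops cycles.
      queue << m.role_id if seen.add?(m.role_id)
    end
  end
  seen.to_a
end

# Account part of an id such as "dev:user:admin" or "!:!:root".
def account_of(role_id)
  role_id.split(':', 3).first
end

# Roles in the expansion that live outside the starting role's account.
def cross_account_roles(memberships, role_id)
  all_roles(memberships, role_id).reject { |r| account_of(r) == account_of(role_id) }
end

# Constructed tables: no grant (quick start default) and the grant from the thread.
OSS_DEFAULT = [].freeze
WITH_GRANT  = [Membership.new('!:!:root', 'dev:user:admin')].freeze

p all_roles(OSS_DEFAULT, 'dev:user:admin')
p all_roles(WITH_GRANT, 'dev:user:admin')
p cross_account_roles(WITH_GRANT, 'dev:user:admin')
```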
Summary
When the /roles/{account}/{kind}/{identifier}?all endpoint is queried in Conjur the resulting list should contain !:!:root however it does not.
NOTE: This behavior is exclusive to Conjur, it does not occur when running against a DAP instance.
Steps to Reproduce
Steps to reproduce the behavior:
-a flag to specify an account
The response will not contain !:!:root
Expected Results
The result should contain !:!:root
Reproducible
Version/Tag number
Running against the edge docker image.