Open mdegel opened 1 year ago
This is functioning as designed, although the Vault documentation is severely lacking in a correct explanation of what the design is...
The identity.groups.
lookups are not only a way to avoid writing IDs in policy text - they also cause the entire path
block to conditionally only apply at run time, if the entity being checked against the policy, is a member of the relevant group.
Since your user testing
is not a member of secret_users
, the described policy does not apply to it.
Thanks for the answer. Adding the user testing
to the group secret_users
indeed solves my problem.
Just to clarify: If I use a templated ACL for resolving a group, I always must be a member of any group I'm referring to? Is there any documentation, why this is implemented that way (at least to me that's not necessarily expected behavior)? Also is the approach described feasible (having an admin group, which is allowed to manage user groups), or is it maybe the wrong concept in the first place (judging from Vaults design concept)?
If I use a templated ACL for resolving a group, I always must be a member of any group I'm referring to?
Yes.
Is there any documentation, why this is implemented that way (at least to me that's not necessarily expected behavior)?
No - or at least, if there is, I've never found it.
Also is the approach described feasible (having an admin group, which is allowed to manage user groups)
It is doable, but as you've already discovered, becomes a bit messy, since you have to block the restricted admin group from also reconfiguring policies attached to the group.
Also, if a member of secret_admin
adds someone who is supposed to have global Vault administrative powers to secret_admin
, the intended global admin will now find themself blocked from modifying the policies assigned to the secret_users
group, or being able to delete it!
Vault policies can combine in surprising ways. Making delegated administration work as you desire can be difficult.
Describe the bug When using ACL for resolving the id of a group by name for a path access in a policy, this seems not to work. Example policy:
Attempting to modify the group with this policy ends in permission denied.
To Reproduce Steps to reproduce the behavior:
Replacing the template with the group id directly (by looking it up), fixes the issue (group can be modified as intended). Example:
-->
Expected behavior Using the ACL with the template should work.
Environment: