hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

Allow multiple aliases for the same (entity, mount_accessor) tuple #24853

Open cgaspar-deshaw opened 7 months ago

cgaspar-deshaw commented 7 months ago

Is your feature request related to a problem? Please describe.
For some auth methods (e.g. Kerberos) multiple AuthN identities (someuser@REALM1 and someuser@REALM2) may map to the same AuthZ identity (someuser). With the current uniqueness constraint in place, we're forced to create duplicate entities, even though they don't differ at all.

Describe the solution you'd like
Remove the (entity, mount_accessor) uniqueness constraint (https://github.com/hashicorp/vault/blob/bc9be554cb4cc991a4e8d4bc806751cb4609c984/vault/identity_store_aliases.go#L303-L307). I don't see any benefit to it, or harm in removing it.

Describe alternatives you've considered
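To make the constraint under discussion concrete, here is a small in-memory model of identity aliases, added as an example; it is not Vault's code and does not reproduce the logic in identity_store_aliases.go. It assumes a toy store with two checks: the (mount_accessor, name) key that login resolution depends on is always unique, and the (entity, mount_accessor) constraint the issue asks to remove can be switched on or off. The mount accessor and entity IDs are constructed placeholders.

```go
package main

import (
	"errors"
	"fmt"
)

// Alias models an identity alias: a login identity (Name) on one auth
// mount (MountAccessor) that resolves to a single entity (CanonicalID).
type Alias struct {
	Name          string
	MountAccessor string
	CanonicalID   string
}

// Store is a toy identity store (assumption: not Vault's implementation).
type Store struct {
	aliases              []Alias
	OnePerEntityAndMount bool // the (entity, mount_accessor) constraint from the issue
}

var (
	ErrDuplicateName      = errors.New("alias name already registered on this mount")
	ErrEntityAlreadyBound = errors.New("entity already has an alias on this mount accessor")
)

// AddAlias registers an alias. The (mount accessor, name) key is always
// unique so that a login maps to exactly one entity; the per-entity
// constraint is only applied when OnePerEntityAndMount is set.
func (s *Store) AddAlias(a Alias) error {
	for _, existing := range s.aliases {
		if existing.MountAccessor != a.MountAccessor {
			continue
		}
		if existing.Name == a.Name {
			return ErrDuplicateName
		}
		if s.OnePerEntityAndMount && existing.CanonicalID == a.CanonicalID {
			return ErrEntityAlreadyBound
		}
	}
	s.aliases = append(s.aliases, a)
	return nil
}

// Resolve is the login-time lookup: (mount accessor, name) -> entity ID.
func (s *Store) Resolve(mountAccessor, name string) (string, bool) {
	for _, a := range s.aliases {
		if a.MountAccessor == mountAccessor && a.Name == name {
			return a.CanonicalID, true
		}
	}
	return "", false
}

// KerberosScenario attaches someuser@REALM1 and someuser@REALM2 (constructed
// sample principals on one Kerberos mount) to the same entity and returns
// the error, if any, from registering the second alias.
func KerberosScenario(strict bool) error {
	s := &Store{OnePerEntityAndMount: strict}
	const mount = "auth_kerberos_PLACEHOLDER" // placeholder accessor, not a real one
	const entity = "entity-someuser"           // placeholder entity ID
	if err := s.AddAlias(Alias{Name: "someuser@REALM1", MountAccessor: mount, CanonicalID: entity}); err != nil {
		return err
	}
	return s.AddAlias(Alias{Name: "someuser@REALM2", MountAccessor: mount, CanonicalID: entity})
}

func main() {
	fmt.Println("with constraint:   ", KerberosScenario(true))  // entity already bound
	fmt.Println("without constraint:", KerberosScenario(false)) // <nil>
}
```

In this model the only key that login resolution consults is (mount_accessor, name), which stays unique either way; the per-entity check is what forces the second principal onto a duplicate entity. When reviewing a change like the one requested, the property to verify is that Resolve still returns exactly one entity for every (mount, name) pair after the constraint is relaxed.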

dnlopes commented 7 months ago

I already hit this limitation as well. While I don't exactly understand why, I'm guessing there are good reasons for this limitation to be in place.