Open marcboudreau opened 5 years ago
They're not commonly used, but read and delete can take parameters, so this behavior is correct per se. We might be able to enhance it to allow different capabilities provided in different path statements to have different params by capability type.
Agreed. Thanks for considering this issue.
I've just run into this myself. Is there any suggested workaround?
I would assume that this must be a reasonably common situation - almost any time that parameters are required for a create/update, they would not be required for read/delete, and having read access on a path that one has write access to must be pretty common.
Also, I notice that delete works without supplying the required parameters - I haven't checked the source to see if it is being special-cased.
I've tried two separate policies on the same path. Nevertheless, when I add them to one user I had the same issue. I more or less could understand when the system combines two rules from one policy, but why the system merges two policies in one is a complete secret for me. I think the next solution will work - create 2 different users with 2 different policies one will only read another write, but as you understand it is extremely uncomfortable. It needs to be fixed. Vault v.1.4.1
They're not commonly used, but read and delete can take parameters, so this behavior is correct per se. We might be able to enhance it to allow different capabilities provided in different path statements to have different params by capability type.
With the described situation
vault read -field=parameter engine/secret
fails also. Maybe there are some other ways to read with a parameter, but I hadn't found them. Could you please give an alternative command?
Issues that are not reproducible and/or have not had any interaction for a long time are stale issues. Sometimes even the valid issues remain stale lacking traction either by the maintainers or the community. In order to provide faster responses and better engagement with the community, we strive to keep the issue tracker clean and the issue count low. In this regard, our current policy is to close stale issues after 30 days. If a feature request is being closed, it means that it is not on the product roadmap. Closed issues will still be indexed and available for future viewers. If users feel that the issue is still relevant but is wrongly closed, we encourage reopening them.
Please refer to our contributing guidelines for details on issue lifecycle.
Hi folks! Is this still an issue in newer versions of Vault? Please let me know so I can bubble it up accordingly. Thanks!
Hi folks! Is this still an issue in newer versions of Vault? Please let me know so I can bubble it up accordingly. Thanks!
Yes, this is still an issue at least in Vault 1.15.5
Describe the bug When a policy which grants the
create
,read
,update
, anddelete
capabilities, but also includes a required_parameters constraint is applied for a path. All requests, includingread
anddelete
must include the required parameters.To Reproduce Steps to reproduce the behavior:
ssh
ssh/roles/any
, which is covered by the policy in placeURL: GET http://127.0.0.1:8200/v1/ssh/roles/any Code: 403. Errors:
1 error occurred:
permission denied
$ docker exec -e VAULT_TOKEN=token vault vault read ssh/roles/any max_ttl=60m0s No value found at ssh/roles/any
Expected behavior I expected the result of step 6 (above) to be exactly the same as step 7.
Environment:
vault status
):vault version
):Server: Docker Engine - Community Engine: Version: 18.09.0 API version: 1.39 (minimum version 1.12) Go version: go1.10.4 Git commit: 4d60db4 Built: Wed Nov 7 00:55:00 2018 OS/Arch: linux/amd64 Experimental: true $ uname -a Darwin [hostname] 18.2.0 Darwin Kernel Version 18.2.0: Fri Oct 5 19:41:49 PDT 2018; root:xnu-4903.221.2~2/RELEASE_X86_64 x86_64