search

hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/
Other
31.19k stars 4.21k forks source link

Show more information in the UI for authentication/access #6067

Open jasonmcintosh opened 5 years ago

jasonmcintosh commented 5 years ago

Is your feature request related to a problem? Please describe. The UI for backends tends to be limited. As an admin, it'd be nice to be able to do a couple of things: 1) Be able to list groups in Okta path like you can do on the clii (e.g. vault list auth/okta/groups and vault list auth/approle/role/) 2) Show policies for any given auth path (e.g. vault read auth/okta/groups/somegroup) 3) Show policies for a given Auth Token (e.g. vault read auth/token) 4) Show your OWN policy information (e.g. vault read auth/token/lookup-self) 5) Ability to lookup up a token's policies (e.g. vault read auth/token/lookup token=12341234)

Describe the solution you'd like Several additions to the GUI making debugging user sessions and group membership easier

Describe alternatives you've considered We can use the CLI - and it works - just would be nice if it was in the GUI

Explain any additional use-cases Would be handy to also show the latest failed requests from the GUI vs. having to dig through external log files.

meirish commented 5 years ago

Hello @jasonmcintosh ! We know that the functionality of the UI with regards to auth methods is currently lacking, and we're working to bring more CRUD functionality (list, read, edit, delete, etc) for the auth methods and the secret methods that aren't currently supported to the UI.

Given that this will be a gradual rollout and still likely a ways off - have you seen the Web CLI? It's meant to provide an "escape hatch" for functionality that the UI doesn't yet support natively. Much of what you're asking for is possible in the web CLI today (though it's not as full-fledged as the CLI).

I've attached a gif of an example of what you can do (note the vault part of the command is optional):

web-cli-usage

ytjohn commented 5 years ago

I would also be interested in this, especially the listing of an auth method's groups, users, and associated policies. Prior to Vault UI being released, I used Goldfish, and we still keep an instance around for this aspect. Their "Users" page shows the result of doing list auth/ldap/groups, list auth/ldap/users, and then doing a read on each group and user.

image

Ultimately, the goal is an easier way to see who is part of a particular policy.

ryanelian commented 4 years ago

I am very interested in Vault UI for AppRole management (allow creating / showing AppRole ID and secret ID and mapping policies to those AppRoles...)

Right now (CMIIW) AppRole management requires CLI to operate, which can be cumbersome at times.

candlerb commented 3 years ago

+1 for a user to be able to display their own info (i.e. read auth/token/lookup-self and read identity/entity/id/<id>). I was expecting to see something like this in the user drop-down menu at the top-right.

(Aside: in the regular CLI, I would do vault token lookup and this option isn't available in the web CLI - but vault read auth/token/lookup-self does the same)