nyxcharon / vault-ui

A webapp for working with Hashicorp's Vault https://github.com/hashicorp/vault
GNU General Public License v3.0

Unable to access secrets using ldap auth #22

Closed lagrianitis closed 7 years ago

lagrianitis commented 7 years ago

Hello, I am using Vault 0.6.2 with LDAP authentication. I am stuck on the following bug/error:

Vault policy (output of vault policies secret):

path "sys/" { policy = "read" }
path "secret/" { policy = "write" }
path "secret/foo" { policy = "read" }
path "auth/token/lookup-self" { policy = "read" }

vault auth -method=ldap username=testuser

Successfully authenticated! You are now logged in.
The token below is already saved in the session. You do not need
to "vault auth" again with the token.

token: 00000000-11aa-aa00-111f-42f31e766282
token_duration: 2763360
token_policies: [default secret]

In Vault-ui I am able to authenticate using my ldap credentials:

[pid: 9462|app: 0|req: 6/7] 192.168.168.1 () {44 vars in 860 bytes} [Tue Oct 18 15:01:18 2016] GET /login?next=http%3A%2F%2F192.168.168.162%2F => generated 1790 bytes in 3 msecs (HTTP/1.1 200) 2 headers in 81 bytes (1 switches on core 1)
[pid: 9464|app: 0|req: 2/8] 192.168.168.1 () {50 vars in 1054 bytes} [Tue Oct 18 15:01:23 2016] POST /login?next=http%3A%2F%2F192.168.168.162%2F => generated 209 bytes in 3601 msecs (HTTP/1.1 302) 4 headers in 295 bytes (1 switches on core 1)
[pid: 9462|app: 0|req: 7/9] 192.168.168.1 () {46 vars in 927 bytes} [Tue Oct 18 15:01:27 2016] GET / => generated 2535 bytes in 1 msecs (HTTP/1.1 200) 2 headers in 81 bytes (1 switches on core 0)

I can also get the policies:

[pid: 9462|app: 0|req: 8/10] 192.168.168.1 () {44 vars in 864 bytes} [Tue Oct 18 15:04:35 2016] GET /policies => generated 3718 bytes in 7 msecs (HTTP/1.1 200) 2 headers in 81 bytes (1 switches on core 1)

Any other option gives me a permission denied with a similar uwsgi exception (e.g. secrets):

Traceback (most recent call last):
  File "/u01/app/vault-ui/env/lib/python2.7/site-packages/flask/app.py", line 2000, in __call__
    return self.wsgi_app(environ, start_response)
  File "/u01/app/vault-ui/env/lib/python2.7/site-packages/flask/app.py", line 1991, in wsgi_app
    response = self.make_response(self.handle_exception(e))
  File "/u01/app/vault-ui/env/lib/python2.7/site-packages/flask/app.py", line 1567, in handle_exception
    reraise(exc_type, exc_value, tb)
  File "/u01/app/vault-ui/env/lib/python2.7/site-packages/flask/app.py", line 1988, in wsgi_app
    response = self.full_dispatch_request()
  File "/u01/app/vault-ui/env/lib/python2.7/site-packages/flask/app.py", line 1641, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/u01/app/vault-ui/env/lib/python2.7/site-packages/flask/app.py", line 1544, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/u01/app/vault-ui/env/lib/python2.7/site-packages/flask/app.py", line 1639, in full_dispatch_request
    rv = self.dispatch_request()
  File "/u01/app/vault-ui/env/lib/python2.7/site-packages/flask/app.py", line 1625, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "./decorators.py", line 10, in decorated_function
    return f(*args, **kwargs)
  File "app.py", line 59, in secrets
    return render_template('secrets.html', secrets=vault_secrets(session['vault_token']))
  File "./vault.py", line 42, in vault_secrets
    secrets = client.list('secret')['data']['keys']
  File "/u01/app/vault-ui/env/lib/python2.7/site-packages/hvac/v1/__init__.py", line 56, in list
    return self._get('/v1/{}'.format(path), params=payload).json()
  File "/u01/app/vault-ui/env/lib/python2.7/site-packages/hvac/v1/__init__.py", line 894, in _get
    return self.__request('get', url, **kwargs)
  File "/u01/app/vault-ui/env/lib/python2.7/site-packages/hvac/v1/__init__.py", line 936, in __request
    self.raise_error(response.status_code, text, errors=errors)
  File "/u01/app/vault-ui/env/lib/python2.7/site-packages/hvac/v1/__init__.py", line 946, in raise_error
    raise exceptions.Forbidden(message, errors=errors)
hvac.exceptions.Forbidden: permission denied
[pid: 9462|app: 0|req: 9/11] 192.168.168.1 () {44 vars in 870 bytes} [Tue Oct 18 15:05:38 2016] GET /secrets => generated 0 bytes in 13 msecs (HTTP/1.1 500) 0 headers in 0 bytes (0 switches on core 0)

Because of this, nginx is returning a 502 Bad Gateway.

I can access secrets normally with my LDAP user using the Vault CLI.

Any pointers or help would be appreciated.

nyxcharon commented 7 years ago

You get this permission denied error because of your policy. Specifically

path "secret/" {
  policy = "write"
}

needs a * added to it to allow recursive lookups for nested directories (i.e. secret/somedir/somesecret):

path "secret/*" {
  policy = "write"
}

Without the wildcard you can list secret/ fine using the CLI, but secret/somedir/foo gets permission denied. Adding the wildcard allows the app (as well as the CLI) to do the lookups it needs on each folder.

The app needs to handle this better and just not display these paths on that page instead of the current error page. I'll work on getting that fixed.

Let me know if that policy change fixes things for you.
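To make the difference between "secret/" and "secret/*" concrete, here is a small Python model of Vault-style policy path matching. It is an added illustration for this thread, not code from vault-ui or Vault: it reduces Vault's matcher to exact match first, then longest glob prefix, then implicit deny, and assumes the 0.6-era expansion of the read/write shorthand into capabilities. The policy text is the one posted in the issue.

```python
import re

# Vault 0.6-era shorthand policies and the capabilities they expand to (assumed).
POLICY_CAPABILITIES = {
    "deny": set(),
    "read": {"read", "list"},
    "write": {"create", "read", "update", "delete", "list"},
}

# Only the narrow `path "..." { policy = "..." }` shape quoted in the issue is parsed.
RULE_RE = re.compile(r'path\s+"([^"]+)"\s*\{\s*policy\s*=\s*"([^"]+)"\s*\}')


def parse_policy(hcl_text):
    """Return a list of (path, capabilities) tuples from the simplified HCL."""
    return [(path, POLICY_CAPABILITIES[pol]) for path, pol in RULE_RE.findall(hcl_text)]


def match_rule(rules, request_path):
    """Rule governing request_path: exact match first, else longest glob prefix, else deny.
    A rule path ending in '*' is a glob and matches any request path that starts with
    the text before the '*'. A rule without '*' matches only that exact path.
    """
    best_len, best_caps = -1, set()
    for path, caps in rules:
        if path == request_path:
            return caps
        if path.endswith("*"):
            prefix = path[:-1]
            if request_path.startswith(prefix) and len(prefix) > best_len:
                best_len, best_caps = len(prefix), caps
    return best_caps  # empty set == implicit deny


def is_allowed(rules, request_path, capability):
    return capability in match_rule(rules, request_path)


# The reporter's policy as posted, and the wildcard fix suggested in the reply.
ORIGINAL_POLICY = '''
path "sys/" { policy = "read" }
path "secret/" { policy = "write" }
path "secret/foo" { policy = "read" }
path "auth/token/lookup-self" { policy = "read" }
'''
FIXED_POLICY = ORIGINAL_POLICY.replace('path "secret/"', 'path "secret/*"')

if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_POLICY), ("fixed", FIXED_POLICY)):
        rules = parse_policy(text)
        for p in ("secret/", "secret/foo", "secret/somedir/", "secret/somedir/foo"):
            print(f"{label:8} list {p:20} -> {is_allowed(rules, p, 'list')}")
```

Under the original policy only the top-level secret/ and the exact secret/foo match, so listing any subfolder is denied; under the fixed policy the glob covers every nested path while the exact secret/foo rule still wins over the glob for that one path.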

nyxcharon commented 7 years ago

I updated the code to handle these exceptions for secrets in 92c016695779e824d98f02ab121f948187d72d0c and everything else in 8e78e4f64263e426f677c9f8b8cc85d5c8d143b7

nyxcharon commented 7 years ago

I'm going to close this for now. If you still have issues, feel free to re-open this.