Where can I find a guide about identity/entities/aliases?


Daniel Fluk

Jun 25, 2018, 8:58:10 AM6/25/18
to Vault
Hello,
I'm currently experimenting with your product.

I need help to further understand the access control methods employed in your product.
I have created a few users through the CLI client on the server I've set up with my vault installation, but I have run into some issues in regards to applying access control policies correctly.
For example, I've noticed that if I apply an access control policy through the CLI via:

"vault write auth/userpass/users/test policies=admin"

Then, when I log in with the credentials of this account, I can observe that I do indeed have administrative privileges.
But when I try to access the entity and view its policies, they are blank (via the GUI).

From your documentation, it is pointed out that the write command indeed creates the user. But the behavior we witnessed causes us to question several things:

1. The created user does not exist in the GUI through another administrator account, until we log in. We are not privy or certain regarding the inner process that occurs before or after the alleged 'creation of the user'.
2. The created user's policies cannot be viewed through the GUI, but only through the CLI. We think that somehow, the 'user created' is actually an alias with a randomly generated entity appended to it, and the alias is the one that receives the policy.
3. We cannot view the alias's policies as a result.

We would like to know more information regarding the user creation process, alias/entity/whathaveyou, and how to manage access control in a uniform way - whether it's a user or it's an alias.

Thank you!

Vishal Nayak

Jun 25, 2018, 9:39:55 AM6/25/18
to vault...@googlegroups.com
Hi Daniel,

The policies that are being set in the userpass backend are part of the
token authorization workflow and not related to the identity system
workflow. The details of how the token authorization works are
described here https://www.vaultproject.io/docs/concepts/policies.html.

Unfortunately, as of now, there isn't an extensive guide that details
setting policies through entities. But, here's how it works.
An entity can be created and policies set on it. An entity is
comprised of one or many aliases. For the example you are describing,
you would create an entity and attach an alias to that entity. The
combination of the user name "test" and the mount accessor for the
"auth/userpass" would define the alias. The concepts related to the
identity system are detailed here
https://www.vaultproject.io/docs/secrets/identity/index.html.

Once an entity is created, if the user "test" logs in,
the token will have the respective entity ID. A lookup of the
generated token should respond with "policies" which are granted
through the backend (the "admin" policy) and "identity_policies" which
are granted through the identity of the user (the policy you would
have set on the entity).

If the user "test" logs in before the entity is created, Vault
automatically creates an entity and attaches the alias to it, but
there won't be any policies on the entity. If you assign a policy to
that entity, subsequent logins by the same user should have privileges
to the additional resources.

Hope this helps!

Regards,
Vishal



--
vn
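The steps Vishal describes, as an added example that is not code from the thread or from HashiCorp: the identity API payloads for the entity and its alias, a reader that separates a token lookup's backend-granted `policies` from the entity-granted `identity_policies`, and an optional sender for a live Vault. The lookup data, entity id and mount accessor below are constructed placeholders, not values from a real deployment.

```python
"""Entity/alias workflow helpers (added example; sample data is constructed)."""
import json
import os
import urllib.request


def entity_request(name, policies):
    # Body for POST /v1/identity/entity; these become "identity_policies"
    return {"name": name, "policies": list(policies)}


def alias_request(username, mount_accessor, entity_id):
    # Body for POST /v1/identity/entity-alias; an alias is the pair
    # (login name, accessor of the auth mount) bound to an entity
    return {"name": username, "mount_accessor": mount_accessor,
            "canonical_id": entity_id}


def effective_policies(lookup_data):
    # Policies a token actually carries: backend-granted plus entity-granted
    return sorted(set(lookup_data.get("policies", []))
                  | set(lookup_data.get("identity_policies", [])))


def policy_sources(lookup_data):
    # Explain where each policy came from, and whether the entity has any
    backend = set(lookup_data.get("policies", []))
    entity = set(lookup_data.get("identity_policies", []))
    return {"backend_only": sorted(backend - entity),
            "entity_only": sorted(entity - backend),
            "entity_has_policies": bool(entity)}


def vault_post(path, payload):
    # Optional: send a payload to a live Vault (needs VAULT_ADDR, VAULT_TOKEN)
    req = urllib.request.Request(
        f"{os.environ['VAULT_ADDR']}/v1/{path}", method="POST",
        data=json.dumps(payload).encode(),
        headers={"X-Vault-Token": os.environ["VAULT_TOKEN"]})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed "token lookup" data for the question's situation: "admin" came
# from auth/userpass, the auto-created entity carries no policies.
BEFORE = {"policies": ["admin", "default"], "identity_policies": [],
          "entity_id": "<placeholder-entity-id>"}
# Constructed data for the same user after a policy is set on the entity.
AFTER = {"policies": ["admin", "default"],
         "identity_policies": ["team-reader"],
         "entity_id": "<placeholder-entity-id>"}

if __name__ == "__main__":
    print(alias_request("test", "<placeholder-accessor>", BEFORE["entity_id"]))
    print(policy_sources(BEFORE), policy_sources(AFTER))
```

The `entity_has_policies` flag is the check for the blank entity page in the question: `admin` appears under `policies` because userpass granted it, while the entity itself has nothing until a policy is set on it.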

Daniel Fluk

Jun 26, 2018, 3:38:12 AM6/26/18
to Vault

Thank you for the fast response, it helped a lot!


On Monday, June 25, 2018 at 05:58:10 UTC-7, Daniel Fluk wrote: