Policy with multiple paths


Kartikeya Puri

Jun 13, 2016, 9:25:53 AM
to Vault
Hi,

I am trying to create a policy for users wherein they get access to multiple paths, i.e. their private path and a "group secret" path based on their group membership. For example:

{
  "name": "kartikeya.puri",
  "rules": "path \"secret/usr/kartikeya.puri*\" {capabilities = [\"create\", \"list\", \"read\", \"update\", \"delete\"]} path \"secret/group/mygroup*\" {capabilities = [\"create\", \"list\", \"read\", \"update\", \"delete\"]}"
}

While I am able to create the policy using REST APIs, a token generated using this policy would not be able to access this data. Am I doing something wrong (which I am sure I am)?
Regards,
Kartik

vishal nayak

Jun 14, 2016, 2:08:55 PM
to vault...@googlegroups.com
Hi Kartikeya,

There seems to be nothing wrong with the policy rules.

How are you generating the token?
Is the lookup on the token showing the policy name which you assigned while creating the policy using the API?

It will be helpful if you can list the steps you took.

I created a token with the above mentioned policy and was able to read the secrets successfully.

Regards,
Vishal

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/785fb3da-52d9-4571-a6bc-b1b7c0c979c2%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
vn

Kartikeya Puri

Jun 16, 2016, 9:29:37 AM
to Vault
Hi Vishal,

I should have updated here earlier. It was a silly mistake from my end, wherein my web frontend had a logical flaw. I did get it to work, but later I abandoned this method and went ahead with creating two different policies (one for the user's vault and another for a shared group vault). During token generation I provide both policies as a parameter to get a token that has full access to the paths specified in both policies.

Right now I am in self critic mode and refactoring (hopefully optimizing) the code as much as possible. I should be able to release it for everyone's scrutiny soon.

Regards,
Kartik
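The two approaches in this thread, one policy carrying two path stanzas (the first post) versus one policy per path attached together at token creation (the last post), can be checked offline. The script below is an added example for this thread, not Vault's code and not anything the posters ran; it contacts no server. It builds the JSON bodies for the policy and token-create API calls and then evaluates which capabilities a token would have on a given path, using the matching rules Vault documents: a path ending in `*` is a prefix glob and any other path matches exactly; within one policy the longest matching path wins; across a token's policies the capabilities are unioned; and `deny` overrides everything. The policy names `user-<name>` and `group-<name>` and the example paths are constructed for illustration.

```python
"""Offline model of how HashiCorp Vault combines policy paths and
policies.  Added example for this thread; it is not Vault's own code and
does not contact a server.  Matching rules assumed here: a path ending
in '*' is a prefix glob, any other path matches exactly; inside one
policy the longest matching path wins; across a token's policies
capabilities are unioned; 'deny' overrides everything."""
import json
import re

FULL = ["create", "list", "read", "update", "delete"]

# One 'path "..." { capabilities = [...] }' stanza in an HCL rules string.
RULE_RE = re.compile(
    r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*(\[[^\]]*\])\s*\}')


def policy(name, paths):
    """Build the JSON body for PUT /v1/sys/policy/<name>.

    `paths` maps a path pattern to its capability list; the rules string
    is HCL, in the same shape as the policy in the first post."""
    rules = " ".join('path "%s" {capabilities = %s}' % (p, json.dumps(c))
                     for p, c in paths.items())
    return {"name": name, "rules": rules}


def user_and_group_policy(user, group):
    """Single policy with two path stanzas (the first post's approach)."""
    return policy(user, {"secret/usr/%s*" % user: FULL,
                         "secret/group/%s*" % group: FULL})


def split_policies(user, group):
    """Two policies, one per path (the approach the poster settled on).
    The 'user-' and 'group-' name prefixes are constructed for this example."""
    return (policy("user-" + user, {"secret/usr/%s*" % user: FULL}),
            policy("group-" + group, {"secret/group/%s*" % group: FULL}))


def token_request(policies):
    """Body for POST /v1/auth/token/create attaching several policies."""
    return {"policies": [p["name"] for p in policies]}


def parse_rules(rules):
    """Return [(path_pattern, {capabilities}), ...] from an HCL rules string."""
    return [(p, set(json.loads(c))) for p, c in RULE_RE.findall(rules)]


def matches(pattern, path):
    """Trailing '*' is a prefix glob; otherwise the match must be exact."""
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern


def capabilities(policies, path):
    """Effective capabilities of a token holding `policies` on `path`."""
    caps = set()
    for pol in policies:
        hits = [(p, c) for p, c in parse_rules(pol["rules"]) if matches(p, path)]
        if hits:
            # most specific (longest) path wins within a single policy
            caps |= max(hits, key=lambda h: len(h[0]))[1]
    # a deny from any policy overrides every other capability
    return {"deny"} if "deny" in caps else caps


def allowed(policies, path, cap):
    return cap in capabilities(policies, path)


if __name__ == "__main__":
    single = user_and_group_policy("kartikeya.puri", "mygroup")
    user_pol, group_pol = split_policies("kartikeya.puri", "mygroup")
    print(json.dumps(single, indent=2))
    print(json.dumps(token_request([user_pol, group_pol])))
    for path in ("secret/usr/kartikeya.puri/db", "secret/group/mygroup/api",
                 "secret/usr/someone.else/db"):
        print(path, sorted(capabilities([user_pol, group_pol], path)))
```

The split approach is the easier one to audit: a token's `lookup` output lists its policy names, so whether the group policy was attached at creation time is visible at a glance, whereas with a single combined policy the path list has to be read out of the rules string to see what the token can reach.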