Re: [vault] Vault write command gives permission denied even with admin policy


Lowe Schmidt

Jul 31, 2018, 1:50:50 AM
to vault...@googlegroups.com
If I remember correctly, * is not regexp but matches all keys under a path.
That means that secret/* will match all _keys_ under secret but not nested paths.
If you try to write a value “secret/asd” what do you get back?
On Mon, 30 Jul 2018 at 20:26, Tw3rp <rahuld...@gmail.com> wrote:
What I do? 

I try doing vault login with ldap and I get logged in with the tokens and policies

$ vault login -method=ldap username=<username>


Key                    Value
---                    -----
token                  <token>
token_accessor         <token_accessor>
token_duration         768h
token_renewable        true
token_policies         [admin default read-only]
token_meta_username    <username>


The following is the policy description

$ vault policy read admin

...
# enable secret permissions
path "secret/*"
{
  capabilities = ["create", "read", "update", "delete", "sudo", "list"]
}
# no denys in the policy
....

$ vault policy read read-only
...
path "secret/*" { policy = "read" }
# No denys in the policy either
...

When I try to write a secret I get

$ vault write secret/v1/sadasdasd value='<random stuff>'

I get 
Error writing data to secret/non-prod/v1/sadasdasd: Error making API request.

URL: PUT https://<url>/secret/v1/sadasdasd
Code: 403. Errors:

* permission denied

What I expect? 

The write should work

Workaround

This works when I create a token with only admin policy and write to that path. But does not solve the ldap issue.

If anyone has any info it's very much appreciated! Thanks!





--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/9477e525-6a96-4f7c-9a95-8fd6baa2b086%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Tw3rp

Aug 1, 2018, 1:03:43 PM
to Vault
Hi Lowe,

I have tried to use a token only with the admin policy and the same write command works

Thanks

Carlos Vitor Barros

Aug 1, 2018, 1:48:18 PM
to vault...@googlegroups.com
How is your map for LDAP configured?


You have to make sure the user logging in has a group or direct mapping to the admin policy you're referring to. Or else, you'll get the "default" policy when logging in.
I'd reckon that is the problem, since the token created for the admin policy works.

Regards,


Tw3rp

Aug 1, 2018, 2:25:47 PM
to Vault
When I login with ldap I get the following policy

Key                    Value
---                    -----
token                  <token>
token_accessor         <token-accessor>
token_duration         768h
token_renewable        true
token_policies         [admin default read-only]
token_meta_username    <username>

Note that it has both admin and read-only, so I think there is an issue with the mapping.

On Wednesday, August 1, 2018 at 10:48:18 AM UTC-7, Carlos Vitor Barros wrote:
How is your map for LDAP configured?


You have to make sure the user logging in has a group or direct mapping to the admin policy you're referring to. Or else, you'll get the "default" policy when logging in.
I'd reckon that is the problem, since the token created for the admin policy works.

Regards,
On Wed, Aug 1, 2018 at 7:03 PM, Tw3rp <rahuld...@gmail.com> wrote:
Hi Lowe,

I have tried to use a token only with the admin policy and the same write command works

Thanks


Carlos Vitor Barros

Aug 1, 2018, 3:47:29 PM
to vault...@googlegroups.com
In that case, the read-only is a more restrictive policy, so that will indeed be enforced.
Try checking the mapping and removing read-only policy for your ldap user. 

Regards,


Tw3rp

Aug 1, 2018, 4:05:53 PM
to Vault
But what happens if a user has multiple roles in LDAP? Isn't it common to be in multiple groups, like managers and employees? Then you would have managers with the admin policy as well as read-only.

Carlos Vitor Barros

Aug 1, 2018, 4:30:38 PM
to vault...@googlegroups.com
I understand the case, but I'm not sure how Vault handles "merging" the overlapping capabilities for both policies. Maybe the most specific one is used, I don't know.
You can try troubleshooting by removing the "read-only" policy. If that works, you configure your mappings for LDAP differently depending on the role.

I'm not familiar with the LDAP auth method configuration, by the way.

Regards,


On Wed, Aug 1, 2018 at 10:05 PM, Tw3rp <rahuld...@gmail.com> wrote:
But what happens if a user has multiple roles in LDAP? Isn't it common to be in multiple groups, like managers and employees? Then you would have managers with the admin policy as well as read-only.

Jeff Mitchell

Aug 1, 2018, 4:49:54 PM
to Vault
Hi,

What are the full policies for admin and read-only? Have you modified default, and if so, what is your full default policy?

Best,
Jeff

On Wed, Aug 1, 2018 at 4:30 PM Carlos Vitor Barros <carlosvi...@gmail.com> wrote:
I understand the case, but I'm not sure how Vault handles "merging" the overlapping capabilities for both policies. Maybe the most specific one is used, I don't know.
You can try troubleshooting by removing the "read-only" policy. If that works, you configure your mappings for LDAP differently depending on the role.

I'm not familiar with the LDAP auth method configuration, by the way.

Regards,

On Wed, Aug 1, 2018 at 10:05 PM, Tw3rp <rahuld...@gmail.com> wrote:
But what happens if a user has multiple roles in LDAP? Isn't it common to be in multiple groups, like managers and employees? Then you would have managers with the admin policy as well as read-only.

Tw3rp

Aug 1, 2018, 6:18:29 PM
to Vault
I have already shared the whole policy; here is a link: https://groups.google.com/d/msg/vault-tool/FSGSuk31p8A/X23hm8DxBgAJ. And no, I have not changed the default policy.

Tw3rp

Aug 1, 2018, 6:20:14 PM
to Vault
FYI, since a new thread was created, sharing the original again.

Error writing data to secret/v1/sadasdasd: Error making API request.

URL: PUT https://<url>/secret/v1/sadasdasd
Code: 403. Errors:

* permission denied

What I expect? 

The write should work

Workaround

This works when I create a token with only admin policy and write to that path. But does not solve the ldap issue.

If anyone has any info it's very much appreciated! Thanks!


Hi Jeff, 

Of course! It is

For policy read-only it is

path "secret/*" { policy = "read" }


For policy admin it is

# Manage auth methods broadly across Vault
path "auth/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# List, create, update, and delete auth methods
path "sys/auth/*"
{
  capabilities = ["create", "read", "update", "delete", "sudo"]
}

# enable audit permissions
path "sys/audit/*"
{
  capabilities = ["create", "read", "update", "delete", "sudo", "list"]
}

# enable secret permissions
path "secret/*"
{
  capabilities = ["create", "read", "update", "delete", "sudo", "list"]
}

# read auth methods
path "sys/audit" {
  capabilities = ["list", "read", "sudo"]
}

# enable stepdown permissions for stepping down a leader
path "sys/step-down/*"
{
  capabilities = ["create", "read", "update", "delete", "sudo", "list"]
}

# list step down permission
path "sys/step-down" {
  capabilities = ["create", "update", "list", "read", "sudo"]
}

# read auth methods
path "sys/auth" {
  capabilities = ["read"]
}

path "auth/token/create" {
  capabilities = ["create", "read", "update", "list"]
}

# List existing policies
path "sys/policy"
{
  capabilities = ["read"]
}

# Create and manage ACL policies broadly across Vault
path "sys/policy/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# List, create, update, and delete key/value secrets
path "secret/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Manage and manage secret engines broadly across Vault.
path "sys/mounts/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Read health checks
path "sys/health"
{
  capabilities = ["read", "sudo"]
}

Thanks,

Carlos Vitor Barros

Aug 2, 2018, 4:10:07 AM
to vault...@googlegroups.com
Hello,

You've written the read-only policy as follows:

path "secret/*" { policy = "read" }

Shouldn't it be:

path "secret/*" { capabilities = ["read"] }

Regards,


Tw3rp

Aug 7, 2018, 6:00:27 PM
to Vault
Thanks for all your help.

I tried updating the policy to have capabilities, but it did not work.

What worked was having write access on specific paths in the admin policy

# admin policy
path "secret/folder/*"
{
  capabilities = ["create", "read", "update", "delete", "sudo", "list"]
}

and having read-only policy on that folder

# read-only policy
path "secret/folder*"
{
  capabilities = ["read", "list"]
}

Sorry about not providing enough details earlier on. This might help someone else who faces this issue.
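As an added illustration (not code from this thread or from Vault itself), the following Python model applies the ACL evaluation rules from Vault's policy documentation to the two configurations discussed above: the longest matching rule path across all attached policies decides a request, identical paths in several policies merge as a union of capabilities, and "deny" anywhere wins. The rule semantics and the request paths are assumptions of the example; it does not explain the original 403, it only shows how the two rule sets compare under those documented rules.

```python
# Toy model of Vault's documented ACL merging (added example, not Vault's code).
# Assumed semantics (from the Vault policy docs, not from this thread):
#   - a rule path ending in "*" is a prefix match, anything else is an exact match
#   - the longest matching rule path across all attached policies decides a request
#   - identical paths in several policies merge as a union of capabilities,
#     except that "deny" in any of them wins

def merge_policies(policies):
    """policies: list of {rule_path: set(capabilities)} -> one merged dict."""
    merged = {}
    for pol in policies:
        for path, caps in pol.items():
            have = merged.get(path, set())
            merged[path] = {"deny"} if "deny" in have | caps else have | caps
    return merged

def capabilities_for(merged, request_path):
    """Capabilities granted on request_path: the longest matching rule path wins;
    a path matched by no rule is denied (Vault is deny by default)."""
    best, best_len = {"deny"}, -1
    for rule_path, caps in merged.items():
        if rule_path.endswith("*"):
            hit = request_path.startswith(rule_path[:-1])
        else:
            hit = request_path == rule_path
        if hit and len(rule_path) > best_len:
            best, best_len = caps, len(rule_path)
    return set(best)

def allowed(merged, request_path, capability):
    caps = capabilities_for(merged, request_path)
    return "deny" not in caps and capability in caps

# Scenario 1: the thread's original policies, both on "secret/*" (constructed from the posts).
ADMIN = {"secret/*": {"create", "read", "update", "delete", "sudo", "list"}}
READ_ONLY = {"secret/*": {"read"}}
ORIGINAL = merge_policies([ADMIN, READ_ONLY])

# Scenario 2: the workaround, admin on "secret/folder/*" and read-only on "secret/folder*".
ADMIN_FOLDER = {"secret/folder/*": {"create", "read", "update", "delete", "sudo", "list"}}
READ_ONLY_FOLDER = {"secret/folder*": {"read", "list"}}
WORKAROUND = merge_policies([ADMIN_FOLDER, READ_ONLY_FOLDER])

if __name__ == "__main__":
    print(sorted(capabilities_for(ORIGINAL, "secret/v1/sadasdasd")))  # union, includes create
    print(allowed(WORKAROUND, "secret/folder/v1/x", "create"))        # True: longer rule wins
    print(allowed(WORKAROUND, "secret/folder", "create"))             # False: only read-only matches
```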