New Vault UI Implementation


frederick...@made.com
Apr 12, 2018, 5:33:09 AM
to Vault
Hi all,

We've recently upgraded to the new 0.10.0 version, and thought we'd have a look into the included UI as it's now included.

Setup was simple enough, however we're seeing some odd behaviour when logging in using a Github token.

We originally had the error:

```
Your auth token does not have access to sys/mounts. This is necessary in order to browse secret backends.

Make sure the policy for the path sys/mounts has capabilities = ['list', 'read'].
```

I've created a new policy specifically for UI access and assigned it to all Github teams we allow vault login from.

I've added the required sys/mounts permissions and users can now see a list of the various secret engines we have.

However, when they try and drill down into a specific secret they are told they don't have permission.

As an example, I have a user on team foo; the policy assigned to them looks like:

```hcl
path "secret/foo/*" {
    policy = "write"
}
```

However, when they go into secret initially they can't see anything. I'm guessing this is correct as they have no explicit permissions for the path secret/*.

But what is best practice here?

I want original team permissions respected.


Jeff Mitchell
Apr 12, 2018, 7:22:05 AM
to Vault
Hi there,

There's a bug with kv-v1 handling affecting the UI in 0.10. It'll be fixed in 0.10.1. (It also affects 'vault kv' for v1 mounts, just continue using 'vault write/read' for those.)

Best,
Jeff


Matthew Irish
Apr 12, 2018, 12:36:22 PM
to vault...@googlegroups.com
Hello,

Though what Jeff said about a bug in 0.10 around capabilities checks in KV is true, the behavior you describe is currently intended. You have to have access from the root of the mount to be able to navigate to secrets below the root via the UI. You could provide the 'capabilities = ["list"]' for the policy paths above where your users need to operate.

We're continuing to think of better ways to approach this, but there's no obvious answer and it's not an issue with the CLI, which is purely path-based.

Cheers,
Matthew

stev...@target.com
Apr 12, 2018, 4:03:54 PM
to Vault
To read secrets through the UI, do we need to add the following?

```hcl
path "secret/*" { capabilities = ["list"] }
```
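An added example, not from any poster in this thread or from Vault itself, that models Matthew's navigation rule and stev's question: it resolves which capabilities a policy grants on each prefix the UI walks through and reports what is missing. It assumes explicit capability lists (not the `policy = "write"` shorthand), simplified glob matching (a trailing `*` is a prefix match, longest match wins), the team name `foo` from the thread, and a made-up secret name.

```python
# Constructed example: models the UI navigation rule described above.
# Policy rules are written as {path: set_of_capabilities}; explicit
# capabilities only (no "policy = write" shorthand), glob matching is the
# simplified trailing-'*' prefix form, team "foo" is taken from the thread
# and the secret name is made up.
TEAM_ONLY = {
    "secret/foo/*": {"create", "read", "update", "delete", "list"},
}
# Hardened variant: "list" on the mount root so the UI can walk down to the
# team prefix. Granting list on "secret/*" instead would also work but lets
# the token enumerate every other team's key names.
UI_FRIENDLY = {
    "sys/mounts": {"read", "list"},
    "secret/": {"list"},
    "secret/foo/*": {"create", "read", "update", "delete", "list"},
}


def capabilities_for(policy, path):
    """Resolve the capabilities the policy grants on `path` (simplified):
    an exact rule wins, otherwise the longest matching '*' prefix rule."""
    if path in policy:
        return set(policy[path])
    best_len, caps = -1, set()
    for rule, rule_caps in policy.items():
        if rule.endswith("*") and path.startswith(rule[:-1]) and len(rule) > best_len:
            best_len, caps = len(rule), set(rule_caps)
    return caps


def ui_requirements(secret_path):
    """Operations the UI performs to browse down to `secret_path`: read+list
    on sys/mounts, list on every parent prefix, read on the leaf."""
    reqs = [("sys/mounts", "read"), ("sys/mounts", "list")]
    parts = secret_path.split("/")
    for i in range(1, len(parts)):
        reqs.append(("/".join(parts[:i]) + "/", "list"))
    reqs.append((secret_path, "read"))
    return reqs


def missing_for_ui(policy, secret_path):
    """(path, capability) pairs a token holding `policy` lacks for the UI."""
    return [(p, c) for p, c in ui_requirements(secret_path)
            if c not in capabilities_for(policy, p)]


if __name__ == "__main__":
    for name, pol in (("TEAM_ONLY", TEAM_ONLY), ("UI_FRIENDLY", UI_FRIENDLY)):
        print(name, "missing:", missing_for_ui(pol, "secret/foo/db-password"))
```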

frederick...@made.com
Apr 13, 2018, 4:34:54 AM
to Vault
Thanks to both of you for your responses.

We'll try editing our permissions a bit to see if we can get any closer to what we want.

We'll also wait for the next version and upgrade when it's released.

Thanks again