oidc - access to multiple roles if have multiple groups in claim


Tech S

May 19, 2020, 10:37:26 AM
to Vault
Hi All,

I am using OIDC for Vault authentication and currently using the group claim for role-based access. I have created multiple roles and mapped them to different groups using bound_claims. These groups are returned by the OIDC provider.

There is a high possibility of a user having access to multiple groups/roles. Is there any way to get access to all the roles based on the groups returned by the OIDC provider? Currently, we need to specify the role while logging in, and in this case Vault will just pick up only the one role which we have specified while logging in.

Leaving the role blank will just check for the default role configured in the auth method, not all the available roles.


Appreciate your help.

Vasilyev Viacheslav

May 19, 2020, 4:24:31 PM
to Vault
imo it is not possible to have such a flexible many-to-many roles/policies mapping between the identity in the IdP and the identity entity in Vault; the closest way to achieve something similar would be an identity group with several policies attached to it

Tech S

May 20, 2020, 10:40:05 AM
to Vault
Hi,

I am not looking for a many-to-many roles/policies mapping. Just that if the claim returns multiple groups, Vault should load all the roles with matching groups and provide the combined access privileges.

Jeff LOMBARDO

May 21, 2020, 8:25:51 AM
to vault...@googlegroups.com
Your definition is what is called many-to-many.

If each group returned matches a policy, it sounds like you cannot, as of now, have the many policies that result from matching those many groups.

Vault seems to stop at the first match. So the recommendation here is to have this first matching group assigned to all the necessary policies.

That is effectively not ideal because it means that you must have one master group per interesting permutation of groups.

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/2a0ae275-babe-4c66-97f9-5df6599ea887%40googlegroups.com.

Tech S

May 21, 2020, 10:35:43 AM
to Vault
Thanks Jeff for the explanation.
It would be difficult to create master groups for those accesses because there are multiple groups per project and team.
I was thinking that all the policies could be applied based on the groups, something like:

for each group in claims:
    get matching role.policies
and grant access based on the list of policies.

Thanks

Ryan Long

May 21, 2020, 11:04:50 AM
to Vault
I have a similar need, but using the JWT auth backend. In our case we work around this limitation by using a single role on the auth backend and letting the groups in the JWT claim determine policies. Our security model lends itself to that approach, as we can get away with providing the same token lifetimes, renewability, etc. to all users, with only the policy differing.

Eric Horst

May 21, 2020, 5:51:09 PM
to vault...@googlegroups.com
On Wed, May 20, 2020 at 7:40 AM Tech S <techsi...@gmail.com> wrote:

I am not looking for a many-to-many roles/policies mapping. Just that if the claim returns multiple groups, Vault should load all the roles with matching groups and provide the combined access privileges.

Tech S, I'm seeing some incorrect information here. This works fine for us. We have OIDC set up. When the OIDC claim for a user includes multiple groups, then the user will be a member of all the claimed groups on the Vault side (if those groups exist already). In our setup each group has a different policy. The user's access will be the aggregation of the policies from all the groups they are a member of.

-Eric


Tech S

May 25, 2020, 1:49:22 PM
to Vault
Thanks Eric. Vault is behaving differently in my case.

I have configured a default role as part of the OIDC auth config.
Here are 2 cases:
1. When I don't specify any role at the time of login: Vault just gives access based on the default role.
2. When I specify a different role at the time of login: Vault provides access based on the policies of the specified role.

Am I missing any configuration here?

Sample role structure:

Role1:
{
    "policies": [ "policy1" ],
    "bound_claims": {
        "custom_groups": [ "group1" ]
    },
    "groups_claim": "groups",
    "oidc_scopes": "groups"
}

Role2:
{
    "policies": [ "policy2" ],
    "bound_claims": {
        "custom_groups": [ "group2" ]
    },
    "groups_claim": "groups",
    "oidc_scopes": "groups"
}

Eric Horst

May 26, 2020, 6:42:48 PM
to vault...@googlegroups.com
It sounds like your group memberships are not working.

For each OIDC group you will need to make an External Group in Vault which links to the OIDC group. The External Group has to be created before it is used. The external group is where you attach policies.

When an OIDC user logs into Vault, the groups in the group claim will match up to the Vault External Groups and the OIDC user will show up as a member of the Vault group. If a group name is in the groups claim but there is no pre-defined external group then it will be ignored.

You will know your claims are working when you can see the OIDC users as members in the Vault external group entities.

There is quite a bit of extra setup to do here. With all of this in place, then when you don't specify a role at time of login you will get the default role PLUS any/all roles associated with the external groups you are claimed to be a member of.

-Eric


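The mechanics Eric describes, as an added example that is not part of the thread or of Vault's own code: a small model of how the effective policies of an OIDC login are assembled. Role selection is gated by bound_claims, and extra policies come only from external identity groups whose alias names match values in the groups claim; the role names, policy names and claim values are constructed sample data.

```python
# Added example: models the policy aggregation discussed in the thread.
# It is not Vault's implementation; real Vault also merges entity policies
# and mount defaults, which this model leaves out.
from dataclasses import dataclass


@dataclass
class Role:
    name: str
    policies: list          # token policies granted by the role itself
    bound_claims: dict      # claim name -> list of acceptable values
    groups_claim: str = "groups"


def bound_claims_match(role, claims):
    """Every bound claim must be present and share at least one value."""
    for key, allowed in role.bound_claims.items():
        have = claims.get(key)
        if have is None:
            return False
        values = have if isinstance(have, list) else [have]
        if not set(values) & set(allowed):
            return False
    return True


def effective_policies(role, claims, external_groups):
    """Return (login_ok, sorted policies).

    external_groups maps an alias name (the group value as sent by the IdP)
    to the policies attached to that pre-created external group. Claimed
    groups with no external group are ignored, as Eric notes."""
    if not bound_claims_match(role, claims):
        return False, []
    policies = set(role.policies)
    claimed = claims.get(role.groups_claim, [])
    for group in (claimed if isinstance(claimed, list) else [claimed]):
        policies.update(external_groups.get(group, []))
    return True, sorted(policies)


# Constructed sample data mirroring the two roles in the thread.
ROLE1 = Role("role1", ["policy1"], {"groups": ["group1"]})
ROLE2 = Role("role2", ["policy2"], {"groups": ["group2"]})
CLAIMS = {"sub": "alice", "groups": ["group1", "group2"]}

if __name__ == "__main__":
    # No external groups: only the chosen role's policies (the poster's symptom).
    print(effective_policies(ROLE1, CLAIMS, {}))
    # External groups aliased group1/group2: policies aggregate across both.
    print(effective_policies(ROLE1, CLAIMS, {"group1": ["policy1"], "group2": ["policy2"]}))
```

A quick way to confirm the external groups are wired up in a real deployment is to check that the logged-in entity appears as a member of each group after login, which is the check Eric suggests.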

Tech S

May 27, 2020, 11:10:49 AM
to Vault
Hi Eric,

Yes, I have not mapped any external groups. Let me try that. I'll get back to you.