Groups via CLI/UI work differently


Diogo Ferreira

Jun 19, 2019, 5:30:25 AM
to Vault
Hello,

I have successfully configured LDAP authentication and defined policies.
However, when creating hashicorp groups via CLI, example:

vault write auth/ldap/groups/adm-user policies=admin

I cannot see this group in the UI, but I can see this group using CLI when running

vault list auth/ldap/groups
Keys
----
adm-user


and I can successfully login with a user in this group with the right policies.

On the other hand, when creating the group using the UI, it doesn't even work (the group appears in the UI but not when running the command vault list auth/ldap/groups).

Expected:
Using CLI or UI should give the same result.
If I create the group on UI the group should appear when I run vault list /auth/ldap/groups and vice-versa.

Versions:
HashiCorp Vault Version: 1.1.3

Thanks

David Adams

Jun 19, 2019, 6:57:38 AM
to vault...@googlegroups.com
Looks like the "Groups" panel under the "Access" tab in the UI is listing groups defined in the identity system (using the Chrome dev tools, I can see that it requests `v1/identity/groups/id?list=true`). It's not 100% clear to me what the best practice is for using the identity system's group concept. Looks like the "Internal vs External Groups" topic on the identity docs (https://www.vaultproject.io/docs/secrets/identity/index.html#external-vs-internal-groups) may cover the details. But basically you would need to manually map LDAP-provider-based groups to identity system groups before anything would show up in that list.

It would be nice if you could work with groups and users of Auth providers thru the UI, but that's not possible yet. Looks like it's been discussed on Github, though: https://github.com/hashicorp/vault/issues/6067

Given how the backends work, this would probably be a complicated feature to provide in a general way. I'm hoping the OpenAPI tidbits I'm seeing in the Changelog will ultimately provide a way for a UI to use API reflection to dynamically generate an interface for a backend.


Diogo Ferreira

Jun 19, 2019, 9:02:43 AM
to Vault
Thank you very much @David Adams

Diogo Ferreira

Jun 19, 2019, 12:38:13 PM
to Vault
OK, so I investigated a bit deeper...

UI:
I am able to create an external group which maps to an alias of an LDAP group mounted in auth/ldap

CLI:
I am able to write the LDAP group to /auth/ldap/groups/ by running vault write auth/ldap/groups/<group-name> policies=admin

So here everything looks fine!

UI:
When I log in with an LDAP user which belongs to the group added in the UI, the user that I used to log in is now an entity, and if I see the members of the group I created, this entity belongs to that group :)
However, when running vault list auth/ldap/groups or running vault list auth/ldap/users in CLI, I receive No value found at auth/ldap/groups and No value found at auth/ldap/users.

CLI:
When I log in with an LDAP user which belongs to the group added in the CLI, the user that I used to log in is now an entity, but it doesn't appear in the group in the UI because that group doesn't even exist.
However, when running vault list auth/ldap/groups, I can see the group.
When running vault list auth/ldap/users, I receive No value found at auth/ldap/users.

This is definitely a bug.
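The manual mapping David Adams describes (an identity external group whose alias points at the LDAP auth mount), and which Diogo then reproduced by hand in the UI, can be scripted against Vault's HTTP API. The following is an added example, not code from this thread or from HashiCorp: the endpoint paths (sys/auth, identity/group, identity/group-alias, identity/group/name/<name>) are the documented identity API, while the VaultClient helper, the sample sys/auth response, and the group and policy names ("adm-user", "ldap-admins", "admin") are constructed for illustration.

```python
"""Map an LDAP auth-method group to a Vault identity external group.

Added example (not from the thread or from HashiCorp). It does, via the
HTTP API, what the UI's Access -> Groups panel does by hand: create an
external group and attach a group-alias keyed by the LDAP mount's accessor.
Only the identity group becomes visible in the UI; auth/ldap/groups/<name>
remains a separate, auth-method-local policy mapping.
"""
import json
import os
import urllib.request

# Constructed sample of a GET sys/auth response (not captured from a server).
# Vault returns the mount table under "data" (and, for older clients, at top level).
SAMPLE_AUTH_LIST = {
    "data": {
        "ldap/": {"type": "ldap", "accessor": "auth_ldap_0123abcd"},
        "token/": {"type": "token", "accessor": "auth_token_deadbeef"},
    }
}


def find_mount_accessor(auth_list, mount_path="ldap/"):
    """Return the accessor of an auth mount; aliases are keyed by accessor, not by path."""
    table = auth_list.get("data", auth_list)
    key = mount_path.strip("/") + "/"
    if key not in table:
        raise KeyError(f"auth mount {key!r} is not enabled")
    return table[key]["accessor"]


def external_group_payload(name, policies):
    """Body for POST identity/group: an external group whose membership comes from its alias."""
    return {"name": name, "type": "external", "policies": list(policies)}


def group_alias_payload(ldap_group, accessor, canonical_id):
    """Body for POST identity/group-alias: the alias name must equal the LDAP group name."""
    return {"name": ldap_group, "mount_accessor": accessor, "canonical_id": canonical_id}


class VaultClient:
    """Minimal token-authenticated client for the endpoints used here (hypothetical helper)."""

    def __init__(self, addr, token):
        self.addr = addr.rstrip("/")
        self.token = token

    def request(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(f"{self.addr}/v1/{path}", data=data, method=method)
        req.add_header("X-Vault-Token", self.token)
        if data is not None:
            req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}  # 204 No Content -> {}

    def map_ldap_group(self, ldap_group, group_name, policies, mount_path="ldap/"):
        """Create (or reuse) the external group and alias it to the LDAP group."""
        accessor = find_mount_accessor(self.request("GET", "sys/auth"), mount_path)
        created = self.request("POST", "identity/group", external_group_payload(group_name, policies))
        if created:
            group_id = created["data"]["id"]
        else:  # group already existed: POST updated it and returned no body
            group_id = self.request("GET", f"identity/group/name/{group_name}")["data"]["id"]
        alias = self.request("POST", "identity/group-alias",
                             group_alias_payload(ldap_group, accessor, group_id))
        return group_id, alias["data"]["id"]


if __name__ == "__main__":
    # Reads the same environment variables the vault CLI uses.
    client = VaultClient(os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"])
    gid, aid = client.map_ldap_group("adm-user", "ldap-admins", ["admin"])
    print(f"external group {gid} aliased to LDAP group 'adm-user' via alias {aid}")
```

After this runs, an LDAP login by a member of adm-user produces an entity that the UI shows as a member of ldap-admins, which is the behaviour Diogo saw for the group he created in the UI. The alias is looked up by the LDAP group name, so it must match the group name the LDAP auth method reports at login; and creating a second alias with the same name on the same mount is rejected by Vault, so re-running the script for an existing mapping fails at the alias step.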