admin policy for root namespace


Vikram Dulani

Sep 16, 2019, 12:18:42 PM
to Vault
We have two admin policies, full admin (for break glass scenarios) with path "*" and a more fine grained limited admin policy for regular administration. The limited admin policy is similar to one specified here: https://www.hashicorp.com/resources/policies-vault#admin. We added the following to the limited admin policy to make it work with Vault namespaces:

# Manage namespaces
path "sys/namespaces/*" {
   capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

However, with this I am only able to list and create namespaces at the root level. I am unable to access any of the child/nested namespaces. Also the UI doesn't render the namespace picker. Everything works great with the full admin policy. 

Note this also works when I explicitly set the namespace path in the policy i.e.

# Manage namespaces
path "ns1/sys/namespaces/*" {
   capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Manage namespaces
path "ns1/ns2/sys/namespaces/*" {
   capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

AFAIK, wildcarding "*" only works at the end of the path? 

We need the root admins to be able to access and manage child namespaces. Is there a way to accomplish this without using a rather dangerous full admin policy? We are on Vault 1.2.0
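Added example, not Vault's code and not posted by anyone in this thread: a toy model of the two policy-path rules that explain what the question reports. A root-namespace token calling into a child namespace is checked against the namespace-prefixed path ("ns1/sys/namespaces/..."), so a root-level "sys/namespaces/*" never matches it; "*" is only a trailing glob; and the "+" single-segment wildcard (available since Vault 1.1, assumed here) reaches exactly one level of children, never nested ones. Vault's real evaluator also does longest-prefix selection and deny precedence, which are omitted because they do not affect this case.

```python
"""Toy model of Vault ACL path matching (added example, not Vault's code).

Kept rules:
  * a trailing "*" is a glob matching any suffix, and "*" is valid only there;
  * a segment that is exactly "+" matches one path segment (Vault >= 1.1);
  * a parent-namespace token calling into a child namespace is evaluated
    against the namespace-prefixed request path.
Left out: longest-prefix rule selection and deny precedence.
"""
import re

ADMIN_CAPS = {"create", "read", "update", "delete", "list", "sudo"}

# The policy variants from the question, plus one using the "+" wildcard.
ROOT_ONLY = {"sys/namespaces/*": ADMIN_CAPS}
EXPLICIT = {
    "sys/namespaces/*": ADMIN_CAPS,
    "ns1/sys/namespaces/*": ADMIN_CAPS,
    "ns1/ns2/sys/namespaces/*": ADMIN_CAPS,
}
# Segment wildcard: covers direct children of root, but not nested namespaces.
ONE_LEVEL = {"sys/namespaces/*": ADMIN_CAPS, "+/sys/namespaces/*": ADMIN_CAPS}


def is_valid_rule(rule: str) -> bool:
    """'*' is a glob and is only permitted as the final character."""
    return "*" not in rule[:-1]


def rule_to_regex(rule: str) -> "re.Pattern[str]":
    """Translate one policy path rule into an anchored regex."""
    if not is_valid_rule(rule):
        raise ValueError(f"'*' is only valid at the end of a path: {rule!r}")
    glob = rule.endswith("*")
    core = rule[:-1] if glob else rule
    parts = ["[^/]+" if seg == "+" else re.escape(seg) for seg in core.split("/")]
    pattern = "/".join(parts) + (".*" if glob else "")
    return re.compile("^" + pattern + "$")


def request_path(namespace: str, path: str) -> str:
    """Path the parent's policies are evaluated against for a call made into
    `namespace` ("" means the token's own, root, namespace)."""
    ns = namespace.strip("/")
    return f"{ns}/{path}" if ns else path


def check(policy: dict, namespace: str, path: str, capability: str = "list") -> bool:
    """True if any rule in `policy` grants `capability` on the request."""
    full = request_path(namespace, path)
    return any(
        rule_to_regex(rule).match(full) and capability in caps
        for rule, caps in policy.items()
    )


if __name__ == "__main__":
    targets = [("", "sys/namespaces/"), ("ns1", "sys/namespaces/"), ("ns1/ns2", "sys/namespaces/")]
    for name, policy in [("root-only", ROOT_ONLY), ("explicit", EXPLICIT), ("+ one level", ONE_LEVEL)]:
        for ns, path in targets:
            print(f"{name:12s} ns={ns or 'root':8s} list {path}: {check(policy, ns, path)}")
```

Running it shows the root-only policy granting "list" only at root, the explicit policy granting it at every level it names, and the "+" variant granting it for ns1 but not ns1/ns2; a rule such as "sys/*/namespaces" is rejected outright because "*" is not trailing.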


Calvin Leung Huang

Sep 17, 2019, 1:45:23 PM
to Vault
Hi Vikram,

It is possible to do what you've described (i.e. a token from a parent/root accessing a child namespace) without having to explicitly set ACLs for each of those namespaces at the root level. You would have to leverage identity groups in order to do so. In essence, you would set up an identity group in the child namespace that contains the admin policies, and assign an identity entity that's in the root/parent namespace as a member of that group. Once logged in as the assigned entity, the token should then be able to perform operations on that namespace that's permitted in the policy set for that group. This HashiCorp Learn guide has more detailed information on how to get this set up.


Regards,
Calvin
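The setup from the reply above as an added, runnable example (not HashiCorp's code and not from the thread), using only the documented Vault HTTP API through the Python standard library: look up the admin entity in the root namespace, install the limited admin policy inside the child namespace, create an internal group there that carries the policy and lists the root entity as a member, then verify with sys/capabilities-self. The names are assumptions: child namespace "ns1", entity "vikram", policy "ns-admin", group "ns1-admins". Running it needs Vault Enterprise (namespaces) and a token allowed to write in ns1, such as the break-glass token.

```python
"""Cross-namespace admin via an identity group (added example, not HashiCorp's code).

API calls used (all documented):
  identity/lookup/entity         (root)   find the admin entity's ID
  sys/policies/acl/<name>        (child)  install the limited admin policy
  identity/group/name/<name>     (child)  upsert group: policy + root entity member
  sys/capabilities-self          (child)  verify, as the entity, what it may now do
Assumed names: namespace "ns1", entity "vikram", policy "ns-admin", group "ns1-admins".
"""
import json
import os
import sys
import urllib.request

# Limited admin policy for the child namespace. Paths are relative to that
# namespace, so this "sys/namespaces/*" covers ns1's own children, not root's.
NS_ADMIN_POLICY = """
path "sys/namespaces/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
"""


def build_request(addr, token, namespace, method, path, body=None):
    """Describe one API call. namespace="" targets root; otherwise the
    X-Vault-Namespace header routes the call into the child namespace."""
    headers = {"X-Vault-Token": token, "Content-Type": "application/json"}
    if namespace:
        headers["X-Vault-Namespace"] = namespace.strip("/") + "/"
    return {
        "method": method,
        "url": f"{addr.rstrip('/')}/v1/{path.lstrip('/')}",
        "headers": headers,
        "body": body,
    }


def lookup_entity_request(addr, token, entity_name):
    # The entity lives in the parent (root) namespace, so no namespace header.
    return build_request(addr, token, "", "POST", "identity/lookup/entity",
                         {"name": entity_name})


def plan(addr, token, child_ns, entity_id, policy_name, group_name):
    """Writes that go into the child namespace, in order."""
    return [
        build_request(addr, token, child_ns, "PUT",
                      f"sys/policies/acl/{policy_name}", {"policy": NS_ADMIN_POLICY}),
        build_request(addr, token, child_ns, "POST", f"identity/group/name/{group_name}", {
            "type": "internal",
            "policies": [policy_name],
            # entity from the parent namespace, made a member of a child-namespace group
            "member_entity_ids": [entity_id],
        }),
    ]


def verify_request(addr, entity_token, child_ns, path="sys/namespaces/"):
    """Run with a token belonging to the entity (not the admin token) to confirm
    the group's policy is in effect inside the child namespace."""
    return build_request(addr, entity_token, child_ns, "POST",
                         "sys/capabilities-self", {"paths": [path]})


def send(req):
    data = json.dumps(req["body"]).encode() if req["body"] is not None else None
    r = urllib.request.Request(req["url"], data=data, headers=req["headers"],
                               method=req["method"])
    with urllib.request.urlopen(r) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None  # lookup returns an empty body if not found


if __name__ == "__main__":
    addr, token = os.environ.get("VAULT_ADDR"), os.environ.get("VAULT_TOKEN")
    if not (addr and token):
        sys.exit("set VAULT_ADDR and VAULT_TOKEN (a token allowed to write in ns1)")
    found = send(lookup_entity_request(addr, token, "vikram"))
    if not found or "data" not in found:
        sys.exit("entity 'vikram' not found in the root namespace")
    for req in plan(addr, token, "ns1", found["data"]["id"], "ns-admin", "ns1-admins"):
        send(req)
        print("ok", req["method"], req["url"])
    print("verify as the entity with:",
          json.dumps(verify_request(addr, "<entity token>", "ns1")["body"]))
```

The group is an internal group created in ns1, so the child namespace's own administrators control what it grants, while the member entity stays in root; after logging in as that entity, sys/capabilities-self called with X-Vault-Namespace: ns1/ should report the policy's capabilities on sys/namespaces/ rather than "deny".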

Vikram Dulani

Sep 19, 2019, 9:54:59 AM
to vault...@googlegroups.com
That works! Thank you for your help.
