From 87df1c401d5fba2776f8421d20cac2f1c32f110f Mon Sep 17 00:00:00 2001
From: Jeff Mitchell
Date: Mon, 5 Aug 2019 16:05:43 -0400
Subject: [PATCH] Fix create token sudo non-root namespace check (#7224) (#7260)

---
 vault/dynamic_system_view.go | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/vault/dynamic_system_view.go b/vault/dynamic_system_view.go
index 1cd74af4e583..18c2d2518aea 100644
--- a/vault/dynamic_system_view.go
+++ b/vault/dynamic_system_view.go
@@ -110,11 +110,13 @@ func (d dynamicSystemView) SudoPrivilege(ctx context.Context, path string, token
 	// The operation type isn't important here as this is run from a path the
 	// user has already been given access to; we only care about whether they
-	// have sudo
+	// have sudo. Note that we use root context because the path that comes in
+	// must be fully-qualified already so we don't want AllowOperation to
+	// prepend a namespace prefix onto it.
 	req := new(logical.Request)
 	req.Operation = logical.ReadOperation
 	req.Path = path
-	authResults := acl.AllowOperation(ctx, req, true)
+	authResults := acl.AllowOperation(namespace.RootContext(ctx), req, true)
 	return authResults.RootPrivs
 }
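Review bot: The new `acl.AllowOperation(namespace.RootContext(ctx), req, true)` call makes the sudo decision depend on a precondition — that `path` is already fully namespace-qualified — which is stated only in the inline comment and is neither part of the function's doc comment nor checked; a caller that passes a namespace-relative path now has its ACL evaluated against the wrong (root-relative) path, so the RootPrivs answer is computed for a path the token was never asked about. I would put the contract where callers see it, on the signature: `// SudoPrivilege reports whether the token has sudo on path. path must be fully namespace-qualified: it is evaluated in the root context so that AllowOperation does not prepend the caller's namespace.` A cheap defensive check that the incoming path carries the namespace prefix the caller's context implies would turn a mis-qualified path into an explicit denial rather than a silently wrong evaluation, if such a helper exists in the namespace package. The hunk does not show the file's import block, so I am assuming `namespace` is already imported there; the body of SudoPrivilege also begins before this hunk.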