Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Fix create token sudo non-root namespace check #7224

Merged
merged 4 commits into from
Aug 5, 2019
Merged

Fix create token sudo non-root namespace check #7224

merged 4 commits into from
Aug 5, 2019

Conversation

michelvocks
Copy link
Contributor

The SudoPrivilege check expects a path without a namespace prefix since it calls AllowOperation which is already namespace-aware and checks by default the full context namespace path: https://github.com/hashicorp/vault/blob/master/vault/acl.go#L342

The consequence is that you have to define a separate policy to apply sudo rights for the token/create endpoint e.g.:

This policy allows you to create tokens but only without sudo-rights:

vault policy write -ns=test pol1 -<<EOF
path "auth/token/*" {
    capabilities=["sudo", "create", "update", "delete", "list", "read"]
}
EOF

You can only get sudo-rights by explicitly specifying the namespace:

vault policy write -ns=test pol1 -<<EOF
path "auth/token/*" {
    capabilities=["sudo", "create", "update", "delete", "list", "read"]
}

path "test/auth/token/*" {
    capabilities=["sudo", "create", "update", "delete", "list", "read"]
}
EOF

We should add additional tests on the enterprise side to make sure that this change doesn't introduce other side effects.

@michelvocks michelvocks added this to the 1.2.1 milestone Jul 31, 2019
calvn
calvn reviewed Jul 31, 2019
View reviewed changes
vault/dynamic_system_view.go Outdated Show resolved Hide resolved
@jefferai
Copy link
Member

jefferai commented Aug 1, 2019

I think there is still a weird case but I'm not sure we need to/should fix it.

Imagine you have a token in ns1/. We, for some reason, are checking the path ns2/foo/bar. This will cause the path that is eventually checked to be ns1/ns2/foo/bar. This is correct from the perspective of AllowOperation, but is potentially incorrect from the perspective of whether SudoPrivilege should be checking a full path or not. So far what gets passed in is a full path.

Possibly the actual correct thing to do is to not do anything at all. Require what comes in to be a full path and validate it against a context with no namespace whatsoever. This will mean AllowOperation will run against a full path -- which is what it's trying to do by attaching the context namespace to the incoming path.

@jefferai jefferai removed this from the 1.2.1 milestone Aug 5, 2019
@jefferai jefferai merged commit 6e1360b into master Aug 5, 2019
@jefferai jefferai deleted the fix_create_token_sudo_nspath branch August 5, 2019 20:04
jefferai pushed a commit that referenced this pull request Aug 5, 2019
@michelvocks @jefferai
Fix create token sudo non-root namespace check (#7224)
226f3e2 
* Fix create token sudo non-root namespace check

* Moved path trimming to SudoPrivilege

* Changed to tokenCtx instead of request ctx

* Use root context for AllowOperation; details in comment
@jefferai jefferai mentioned this pull request Aug 5, 2019
Merged
jefferai added a commit that referenced this pull request Aug 5, 2019
@jefferai
Fix create token sudo non-root namespace check (#7224) (#7260)
87df1c4
@jefferai jefferai added this to the 1.2.1 milestone Oct 19, 2019
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@calvn calvn calvn left review comments

@jefferai jefferai jefferai left review comments

@briankassouf briankassouf Awaiting requested review from briankassouf

Assignees
No one assigned
Labels
backport
Projects
None yet
Milestone
1.2.1
Development

Successfully merging this pull request may close these issues.
3 participants
@michelvocks @jefferai @calvn