Inconsistent behavior in ACL templating when using uppercase roles in AppRole #10944

Open
stefan-zh opened this issue Feb 19, 2021 · 0 comments
Labels
auth/approle bug Used to indicate a potential bug

@stefan-zh
Contributor

Describe the bug
There is an inconsistent behavior when using uppercase role names from AppRole in policies that use ACL templates.

To Reproduce
This script should be sufficient to reproduce the behavior:

vault login root
vault auth enable approle
# we will need the AppRole accessor for the policy permissions below
approle_accessor=$(vault read -format json sys/auth | jq -r '.data["approle/"].accessor')
echo "AppRole Accessor: ${approle_accessor}"

# create a policy that governs access to AppRole endpoints
vault policy write admin-policy - <<EOF
path "auth/approle/role/{{identity.entity.aliases.${approle_accessor}.metadata.role_name}}/role-id" {
  capabilities = ["read"]
}
EOF

# create a role
vault write auth/approle/role/ADMIN_ROLE secret_id_ttl=20m token_ttl=20m policies=admin-policy

# log in for role
role_id=$(vault read -format json auth/approle/role/ADMIN_ROLE/role-id | jq -r .data.role_id)
secret_id=$(vault write -format json -f auth/approle/role/ADMIN_ROLE/secret-id | jq -r .data.secret_id)
token=$(vault write -format json auth/approle/login role_id="$role_id" secret_id="$secret_id" | jq -r .auth.client_token)
vault login "$token"

# test policy
vault read auth/approle/role/ADMIN_ROLE/role-id # error
vault read auth/approle/role/admin_role/role-id # OK

Expected behavior
The call to vault read auth/approle/role/ADMIN_ROLE/role-id should be successful.

Environment:

  • Vault Server Version (retrieve with vault status): 1.6.0-dev
  • Vault CLI Version (retrieve with vault version): Vault v1.6.0-dev ('46c64aaffcb7e2c36dd33401200b7f5a26f48868+CHANGES')
  • Server Operating System/Architecture: Linux x86_64 GNU/Linux Ubuntu 18.04 LTS running on Windows 10 Pro WSL2

Vault server configuration file(s): running Vault dev server without configuration

Additional context
I believe the problem is because AppRole lowercases the role names and then puts them in the metadata. A workaround is to always lowercase the role name when calling endpoints on Vault that might be governed by ACL policies. I am not sure if there are mechanisms to make the ACL templates case insensitive, for example.
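To make the mismatch concrete, here is an added Python model of the template expansion and path comparison described in the report (example code, not Vault's own implementation). The accessor value and the entity alias metadata are constructed; the only modelled template form is identity.entity.aliases.<accessor>.metadata.<key>.

```python
import re

# Constructed sample data: the AppRole mount accessor and the entity alias
# metadata Vault attaches after an AppRole login. Because AppRole stores the
# role name lowercased (the behaviour the issue reports), the alias metadata
# reads "admin_role" even though the role was created as ADMIN_ROLE.
APPROLE_ACCESSOR = "auth_approle_00000000"  # constructed placeholder accessor
ENTITY = {"aliases": {APPROLE_ACCESSOR: {"metadata": {"role_name": "admin_role"}}}}

# The policy path from the report, with the accessor substituted in.
POLICY_PATH_TEMPLATE = (
    "auth/approle/role/{{identity.entity.aliases."
    + APPROLE_ACCESSOR
    + ".metadata.role_name}}/role-id"
)

# Matches {{identity.entity.aliases.<accessor>.metadata.<key>}} parameters.
_TEMPLATE_RE = re.compile(
    r"\{\{identity\.entity\.aliases\.([^.}]+)\.metadata\.([^}]+)\}\}"
)


def render_template(template: str, entity: dict) -> str:
    """Replace each alias-metadata template parameter with the entity's value."""
    def substitute(match: "re.Match") -> str:
        accessor, key = match.group(1), match.group(2)
        return entity["aliases"][accessor]["metadata"][key]
    return _TEMPLATE_RE.sub(substitute, template)


def is_allowed(requested_path: str, entity: dict, template: str = POLICY_PATH_TEMPLATE) -> bool:
    """Compare the rendered policy path with the request path.

    The comparison is an exact, case-sensitive string match, with no
    normalisation, which is why the uppercase request path is rejected."""
    return requested_path == render_template(template, entity)


def role_path_workaround(role_name: str) -> str:
    """The workaround from the issue: lowercase the role name before calling
    the endpoint so the request path matches what the template rendered."""
    return f"auth/approle/role/{role_name.lower()}/role-id"


if __name__ == "__main__":
    print("rendered policy path:", render_template(POLICY_PATH_TEMPLATE, ENTITY))
    for path in ("auth/approle/role/ADMIN_ROLE/role-id",
                 "auth/approle/role/admin_role/role-id",
                 role_path_workaround("ADMIN_ROLE")):
        print(f"{path}: {'allowed' if is_allowed(path, ENTITY) else 'denied'}")
```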

@HridoyRoy HridoyRoy added auth/approle bug Used to indicate a potential bug pod/bridge labels Feb 22, 2021