
Multiple Entity Aliases with Same Name and Same Mount #11277

Closed
mdgreenfield opened this issue Apr 5, 2021 · 2 comments · Fixed by #12473
Labels
bug Used to indicate a potential bug core/identity

Comments

@mdgreenfield
Contributor

Describe the bug
It is possible for a single entity to end up with multiple entity aliases of the same name and mount. However, this is not allowed when trying to create an entity alias. The following error message is returned if aliases with the same name for the same mount are attempted:

Error writing data to identity/entity-alias: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/identity/entity-alias
Code: 500. Errors:

* 1 error occurred:
        * duplicate identity name

To Reproduce
Steps to reproduce the behavior:

  1. Start vault server -dev -dev-root-token-id=root in a separate terminal.
  2. Run vault auth enable userpass
  3. Run vault write auth/userpass/users/bsmith password="training" policies="team-qa"
  4. Run vault login -method=userpass username=bsmith password=training
  5. Run accessor=$(vault auth list -format=json | jq -r '.["userpass/"].accessor')
  6. Run entity_id=$(vault write -format=json identity/entity name="bob-smith" policies="base" | jq -r '.data.id')
  7. Run alias=$(vault write -format=json identity/entity-alias name="bob" canonical_id=$entity_id mount_accessor=$accessor)
  8. Run vault write identity/entity-alias/id/$(echo $alias | jq -r '.data.id') name=bsmith // Triggers a merge. Renames the implicitly created entity-alias name
  9. Observe warning - identity: alias is already tied to a different entity; these entities are being merged:
  10. Observe entity with duplicate aliases - vault read -format=json identity/entity/id/$(echo $alias | jq -r '.data.canonical_id')
  11. Observe the merged entity is returned for the previous name bob when calling lookup - vault write -format=json identity/lookup/entity alias_name=bob alias_mount_accessor=$accessor

Expected behavior

  • Step 8 above should be rejected with an error about a duplicate identity name.
  • Identity lookup by alias using previous alias name should return no results.

Environment:

  • Vault Server Version (retrieve with vault status): 1.7.0
  • Vault CLI Version (retrieve with vault version): Vault v1.7.0 (4e222b8)
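The state the reporter observes in step 10 (one entity carrying two aliases with the same name on the same mount) is easy to miss in a large identity store. The following audit helper is an added example, not part of Vault or of the reporter's test case: it takes the JSON that `vault read -format=json identity/entity/id/<id>` returns and reports alias (name, mount_accessor) pairs that occur more than once, and it also shows the pre-rename check that step 8 was expected to perform. The accessor value and entity/alias ids below are constructed placeholders, not values from the page.

```python
"""Audit helper for Vault identity entities.

Added example (not Vault code): flags entity aliases that share a
(name, mount_accessor) pair, the inconsistent state described in the
issue, and checks an alias rename for the "duplicate identity name"
conflict that the reporter expected Vault to raise.
"""
import json
import sys
from collections import defaultdict


def _data(entity):
    # Accept either the full `vault read -format=json` response or its `data` object.
    return entity.get("data", entity)


def find_duplicate_aliases(entity):
    """Return {(name, mount_accessor): [alias_id, ...]} for every pair that
    appears more than once on a single entity. An empty dict means the entity
    is consistent."""
    seen = defaultdict(list)
    for alias in _data(entity).get("aliases") or []:
        key = (alias.get("name"), alias.get("mount_accessor"))
        seen[key].append(alias.get("id"))
    return {key: ids for key, ids in seen.items() if len(ids) > 1}


def rename_conflicts(entities, alias_id, new_name):
    """Before renaming alias `alias_id` to `new_name`, look across all given
    entities for another alias on the same mount accessor that already uses
    `new_name`. Returns the conflicting alias id, or None if the rename is safe."""
    all_aliases = [a for e in entities for a in (_data(e).get("aliases") or [])]
    target = next((a for a in all_aliases if a.get("id") == alias_id), None)
    if target is None:
        raise KeyError(f"alias {alias_id!r} not found")
    for alias in all_aliases:
        if (alias.get("id") != alias_id
                and alias.get("mount_accessor") == target.get("mount_accessor")
                and alias.get("name") == new_name):
            return alias.get("id")
    return None


# Constructed sample data mirroring the reproduction steps (placeholder ids).
ACCESSOR = "auth_userpass_PLACEHOLDER"

# State after step 7: the explicit entity with alias "bob", and the entity
# that the userpass login in step 4 created implicitly with alias "bsmith".
BEFORE_MERGE = [
    {"data": {"id": "entity-explicit", "name": "bob-smith",
              "aliases": [{"id": "alias-bob", "name": "bob",
                           "mount_accessor": ACCESSOR,
                           "canonical_id": "entity-explicit"}]}},
    {"data": {"id": "entity-implicit", "name": "entity_implicit",
              "aliases": [{"id": "alias-bsmith", "name": "bsmith",
                           "mount_accessor": ACCESSOR,
                           "canonical_id": "entity-implicit"}]}},
]

# State after step 8 triggered the merge: one entity, two "bsmith" aliases.
AFTER_MERGE = {"data": {"id": "entity-explicit", "name": "bob-smith",
                        "aliases": [{"id": "alias-bob", "name": "bsmith",
                                     "mount_accessor": ACCESSOR,
                                     "canonical_id": "entity-explicit"},
                                    {"id": "alias-bsmith", "name": "bsmith",
                                     "mount_accessor": ACCESSOR,
                                     "canonical_id": "entity-explicit"}]}}


if __name__ == "__main__":
    # Usage: vault read -format=json identity/entity/id/<id> | python audit_aliases.py
    source = open(sys.argv[1]) if len(sys.argv) > 1 else sys.stdin
    entity = json.load(source)
    dupes = find_duplicate_aliases(entity)
    for (name, accessor), ids in dupes.items():
        print(f"duplicate alias {name!r} on mount accessor {accessor}: {', '.join(ids)}")
    sys.exit(1 if dupes else 0)
```

Run it over each entity returned by `vault list identity/entity/id` to locate merged entities that ended up in this state; a non-zero exit marks an entity that needs manual cleanup.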
@mdgreenfield
Contributor Author

mdgreenfield@1c598aa is a test case I put together which exercises the above.

@briankassouf briankassouf added core/identity bug Used to indicate a potential bug labels Apr 7, 2021
@reddy9694

reddy9694 commented Jun 18, 2021

+1

I was trying an approle login. I don't see the error "duplicate identity name" in v1.5.4 even after having duplicate aliases, but it does complain in 1.7.0.
