New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
403: Permission denied, even as root token trying to lookup a token by accessor #2661
Comments
Here's what the audit log shows
Reading a normal accessor:
|
It looks similar, but I am running a dev mode v0.7.0 vault.
Note that the second token-revoke command successfully removed the token, but the first token-revoke command did not actually revoke the token, despite reporting a success. |
Could you also send along the audit log entries from when the problematic tokens were created? |
Unfortunately I did not have an audit log enabled when I created it. I was merely testing my token creation page. Also, there is only one problematic token. |
Does the token associated with the accessor that isn't dying still work? |
I wanted to try that too, but unfortunately that was probably a UUID because I left the ID parameter empty half the time. Apologies for the lack of reproducible steps 😅 But indeed, if the token is valid and unrevokable (or even worse, reportedly revoked successfully) this may be quite an issue. |
I think it's more likely that the issue was with cleaning up the accessor. Any chance I can get that Vagrant box from you? Then I can investigate directly. |
Possibly. I made a bunch of short TTL tokens. Is there a way to transfer my vagrant snapshot? It's simply a virtual box snapshot right? |
Honestly, I don't know, I've never used Vagrant. But probably, yeah, so if you can just archive the entire vbox machine that would probably work. |
Well restoration of snapshot to the vagrant machine works fine. So worst case you may need to vagrant up before you restore from snapshot. I'll try to get you the snapshot Monday. 😃 |
The snapshot is 2GB and the VM disk itself is another 4GB. I'm not sure how viable a transfer would be. |
If you can Dropbox or Google Drive it or something that's one way to do it. But also, since you have a snapshot, any chance you can try some tidying and see if it helps? We have a couple of additions/fixes to tidy coming for 0.7.1, I can point you to a build with them. |
I don't have enough space on any of my cloud storages at the moment. And since the environment is a dev server, I can't switch it to 0.7.1 anyway. However, running tidy works:
Seems like tidy does clean it up. And 403 is no longer returned:
|
it's good to know it fixes it; we will have to look into how it's happening in the first place. |
@Caiyeon Do you have the command you used to create the tokens? ( |
@vishalnayak Unfortunately, I nuked my vagrant box with |
Closing for now since we're not sure how to repro, but please let us know if you can/do! |
Environment: Vagrant + VirtualBox on Windows 10
OS: debian/jessie64
Vault: v 0.7, -dev mode, pulled Apr 27, last commit:
15842ec2809798baa7cd99a825b9b837dc37b742
Steps to reproduce:
I have no idea. I was making a token-creator page for my vault ui, and I created maybe 20 tokens with short TTLs and a wide variety of nonsensical options. After ~15 minutes, this issue occurred.
Misc:
A vagrant snapshot has been saved, and loading it demonstrates the issue.
However, immediately upon loading the snapshot, I get a 403: bad request instead of permission denied. After awhile, I will get a 403: permission denied.
I can probably resolve this issue by just revoking or running
/tidy
but if this is an actual vault-side issue, I would assume it is of interestThe text was updated successfully, but these errors were encountered: