
Vault list should only show paths if user (token) has access to a secret in that path #5362

Open
drewmullen opened this issue Sep 19, 2018 · 3 comments

@drewmullen drewmullen commented Sep 19, 2018

I have a HashiCorp ticket open with this information: https://support.hashicorp.com/hc/en-us/requests/10584 I tried to adapt the ticket info here, so please let me know if something is unclear.

Is your feature request related to a problem? Please describe.
Currently, for our users to be able to navigate the Vault GUI, we need to apply path "secret/*" { capabilities = ["list"] } to that user. Without it, they receive an error after they click into the secret engine (see pic). However, when we grant that permission, the user can then list ALL secrets. From a user standpoint, this is confusing because they can list every secret in our Vault but cannot access the actual secret.

[screenshot: vault_secret_list_error]

Describe the solution you'd like
It would be great for our users to be able to list (view in the GUI) only secret paths that they have access to, and not see secret paths if they don't have access.

Describe alternatives you've considered
Can't think of any... probably the current solution is the only other alternative: grant secret/* list.

Explain any additional use-cases
We're using 0.11 Enterprise Premium + HSM with a KV2 secret engine. The guides I've been following are: https://www.vaultproject.io/docs/secrets/kv/kv-v2.html#acl-rules and https://support.hashicorp.com/hc/en-us/articles/360000953148-Vault-UI-Secrets-Navigation

In the example below, I've also tried in the CLI, with the same results:

  1. The policy we've applied to the user (the "taf" policy):

     path "secret/metadata/taf/*" { capabilities = ["list", "read"] }
     path "secret/data/taf/*" { capabilities = ["list", "read"] }

  2. A secret exists at the end of that path:

     $ vault kv get secret/taf/test
     ====== Metadata ======
     Key              Value
     ---              -----
     created_time     2018-09-12T13:25:57.871481033Z
     deletion_time    n/a
     destroyed        false
     version          1

     ====== Data ======
     Key         Value
     ---         -----
     test_key    value

  3. We can list the secret at the path the policy provides:

     $ vault kv list secret/taf/
     Keys
     ----
     taf/
     test

  4. We cannot list at the root secret level <-- as I understand it, this is what the GUI does when you click through past the secret engine:

     $ vault kv list secret/
     Error listing secret/metadata: Error making API request.

     URL: GET https://<ip>:8200/v1/secret/metadata?list=true
     Code: 403. Errors:

     * 1 error occurred:

     * permission denied
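The behaviour reported above follows from how Vault matches policy paths: a glob rule on secret/metadata/taf/* says nothing about secret/metadata/ itself, so the root listing the UI performs is denied, while a grant on secret/* is broad enough to list everything and Vault does not filter list results by policy. The following Python is an added illustration written for this thread, not Vault's code or anything from the reporter. It is a simplified model of Vault's documented ACL evaluation (assumptions: trailing-* rules are prefix globs, exact rules win, otherwise the longest matching glob wins, a matching deny refuses everything, list checks are made with a trailing slash on the path) run over a constructed set of KV v2 keys. The policy names ROOT_LIST_ONLY and the key names under KEYS are invented for the example.

```python
"""Simplified model of Vault policy evaluation for KV v2 list/read requests.

Added example for the issue above; not Vault's own ACL implementation.
Assumed matching rules (a simplification of the documented behaviour):
  * a rule path ending in "*" is a prefix glob; any other rule path matches exactly
  * an exact rule wins; otherwise the longest matching glob wins
  * a matching rule containing "deny" refuses everything
  * list requests are checked with a trailing "/" on the request path
  * list results are returned unfiltered (Vault documents that listed keys
    are not filtered by policy), so a grant broad enough to list reveals names
"""
import re

# The "taf" policy quoted in the issue.
TAF_POLICY = '''
path "secret/metadata/taf/*" { capabilities = ["list", "read"] }
path "secret/data/taf/*"     { capabilities = ["list", "read"] }
'''

# The broad grant the reporter had to add so the UI could navigate the mount.
BROAD_LIST = 'path "secret/*" { capabilities = ["list"] }'

# A narrower alternative (assumption: an exact rule granting list only at the
# top level of the mount's metadata tree).
ROOT_LIST_ONLY = 'path "secret/metadata/" { capabilities = ["list"] }'

# Constructed sample of keys under the KV v2 mount "secret/" (KV v2 lists
# against secret/metadata/<key> and reads against secret/data/<key>).
KEYS = ["taf/test", "taf/db", "other/api-token", "prod/root-password"]

RULE_RE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}')


def parse_policy(*hcl_docs):
    """Parse one-rule-per-line HCL fragments into {rule_path: {capabilities}}."""
    rules = {}
    for doc in hcl_docs:
        for path, caps in RULE_RE.findall(doc):
            rules[path] = {c.strip().strip('"') for c in caps.split(",") if c.strip()}
    return rules


def allowed(rules, path, capability):
    """Decide one request (path, capability) against the parsed rules."""
    if capability == "list" and not path.endswith("/"):
        path += "/"                      # list checks use the directory form
    if path in rules:                    # exact rule takes precedence
        caps = rules[path]
    else:
        globs = [p for p in rules if p.endswith("*") and path.startswith(p[:-1])]
        if not globs:
            return False                 # default deny
        caps = rules[max(globs, key=len)]  # longest matching prefix wins
    return "deny" not in caps and capability in caps


def can_list(rules, prefix):
    """ACL check behind `vault kv list secret/<prefix>`: list on secret/metadata/<prefix>."""
    return allowed(rules, "secret/metadata/" + prefix, "list")


def kv_list(rules, prefix):
    """Model `vault kv list secret/<prefix>`: the ACL check, then the UNFILTERED
    child names, which is what Vault returns regardless of deeper permissions."""
    if not can_list(rules, prefix):
        raise PermissionError("permission denied: list secret/metadata/" + prefix)
    children = set()
    for key in KEYS:
        if key.startswith(prefix):
            rest = key[len(prefix):]
            children.add(rest.split("/", 1)[0] + "/" if "/" in rest else rest)
    return sorted(children)


def kv_readable(rules, prefix):
    """Keys under <prefix> the token could actually `vault kv get` (read on secret/data/<key>)."""
    return [k for k in KEYS if k.startswith(prefix) and allowed(rules, "secret/data/" + k, "read")]


if __name__ == "__main__":
    taf = parse_policy(TAF_POLICY)
    print("taf policy, list secret/taf/:", kv_list(taf, "taf/"))
    print("taf policy, list secret/ :", "allowed" if can_list(taf, "") else "permission denied")

    broad = parse_policy(TAF_POLICY, BROAD_LIST)
    print("with secret/* list, root  :", kv_list(broad, ""))
    print("with secret/* list, prod/ :", kv_list(broad, "prod/"), "readable:", kv_readable(broad, "prod/"))

    narrow = parse_policy(TAF_POLICY, ROOT_LIST_ONLY)
    print("with root-only list, root :", kv_list(narrow, ""))
    print("with root-only list, prod/:", "allowed" if can_list(narrow, "prod/") else "permission denied")
```

Under the taf policy alone the model reproduces the issue: listing secret/taf/ succeeds and listing secret/ is denied. Adding secret/* list makes every key name under the mount visible (prod/root-password included) even though none of them outside taf/ is readable, which is the confusing state the reporter describes. The narrower exact rule on secret/metadata/ lets the UI get past the mount root while keeping the deeper listings denied, but it still exposes the names of every top-level folder: because list results are not filtered by policy, no policy shape gives the per-token filtered view this issue asks for.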
@servergeeks servergeeks commented Sep 20, 2018

+1

@meirish meirish added the ui label Oct 19, 2018
@SanghmitraJohri SanghmitraJohri commented Feb 13, 2019

I am also facing the same issue. Any update on this?

@catsby catsby added the bug label Nov 11, 2019
@mfuxi mfuxi commented Nov 15, 2019

I'm facing the same issue as well. A workaround for this issue is to supply the secret path manually in the URL, like this:
secret/list/foo
