New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
KV2 engine and restrictive policy leads to strange behaviour #389
Comments
|
at first i thought this behaviour might be explained if the secret engine was actually KV1 instead of KV2, but that doesn't seem to be the case.
So I have no idea what's going on here. |
Looks like I was able to replicate things locally with a test case along these lines: https://github.com/hvac/hvac/compare/issue_389?expand=1 Running it through our travis-ci build process now (which should help clarify if the behavior is different in different releases of Vault or not...): https://travis-ci.org/hvac/hvac/builds/489664686 |
Thanks, @jeffwecan. I was worried I was doing another dumb here; I'm still pretty new to Vault. If it's documented wrong in the API docs, I can file the upstream (but obviously the kv.v2 function would still need to be updated as well). Worth noting that the vault client also makes a call to the UI path on a
Which also isn't documented. It seems the vault client and HTTP API (the docs, at the least) diverge a fair bit. |
On that second point, I imagine you're seeing this bit of logic https://github.com/hashicorp/vault/blob/master/command/kv_helpers.go#L43 which we've discussed to some extent within this project under: #383 (comment) |
AH! Indeed, that seems to be it. Thanks! |
following up, forgive me if i'm incorrect in this but based on the travis output, it looks like the failures start with 0.10.4. is this correct? shall i file upstream? |
As my apologies, I should have clarified what I expected the build to indicate. As KV v2 was added in Vault v0.10.0, we have the kv_v2 test class set to be skipped when running integration tests against earlier versions of Vault. I.e., I would expect that we'd see the same issue with Vault v0.10.0 and presumably its always been so. Having said that, I would still agree that an upstream bug report is the reasonable next step to take here. As you alluded to earlier, I imagine it comes down to one of the following two options:
In the first case, we would naturally also want to update hvac's implementation to match. 👍 |
^ Filed upstream. |
Aaaand upstream closed. They're claiming it's a body formatting issue, even though hvac conforms to KV2 docs. |
Hah okay 👌. I'll take a look and aim to get some sort of fix implemented in the next hvac release. |
Thanks! |
@jeffwecan I'm not sure what it means for HVAC and any future work here but it's now very clear that the reporter is writing to a v1 mount, not a v2 mount. |
confirmed, closing. apologies, all. |
I have the following policy:
The following works fine:
vault write secret/data/foo/bar/baz x=1 y=2 z=3
.However, using the same exact token in hvac:
I did a tcpdump (since it was to an HTTP Vault server on localhost), and found that the Vault CLI client does e.g. (real values have been replaced):
BUT the client.secrets.kv.v2.create_or_update_secret call does e.g. this (actual values replaced):
Notable differences are a POST vs. PUT, and the structure of the payload.
For whatever reason, this causes a permission denied error (403) for hvac, but the vault client succeeds.
At a guess, maybe the docs are wrong? As the Vault client does not seem to conform to the docs (but hvac does).
Are you able to replicate?
The text was updated successfully, but these errors were encountered: