Access does not work

Describe the bug
Access does not work correctly, with either KV1 or KV2 style.

To Reproduce
Steps to reproduce the behavior:

  1. Create a user & password in Access and attach the policy "acl_bijinming".
     [screenshot]
  2. Create the policy "bijinming" as the following shows.
     [screenshot]
  3. Create a KV2 secret at the test/test path.
     [screenshot]
  4. Log in with the new user.
     [screenshot]

Expected behavior
The secret at path 'test/test' should be visible, and other secrets should not be visible.

Environment:

  • Vault Server Version: vault:1.9.0

Vault server configuration file(s):

    disable_mlock = true
    ui = true
    listener "tcp" {
      tls_disable = 1
      address = "[::]:8200"
      cluster_address = "[::]:8201"
    }
    storage "file" {
      path = "/vault/data"
    }

Additional context
When I remove the data and set the access path to "test/test/*", it does not work either!

You have mismatching paths. Where is your kv actually mounted? In one it’s test and in one it’s secrets.

Instead of posting screenshots, use the CLI to be clearer.

Also, you’re missing the test/metadata/* path with list and, optionally, read capabilities. This is needed for listing folder contents.

Also, Vault does not support Access-Based-Enumeration - meaning if you have access to list contents of a folder you can see the existence of all items in that folder (but unless explicitly granted the right to read, will not be able to read the content). However, if you only have access to view the contents of a secret (and not access to list the folder) you will not be able to enumerate the contents of the folder but rather you would need to know and provide the full path to see the contents.

Policies can be a bit tricky at first, but continue to experiment to get a better understanding of how they work. KVv2 policies add an additional layer to standard ACLs and you’ll need to account for the additional paths utilized in this engine type.

  1. Log in with the root token and create a KV secret at path /test/hello.
     [screenshot]
  2. Get the secret at path /test/hello.
     [screenshot]
  3. Create a user named "mitchellh" with access "acl_bijinming".
     [screenshot]
  4. List the access "acl_bijinming".
     [screenshot]
  5. Log in with mitchellh.
  6. Get the secret from /test/hello.

Thanks, I have added "test/metadata/*" to the policy and it works fine now, so "test/metadata/*" and "test/data/*" must come as a pair in the policy.
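A policy illustrating the data/ and metadata/ pairing discussed in the reply above and confirmed here, added as an example and not taken from the issue; it assumes the KV v2 engine is mounted at `test` and the secret lives at `test/test`:

```hcl
# Added example (not from the issue): least-privilege policy for one KV v2 secret.
# Assumptions: KV v2 engine mounted at "test", secret written at test/test.

# What the report first tried: a KV v1-style path. It never matches a KV v2
# secret, because the v2 API prefixes every request with data/ or metadata/.
# path "test/test" {
#   capabilities = ["read"]
# }

# Read the secret's current version at test/test.
path "test/data/test" {
  capabilities = ["read"]
}

# Read its metadata (version list, timestamps) at the matching metadata path.
path "test/metadata/test" {
  capabilities = ["read"]
}

# Needed to list folder contents: KV v2 answers LIST under metadata/, so the
# UI and "vault kv list" fail without this. Caveat from the reply: Vault has
# no access-based enumeration, so this reveals the names of every secret
# under test/, even those the user cannot read. Omit it if the user only
# needs to fetch test/test by its full path.
path "test/metadata/*" {
  capabilities = ["list"]
}
```

Save it as a file and load it with `vault policy write acl_bijinming <file>`, then attach that policy name to the user.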