ACL plus notation does not work in path

Hello,

I have kv v1 with a foo/ path and want to create a policy to deny specific secrets inside foo/+/, in my case foo/+/bitbucket*.

But for some reason the policy below does not work. I’m still able to read any secrets in foo/+/bitbucket* with the bitbucket* prefix.

path "foo/+" {
  capabilities = ["list"]
}

path "foo/bar/*" {
  capabilities = ["list", "read", "create", "update", "patch", "delete"]
}

path "foo/+/bitbucket*" {
  capabilities = ["deny"]
}

It works only when I explicitly specify the full path like this:

path "foo/bar/bitbucket*" {
  capabilities = ["deny"]
}

Why does + not work in my case?

Thanks.

Needs to be changed to:

path "foo/+/" {
  capabilities = ["list"]
}

The handling of trailing slashes with list operations and + wildcards is inconsistent with the same if + wildcards are not used, unfortunately.

Sorry, but this does not allow listing any path under foo/. Moreover, it does not solve the issue with:

path "foo/bar/bitbucket*" {
  capabilities = ["deny"]
}

Seems like this kind of ACL just doesn’t work with kv v1. I checked the same patterns with kv v2 and it works perfectly.
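
Added example, not part of the thread and not Vault's own code: a simplified Python model of the priority-matching rules in Vault's policy documentation, applied to the policy from the question. Under those rules a pattern whose first `+` or `*` appears earlier has lower priority, so `foo/bar/*` outranks `foo/+/bitbucket*` for paths under `foo/bar/`. The secret name `bitbucket-token` is constructed, and list-specific trailing-slash handling is not modelled.

```python
# Simplified model of Vault's documented ACL priority matching (not Vault's code).
# Policy from the question: path pattern -> capabilities.
POLICY = {
    "foo/+": ["list"],
    "foo/bar/*": ["list", "read", "create", "update", "patch", "delete"],
    "foo/+/bitbucket*": ["deny"],
}

def matches(pattern, path):
    """'+' matches one whole segment; a trailing '*' makes the pattern a prefix."""
    glob = pattern.endswith("*")
    pat = pattern.rstrip("*").split("/")
    req = path.split("/")
    if len(req) < len(pat) or (not glob and len(req) != len(pat)):
        return False
    for i, seg in enumerate(pat):
        if seg == "+":
            continue
        if glob and i == len(pat) - 1:
            # Rest of the request path must start with the last literal piece.
            return "/".join(req[i:]).startswith(seg)
        if seg != req[i]:
            return False
    return True

def priority(pattern):
    """Sort key; the largest key wins."""
    first = min(i for i, c in enumerate(pattern) if c in "+*")
    return (first,                       # later first wildcard/glob wins
            not pattern.endswith("*"),   # non-glob beats glob
            -pattern.count("+"),         # fewer '+' segments wins
            len(pattern), pattern)       # longer, then lexicographically larger

def effective(policy, path):
    """Return (winning pattern, capabilities) for a request path."""
    if path in policy:                   # exact match always wins
        return path, policy[path]
    hits = [p for p in policy if ("+" in p or "*" in p) and matches(p, path)]
    if not hits:
        return None, []
    best = max(hits, key=priority)
    return best, policy[best]

if __name__ == "__main__":
    secret = "foo/bar/bitbucket-token"   # constructed sample path
    print(effective(POLICY, secret))
    fixed = dict(POLICY, **{"foo/bar/bitbucket*": ["deny"]})
    print(effective(fixed, secret))
```

In this model the deny on `foo/+/bitbucket*` still applies to mounts with no more specific rule, such as `foo/baz/bitbucket-token`; it loses only where a pattern with a later first wildcard also matches.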