Description
I am using Hashicorp's Vault, version 1.7.0, free version.
I would like to allow a certain range of policies that a user can assign/delete to a group. That way he can add or delete user entities to or from the group from the UI.
What I have done
Below, written in blocks, is the overall policy file.
{
capabilities = ["list"]
}
#To show the identity endpoint from the UI
path "/identity/*" {
capabilities = ["list" ]
}
# Policies that I would like the user to have the ability to assign to the group.
path "/sys/policies/acl/it_team_leader" {
capabilities = ["read", "update", "list"]
}
path "sys/policies/acl/it_user"{
capabilities = ["read", "update","list"]
}
path "sys/policies/acl/ui_settings"{
capabilities = ["read", "update", "list"]
}
path "sys/policies/acl/personal_storage"{
capabilities = ["read", "update","list"]
}
# Group id to which the user has full access
path "/identity/group/id/2c97485a-754f-657a-5a8b-62b08a3ce8cb" {
capabilities = ["sudo","read","update","create","list"]
}
What is the issue
Let's assume that I have a super-privileged policy that provides access to the whole secrets engine.
From the UI I am able to assign that super-privileged policy to the group, and basically allow a restricted user to assign this super policy to the whole group.
When I extended the policy with:
path "sys/policies/acl/super-priveleged" {
capabilities = ["deny"]
}
it just prevents the policy from being read from the UI.
Appending the group path with allowed_parameters such as:
path "/identity/group/id/2c97485a-754f-657a-5a8b-62b08a3ce8cb" {
capabilities = ["sudo","read","update","create","list"]
allowed_parameters = {
"policies" = ["it_user", "it_team_leader"] # etc.
}
}
I receive a permission denied error (403).
Appending with denied_parameters:
path "/identity/group/id/2c97485a-754f-657a-5a8b-62b08a3ce8cb" {
capabilities = ["sudo","read","update","create","list"]
denied_parameters = {
"policies" = ["super-policy"]
}
}
is not functioning and I am still allowed to assign the super policy.
I also tried wildcards with the same result.
Is it even possible to restrict one/a range of policies that can be assigned from the Vault UI?
Thanks in advance if you made it so far.
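As an added illustration (not part of the post, and not Vault's source code): a small Python model of how parameter constraints are evaluated, following the documented rules that string values are glob-matched, an empty value list means "any value", and any key not listed is refused once allowed_parameters is set unless "*" is allowed. That a list-valued request field such as policies is compared as a whole against the string entries (so a policy list slips past a denied_parameters entry) is an assumption here; it is consistent with what the post observes, and the request bodies below are constructed, not captured.

```python
from fnmatch import fnmatchcase

# Constructed request bodies (field names assumed, not captured from Vault).
# A group update from the UI plausibly sends more than just the policy list;
# a CLI write of a single policy sends a plain string.
UI_UPDATE = {
    "name": "it-group",
    "member_entity_ids": ["entity-1"],
    "policies": ["super-policy", "it_user"],
}
CLI_UPDATE = {"policies": "super-policy"}


def value_matches(value, wanted):
    """Does a request value match one of the values listed in the policy?"""
    if not wanted:          # empty list in the policy: any value counts
        return True
    for item in wanted:
        # Strings are glob-matched; anything else (e.g. a list) must be equal,
        # so ["super-policy", "it_user"] never matches the string "super-policy".
        if isinstance(item, str) and isinstance(value, str):
            if fnmatchcase(value, item):
                return True
        elif item == value:
            return True
    return False


def check_parameters(request, allowed=None, denied=None):
    """Return None when the request passes, otherwise the reason it is refused."""
    allowed = allowed or {}
    denied = denied or {}
    for key, value in request.items():
        if key in denied and value_matches(value, denied[key]):
            return f"denied: parameter {key!r}"
    if allowed:
        for key, value in request.items():
            if key in allowed:
                if not value_matches(value, allowed[key]):
                    return f"value not allowed for {key!r}"
            elif "*" not in allowed:
                # Every key the UI sends must be listed, or the whole write fails.
                return f"parameter {key!r} not in allowed_parameters"
    return None
```

Under this model the CLI write is stopped by denied_parameters, the UI's list-valued write is not, and allowed_parameters refuses the UI's write because of its other fields rather than because of the policy.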