Issues with managing policy updates for userpass users

sdeoras · March 16, 2020, 6:26pm

Hi Folks,

I am running into an issue when trying to manage policy updates for userpass users. The scenario is described, in details, in links below, but the high level intent is as follows:

Admin needs to be able to update policies attached to users
Admin can only grant specific policies

In order to satisfy item 2, the admin has following policy:

gist.github.com

https://gist.github.com/sdeoras/bbe937028cf8e3778747d506da69a91d

vault-admin-policy.hcl

path "auth/userpass/users/+" {
  capabilities = ["create", "read", "delete", "update", "list"]
  allowed_parameters = {
    "token-policies" = ["default", "policies/*"]
    "policies" = ["default", "policies/*"]
    "*" = []
  }
}

path "auth/userpass/users/+/policies" {

This file has been truncated. show original

Now the issue that I am running into is that the admin seems to be able to assign a policy not allowed by prefixing it with an allowed policy. Is this because of '*" pattern match in admin policy in link above?

Pl. see sample steps to repro the issue in link below:

gist.github.com

https://gist.github.com/sdeoras/f83ba9a27e7be50e578ddc28b5ca4457

vault-policy.sh

#!/usr/bin/env bash

#ROOT_TOKEN="s.OoBBV5lGoHVFBTZGSsTxCntu"
#vault login $ROOT_TOKEN

# run as root
vault auth enable userpass
vault policy write admin policy.hcl

# create two users, make alice as admin

This file has been truncated. show original

I would like to get some recommendations on best practices on managing policy updates on users and/or how to fix this issue.
Using vault 1.3.3