KV v2 list policy to hide all subpaths except for one

I’m experimenting with Vault’s policies and I want to create one that allows a user logging in with Userpass to use the Vault webpage GUI to navigate to her secrets at ‘secrets/data/users/maggie’ without seeing the other users that exist at ‘secrets/data/users/bob’.

I have been able to get to the point that she can see all the users, but she cannot access their data. What I would like to get to is where she can only see her user.

path "secret/data/users/maggie/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

path "secret/metadata" {
  capabilities = ["list"]
}

path "secret/metadata/users" {
  capabilities = ["list"]
}

path "secret/metadata/users/maggie" {
  capabilities = ["list"]
}

If I change the ACLs to:

path "secret/data/users/maggie/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

path "secret/metadata" {
  capabilities = ["list"]
}

// removing 'secret/metadata/users'

path "secret/metadata/users/maggie" {
  capabilities = ["list"]
}

She cannot see herself. She can change the URL to include her name, but I’d like for her to be able to use the GUI.

Any tips? This is one of the areas I’m weak in with respect to Vault.
(OR, is this an example of this Issue https://github.com/hashicorp/vault/issues/5362 ?)


I didn’t know about that, but, yeah, I think it might be. :confused:

Does collapsing some of the paths with + – as per this post – help at all? That is:

path "secret/+/users/maggie/*" {
  capabilities = ["create"...]
} ...

Or is that just going to end in Not Authorized as well, when trying to browse secret/?

It’s a weak area for me as well, and I’m an Associate. :man_facepalming:

This is what I tried from what I understood of your suggestion:

path "secret/+/users/maggie/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

path "secret/metadata" {
  capabilities = ["list"]
}

path "secret/metadata/users/maggie/*" {
  capabilities = ["list"]
}

And, yes, it resulted in the Not Authorized. :slightly_frowning_face:

That bit is redundant, as + is a wildcard for one ‘level’ – data and metadata, in this case – but none of that matters when there’s this permissions problem higher up. :confounded:

Don’t know what to say, except I’ve heard it on good authority that the developers are really concentrating on the UI these days; it surprised me to see such a fundamental issue still open from 2018.

Right, I just left it there. I have my fingers crossed that this is something the devs can solve soon. I’m a big fan of Hashicorp and their tools.

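An added example, not code from the thread or from Vault itself: a small Python model of Vault's policy path matching (exact path, trailing `*` glob, `+` single-segment wildcard, and the retry without the trailing `/` that Vault applies to list requests), run against the three policies posted in this thread and the list calls the KV v2 UI makes while browsing down to maggie's secrets. It assumes a constructed metadata tree with users `bob` and `maggie`, and that an allowed list returns every child key the backend holds (the ACL gates the call but does not filter its result).

```python
# Constructed KV v2 metadata tree standing in for the "secret" mount (assumption).
KV_TREE = {
    "secret/metadata/": ["users/"],
    "secret/metadata/users/": ["bob/", "maggie/"],
    "secret/metadata/users/maggie/": ["db-password"],
}

# The three policies from the thread, as (path, capabilities) rules.
FULL = {"create", "read", "update", "delete", "list"}
POLICY_ORIGINAL = [("secret/data/users/maggie/*", FULL), ("secret/metadata", {"list"}),
                   ("secret/metadata/users", {"list"}), ("secret/metadata/users/maggie", {"list"})]
POLICY_NO_USERS = [r for r in POLICY_ORIGINAL if r[0] != "secret/metadata/users"]
POLICY_PLUS = [("secret/+/users/maggie/*", FULL), ("secret/metadata", {"list"}),
               ("secret/metadata/users/maggie/*", {"list"})]

def matches(rule, path):
    """Model of Vault matching: '+' matches exactly one segment, a trailing '*' any remainder."""
    glob = rule.endswith("*")
    rule_segs, path_segs = rule.rstrip("*").split("/"), path.split("/")
    if len(path_segs) < len(rule_segs) or (not glob and len(path_segs) != len(rule_segs)):
        return False
    for i, (r, p) in enumerate(zip(rule_segs, path_segs)):
        if r == "+":
            continue
        if glob and i == len(rule_segs) - 1:
            return p.startswith(r)   # the glob tail only has to match as a prefix
        if r != p:
            return False
    return True

def allowed(policy, op, path):
    """Union of matching rules: Vault takes the most specific match, which gives the
    same answer for allow-only policies such as these."""
    candidates = [path]
    if op == "list" and path.endswith("/"):
        candidates.append(path[:-1])  # Vault retries a list against the path without its slash
    return any(op in caps and any(matches(rule, c) for c in candidates)
               for rule, caps in policy)

def browse(policy, path):
    """What the UI gets when it lists a metadata path; None stands for 'Not Authorized'."""
    if not allowed(policy, "list", path):
        return None
    return list(KV_TREE.get(path, []))  # unfiltered: every child key comes back, bob included

def walk(policy):
    """The three list calls the UI makes on the way to secret/metadata/users/maggie/."""
    return {p: browse(policy, p) for p in KV_TREE}

if __name__ == "__main__":
    for name, pol in [("original", POLICY_ORIGINAL), ("no users", POLICY_NO_USERS), ("plus", POLICY_PLUS)]:
        print(name, walk(pol))
```

With the original policy the walk succeeds but the `users/` listing shows `bob/` next to `maggie/`; the two other variants deny the list at `secret/metadata/users/`, which is the Not Authorized the thread ran into, while a direct read of maggie's data stays allowed in all three.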