Templated ACL policies using LDAP Groups

Hi there,

Recently, I worked on implementing something called “Templated ACL policies”. The goal of this implementation was to create a “KV Engine” with a specific path: “/user_secrets/{LDAP_USER}/priv”. This allows a user to access their own secrets in a dynamic path that contains his/her username.

The policy applied was:

path "/user_secrets/data/{{identity.entity.aliases.auth_ldap_62a0e103.metadata.name}}/priv/*"
{
  capabilities = ["read", "create", "list", "delete", "update"]
}

For example: an {LDAP_USER} logged in as johndoe belongs to groups=[“admin”, “devops”].

johndoe can [“read”, “create”, “list”, “delete”, “update”] in the path “/user_secrets/data/johndoe/priv/*”.

I need to do the same but with his groups in another KV Engine with path “/groups_secrets/data/{LDAP_GROUP}/priv/*”:

For example, johndoe can read or list the path:
“/groups_secrets/data/devops/priv/*”

How can I do this?

In ACL Policy Path Templating, an option with groups is not specified.

Thanks in advance.


I looked into this in depth myself too, at my former organization.

It is not possible.

The reason it is not possible comes in two parts:

  1. There is no ACL policy path template expression that expands to the list of group names a user is a member of.

  2. Even if someone wanted to make a change to the Vault code to introduce such a feature, they would first have to deal with the challenge that users are generally in multiple groups, but the current ACL policy path templating expansion cannot expand in such a way as to cause one path expression to generate multiple resulting paths.

Unfortunately, the practical answer with the Vault of today is to accept that you’ll need automation external to Vault that builds and uploads dynamically generated policies as the list of groups which need to store data changes.

Hi maxb!!!
I suspected the same and you confirmed it.

Thanks a lot for your answer.

There is no direct way, but there is an indirect way: group/aliases.

I cannot find it right now, or the example was moved to GitHub:

You create a group under identity/group that is external, whose name matches the LDAP group. You then create an identity/group-alias to which you assign policies.

On LDAP login (and you need the right group search), if the user belongs to the EXTERNAL group, they will get the policies of the group-alias.

A few key items: there is a one-to-one mapping between LDAP group and alias group. This also works for multiple groups, but be conscious that policy collisions work on least privilege and take some getting used to.

(Late to the answer; I bumped into this via an unrelated Google search.)
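Putting maxb’s “automation external to Vault” and alain’s group/alias mapping together, here is an added example that is not code from this thread or from HashiCorp: a small Python generator that, for each LDAP group, renders a per-group read/list policy and the `identity/group` and `identity/group-alias` payloads that tie the LDAP group to it, and works out which managed policies to create or delete when the LDAP group list changes. The policy name prefix `groups-secrets-`, the KV v2 mount name `groups_secrets`, the sample group list and the placeholder `canonical_id` are assumptions; the mount accessor is the one from the policy quoted in the thread. Group names are validated before they are interpolated into a path, since a name containing `*` or `+` would widen the generated policy.

```python
import json
import re

# Constructed sample input: LDAP group names that need their own KV path.
LDAP_GROUPS = ["admin", "devops"]

# Mount accessor of the LDAP auth method, taken from the policy in the thread.
LDAP_MOUNT_ACCESSOR = "auth_ldap_62a0e103"

# Assumed naming convention for the policies this script manages.
POLICY_PREFIX = "groups-secrets-"

# Group names are interpolated into a policy path, so allow only characters
# that can never act as a glob ('*', '+') or path separator inside HCL.
GROUP_NAME_RE = re.compile(r"[A-Za-z0-9_-]+")


def validate_group_name(name):
    """Return the name unchanged, or raise if it could widen the generated path."""
    if not GROUP_NAME_RE.fullmatch(name):
        raise ValueError(f"unsafe LDAP group name for policy templating: {name!r}")
    return name


def policy_name(group):
    """One policy per LDAP group, under the managed prefix (assumption)."""
    return POLICY_PREFIX + validate_group_name(group)


def render_group_policy(group, mount="groups_secrets"):
    """Render the HCL for one group's read/list policy on a KV v2 mount.

    KV v2 serves reads from <mount>/data/... and directory listings from
    <mount>/metadata/..., so both paths are needed for 'read or list'.
    """
    group = validate_group_name(group)
    return (
        f'path "{mount}/data/{group}/priv/*" {{\n'
        f'  capabilities = ["read"]\n'
        f'}}\n'
        f'path "{mount}/metadata/{group}/priv/*" {{\n'
        f'  capabilities = ["list"]\n'
        f'}}\n'
    )


def build_plan(groups, mount_accessor):
    """Produce, per LDAP group, the three Vault objects alain's post describes.

    Each entry holds the policy HCL (for `vault policy write`), the external
    identity group payload (identity/group) and the group-alias payload
    (identity/group-alias). The alias needs the group's canonical_id, which
    Vault only returns once the group exists, so the plan carries a labelled
    placeholder for it.
    """
    plan = []
    for group in groups:
        group = validate_group_name(group)
        plan.append({
            "policy_name": policy_name(group),
            "policy_hcl": render_group_policy(group),
            "identity_group": {
                "name": group,
                "type": "external",
                "policies": [policy_name(group)],
            },
            "group_alias": {
                "name": group,  # must equal the LDAP group name exactly
                "mount_accessor": mount_accessor,
                "canonical_id": "<id returned by identity/group write>",  # placeholder
            },
        })
    return plan


def reconcile(ldap_groups, existing_policy_names):
    """Return (policies to create, policies to delete) for the current group list.

    Only names under POLICY_PREFIX are ever proposed for deletion, so policies
    the script does not own (e.g. 'default') are never touched.
    """
    desired = {policy_name(g) for g in ldap_groups}
    managed = {p for p in existing_policy_names if p.startswith(POLICY_PREFIX)}
    return sorted(desired - managed), sorted(managed - desired)


if __name__ == "__main__":
    for entry in build_plan(LDAP_GROUPS, LDAP_MOUNT_ACCESSOR):
        print(f"# vault policy write {entry['policy_name']} -")
        print(entry["policy_hcl"])
        print(json.dumps({"identity/group": entry["identity_group"],
                          "identity/group-alias": entry["group_alias"]}, indent=2))
```

The output is meant to be fed to the Vault CLI or HTTP API by whatever scheduler re-reads the LDAP group list; `reconcile` is the piece that keeps the uploaded policy set in step with that list without deleting anything outside the managed prefix.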

Hello @alain, I created identity groups, linked them to group aliases, and after an LDAP login the users successfully receive the policy which belongs to the identity group. But what should I put into this policy? Obviously we do not want to create a separate policy for each group identity, which are all identical except for the path “/user_secrets/data//priv/*”.

Hello,

You are correct, there is an easier way: policy templating.

I have a small Medium article that touches on it:

Basically, it becomes metadata of the LDAP group alias or identity alias. Similar to:

vault policy write user_secrets - <<EOF
path "secret/data/{{identity.entity.aliases.${MOUNT_ACCESSOR}.name}}/*" {
  capabilities = ["create", "read", "update", "patch", "delete", "list"]
}
EOF

But it depends on how you set up your LDAP.

Hello, thanks, but while I can see how this works for identity.entity templates as used in your example, ACL policy path templating | Vault | HashiCorp Developer does not seem to list a comparable template expression for groups. All identity.groups. template expressions require me to put in a specific group id, which would result in a template that works only for exactly this group, while what we want is a template that works for any group.

Basically it is what maxb wrote: “There is no ACL policy path template expression that expands to the list of group names a user is a member of”