vault-ui
Unable to create/delete a secret unless token has list capabilities on parent node
My token has the following policy attached:
path "secret/some/path/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "secret/some/path" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
Naturally I can create/edit/delete/view stuff under this prefix with command line. However in the vault-ui the secret page does not provide me with any way to navigate the mount, as I do not have the access to top level "secret" path.
I can paste http://my-vault-ui/secrets/generic/secret/some/path
or http://my-vault-ui/secrets/generic/secret/some/path/
in the address bar in the browser and get to edit or see the values.
This is obviously not ideal, I should not need to use the address bar for that.
Also I was not able to find a way to create or delete the data (keys and values) under http://my-vault-ui/secrets/generic/secret/some/path
with vault-ui. I can view and edit it, but I can neither create nor delete it. It is obviously not a problem with vault CLI.
However in the vault-ui the secret page does not provide me with any way to navigate the mount, as I do not have the access to top level "secret" path.
This is by design. If the policy applied to your token doesn't have permissions to list a particular path then I see no way for vault-ui to present you with a tree. At that point a user would be required to know the exact path in advance and URL becomes the most direct way to encode it.
Also I was not able to find a way to create or delete the data (keys and values) under http://my-vault-ui/secrets/generic/secret/some/path with vault-ui. I can view and edit it, but I can neither create nor delete it. It is obviously not a problem with vault CLI.
I am unable to reproduce this issue, I've used the policy that you provided in the issue description and browsed to http://vault-ui/secrets/generic/secret/some/path/ and I'm able to create a new secret, edit it and delete it.
@msessa Try to create a secret with vault-ui that corresponds to
vault write secret/some/path hello=world
Can you do that? How?
Ah I see your point now.
It's a bit of a tricky situation as browsing to http://vault-ui/secrets/generic/secret/some/path will instruct vault-ui to look for an existing object at secret/some/path which would return a 404 from vault.
One way we could solve this is by detecting the 404 and at the same time run a capability check to see if the token would be allowed the create operation. If both conditions are met, present the user with a JSON editor to add data to the new object.
At the same time we'd need to integrate a Delete button in the edit secret modal window.
As usual, PRs are welcome, otherwise I'll add this to my TODO list but I can't promise you any ETA
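The 404-plus-capability-check approach described above, written out as an added example (not vault-ui's own code). It assumes Vault's GET /v1/&lt;path&gt; endpoint (404 when nothing is stored) and POST /v1/sys/capabilities-self, plus a fetch-style HTTP client that is injected so the decision logic can be exercised without a server.

```javascript
// Added example, not vault-ui project code. Assumes the Vault HTTP API:
// GET /v1/<path> returns 404 for a non-existent object, and
// POST /v1/sys/capabilities-self reports the token's capabilities on a path.

// Pure decision: which view the UI should present for a secret path.
// status: HTTP status of GET /v1/<path>; caps: capabilities on that path.
function chooseSecretView(status, caps) {
  if (status === 200) {
    // Object exists: show the editor, with a Delete button only when permitted.
    return { view: 'edit', canDelete: caps.includes('delete') };
  }
  if (status === 404) {
    // Nothing stored yet: offer an empty JSON editor only if the token may create.
    if (caps.includes('root') || caps.includes('create')) {
      return { view: 'create', canDelete: false };
    }
    return { view: 'not-found', canDelete: false };
  }
  return { view: 'error', canDelete: false };
}

// Extracts the capability list for `path` from a capabilities-self response.
// Newer Vault servers key the result by path; older ones only return "capabilities".
// A "deny" anywhere in the list means no access at all.
function capabilitiesFor(body, path) {
  const caps = (body && (body[path] || body.capabilities)) || [];
  return caps.includes('deny') ? [] : caps;
}

// Performs both requests and feeds the results to chooseSecretView.
// fetchImpl is injectable (assumption for testability); defaults to global fetch.
async function resolveSecretView(vaultAddr, token, path, fetchImpl = fetch) {
  const headers = { 'X-Vault-Token': token, 'Content-Type': 'application/json' };
  const getResp = await fetchImpl(`${vaultAddr}/v1/${path}`, { headers });
  const capResp = await fetchImpl(`${vaultAddr}/v1/sys/capabilities-self`, {
    method: 'POST', headers, body: JSON.stringify({ paths: [path] }),
  });
  const caps = capResp.ok ? capabilitiesFor(await capResp.json(), path) : [];
  return chooseSecretView(getResp.status, caps);
}
```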
No worries. Thank you for your time ;) I personally do not require any ETA, I just know that you guys appreciate feedback and improvement suggestions, so I'm doing my best to help ;)
@msessa feel free to edit the subject of the issue to reflect what's going on more precisely. If you as a collaborator do not have access to edit the issue title but still would like to change it, please post your suggestion and I'll update it.