vault namespaces api syntax not consistent for HCP in Azure
Describe the bug

To Reproduce
Steps to reproduce the behavior:

```
curl -H "X-Vault-Token:${env:VAULT_TOKEN}" -X List "${env:VAULT_ADDR}/v1/sys/namespaces"
```

returns `{"errors":[]}`

Expected behavior

```
curl -H "X-Vault-Token:${env:VAULT_TOKEN}" -H "X-Vault-Namespace: /" -X List "${env:VAULT_ADDR}/v1/sys/namespaces"
```

should return JSON, but gets nothing.

Note: I tested that this syntax does return a value:

```
curl -H "X-Vault-Token:${env:VAULT_TOKEN}" -H "X-Vault-Namespace: admin" -X GET "${env:VAULT_ADDR}/v1/sys/namespaces?list=true"
```

Environment:
- Vault CLI Version (retrieve with `vault version`): Vault v1.12.2
- Vault server is HCP Azure (beta)
Could you add the -i option to your curl commands and re-run them? I think being able to see the response code and header information might make this easier to understand.
```
curl -H "X-Vault-Token:${env:VAULT_TOKEN}" -H "X-Vault-Namespace: /" -X List "${env:VAULT_ADDR}/v1/sys/namespaces" -i

HTTP/1.1 301 Moved Permanently
Cache-Control: no-store
Location: /v1/sys/namespaces
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Vault-Namespace: /
Date: Thu, 15 Dec 2022 23:23:01 GMT
Content-Length: 0
```

```
curl -H "X-Vault-Token:${env:VAULT_TOKEN}" -X List "${env:VAULT_ADDR}/v1/sys/namespaces" -i

HTTP/1.1 405 Method Not Allowed
Cache-Control: no-store
Content-Type: application/json
Strict-Transport-Security: max-age=31536000; includeSubDomains
Date: Thu, 15 Dec 2022 23:23:30 GMT
Content-Length: 14

{"errors":[]}
```

```
curl -H "X-Vault-Token:${env:VAULT_TOKEN}" -H "X-Vault-Namespace: /" "${env:VAULT_ADDR}/v1/sys/namespaces" -i

HTTP/1.1 301 Moved Permanently
Cache-Control: no-store
Content-Type: text/html; charset=utf-8
Location: /v1/sys/namespaces
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Vault-Namespace: /
Date: Thu, 15 Dec 2022 23:23:46 GMT
Content-Length: 53

Moved Permanently.
```

```
curl -H "X-Vault-Token:${env:VAULT_TOKEN}" -H "X-Vault-Namespace: admin" -X GET "${env:VAULT_ADDR}/v1/sys/namespaces?list=true" -i

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: application/json
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Vault-Namespace: admin
Date: Thu, 15 Dec 2022 23:24:43 GMT
Content-Length: 251

{"request_id":"c364efde-ec95-9147-a28a-b837377f5fd4","lease_id":"","renewable":false,"lease_duration":0,"data":{"key_info":{"ns1/":{"custom_metadata":{},"id":"6iAmj","path":"admin/ns1/"}},"keys":["ns1/"]},"wrap_info":null,"warnings":null,"auth":null}
```
If you're using the admin token, you will not be able to access anything within the root namespace within HCP Vault. This is why the admin namespace commands work, but not the root namespace commands. Please let me know if you have more questions.
https://developer.hashicorp.com/vault/tutorials/cloud-ops/hcp-vault-namespace-considerations#hcp-vault-admin-namespace
I was curious what was going on here, so I repeated these curl commands against a test non-HCP Vault instance. The same behaviours resulted, so it's not a HCP-specific issue.
https://www.rfc-editor.org/rfc/rfc9110.html#name-overview defines HTTP methods as case-sensitive, so Vault is justified in returning 405 Method Not Allowed, when a List method is attempted (should be LIST).
It is not ideal that Vault returns a 301 Moved Permanently, to the same URL as was requested, when the X-Vault-Namespace header contains more slash characters than it likes - this behaviour is likely a side effect of how the X-Vault-Namespace header value gets pasted into the effective request URL, and then caught by the Go HTTP server's default behaviour of redirecting to remove excess slash characters. In practice it is easy enough to avoid this trap, by not sending the X-Vault-Namespace: / header, which is never a valid value for that header.
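To see both failure modes from the comment above in isolation, here is an added Go example (not Vault's code and not from this thread): a tiny frontend that splices the X-Vault-Namespace value into the request path the way the comment hypothesises, so a header value of "/" produces repeated slashes and http.ServeMux's own 301 redirect, while the method string is matched case-sensitively so "List" gets a 405 and "LIST" succeeds. The splice rule, the `namespaceFrontend` handler and the `probe` helper are assumptions for illustration only.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// namespaceFrontend is a constructed stand-in for the behaviour described in
// the thread, not Vault's code: the X-Vault-Namespace value is spliced into
// the path after /v1/, and Go's http.ServeMux then 301-redirects any path
// containing repeated slashes to its cleaned form. Method names are compared
// case-sensitively, so "List" is rejected while "LIST" is served.
func namespaceFrontend() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/v1/", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		isList := r.Method == "LIST" ||
			(r.Method == http.MethodGet && r.URL.Query().Get("list") == "true")
		if !isList {
			w.WriteHeader(http.StatusMethodNotAllowed)
			fmt.Fprint(w, `{"errors":[]}`)
			return
		}
		fmt.Fprint(w, `{"data":{"keys":["ns1/"]}}`) // constructed sample body
	})
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Simplified splice (assumption): /v1/<rest> becomes /v1/<ns>/<rest>.
		// A header value of "/" therefore yields /v1///sys/namespaces.
		if ns := strings.TrimSpace(r.Header.Get("X-Vault-Namespace")); ns != "" {
			rest := strings.TrimPrefix(r.URL.Path, "/v1/")
			r.URL.Path = "/v1/" + ns + "/" + rest
		}
		mux.ServeHTTP(w, r) // ServeMux cleans the path and redirects if it changed
	})
}

// probe sends one request through the frontend and reports the status code
// and Location header, mirroring what curl -i showed in the thread.
func probe(method, namespace, target string) (int, string) {
	req := httptest.NewRequest(method, target, nil)
	if namespace != "" {
		req.Header.Set("X-Vault-Namespace", namespace)
	}
	rec := httptest.NewRecorder()
	namespaceFrontend().ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Location")
}
```

Calling `probe("List", "/", "/v1/sys/namespaces")` returns 301 with Location `/v1/sys/namespaces`, the same self-referential redirect seen in the curl output, and `probe("List", "", ...)` returns 405.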
I figured out the correct syntax for curl:

```
curl -H "X-Vault-Token:${env:VAULT_TOKEN}" -H "X-Vault-Namespace: admin" -X LIST "${env:VAULT_ADDR}/v1/sys/namespaces"
```

It would be nice if the API provided an option to output all nested namespaces in one call.
Thanks @hsimon-hashicorp & @mpalmi