
Vault-UI displaying secrets that suppose to be denied by ACL permissions(KV V1/V2) #4335

Closed · Zvikan opened this issue Apr 11, 2018 · 10 comments


Zvikan commented Apr 11, 2018

Environment:

  • Vault Version: 0.10
  • Operating System/Architecture: macOS 10.13.3

Vault Config File:

Running server as -dev

Expected Behavior:

Vault-UI should deny the user access to a specific path according to the policy that is associated with the user.

Actual Behavior:

The user can see passwords on the denied path.

Steps to Reproduce:

Run the Vault server with -dev.

  1. Create the following policy in Vault-UI:

```hcl
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "kv/foo" {
  capabilities = ["deny"]
}
path "sys/mounts" {
  capabilities = ["list", "read"]
}
```

  2. Create a new KV (V1) secrets engine in Vault-UI (with the name kv).
  3. Create two different paths under "kv": "foo" and "test". On each path (kv/foo and kv/test) add some secrets.
  4. Create a user/password with the policy from step 1 via the Vault CLI and log in with the new user/password via the Vault CLI.
  5. Test reading secrets (via the Vault CLI) from kv/test (you'll be able to) and from kv/foo (you'll get a denied message).
  6. Log in with the user/password through Vault-UI -> go to "Secrets" and then to "kv", and try to enter "foo", which should be forbidden with a proper "access denied" message, but you'll be able to see the secrets.

Important Factoids:

A note I should add is that I was not able to configure an ACL so that a user can't see all paths under the "Secrets" page but only specific paths; following the documentation it didn't work either (might be another issue; if you agree with me I'll open another issue with a full description of how to reproduce).
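An added check, not from the issue or the Vault project: it asks Vault's sys/capabilities-self endpoint what the token actually holds on kv/foo and kv/test and compares that with the policy's intent, so a CLI/UI mismatch like the one above can be pinned on which token each client uses. It assumes the truncated first policy stanza grants read on kv/test, and that VAULT_ADDR and VAULT_TOKEN are set to the same token the UI session logged in with.

```python
import json
import os
import urllib.request

# Constructed expectation from the issue's policy. The first stanza is cut off
# on the page; the assumption here is that it grants at least read on kv/test.
EXPECTED = {
    "kv/test": {"read"},
    "kv/foo": {"deny"},
}


def query_capabilities(addr, token, paths):
    """Ask Vault which capabilities TOKEN has on PATHS (sys/capabilities-self).
    The response's data object carries one key per requested path."""
    req = urllib.request.Request(
        f"{addr}/v1/sys/capabilities-self",
        data=json.dumps({"paths": paths}).encode(),
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["data"]


def check_acl(data, expected):
    """Compare Vault's answer to the expectation and return a list of mismatches.
    A path expected to be denied must report exactly ["deny"]; an allowed path
    must carry every expected capability and must not carry "deny"."""
    problems = []
    for path, want in expected.items():
        got = set(data.get(path, []))
        if "deny" in want and got != {"deny"}:
            problems.append(f"{path}: expected deny, got {sorted(got)}")
        elif "deny" not in want and ("deny" in got or not want <= got):
            problems.append(f"{path}: expected {sorted(want)}, got {sorted(got)}")
    return problems


if __name__ == "__main__":
    addr = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")
    token = os.environ["VAULT_TOKEN"]  # token of the user created in step 4
    observed = query_capabilities(addr, token, list(EXPECTED))
    for line in check_acl(observed, EXPECTED) or ["ACL matches the policy"]:
        print(line)
```

Run it once with the token from `vault login` and once with the token the browser session holds; if only the latter lacks "deny" on kv/foo, the UI is authenticating as something other than the user you expect.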

@Zvikan Zvikan changed the title Vault-UI displaying denied ACL permissions(KV V1/V2) Vault-UI displaying secrets that suppose to be denied by ACL permissions(KV V1/V2) Apr 11, 2018
@jefferai (Member)

The UI is just an API client. It can't display values that the token does not give it access to. This seems like the token being used by the UI is not the one you are expecting (whether due to user error or a UI bug).

@rocktavious

I am also seeing this after upgrading to Vault 0.10.0 (public Docker image): my users (logging in via LDAP) are not able to read their secrets via the UI but can just fine via the command line (also logging in via LDAP).

Let me know what information you might need to debug this further.


fraajad commented Apr 24, 2018

I'm also experiencing issues where Vault CLI and Vault UI permissions are not in sync. The most glaring is that Vault UI cannot retrieve creds from aws/creds/role-name without having update permission to that path (in addition to the usual read permission).

@rocktavious

@jefferai or @meirish can we get the public Docker image updated to 0.10.1? I'd like to test out the fix since the PR is merged and Vault 0.10.1 is released, but the public Docker image is not updated :(

meirish (Contributor) commented Apr 26, 2018

@rocktavious sorry about that! Got a PR in to get it updated: docker-library/official-images#4294


mohkum commented May 17, 2018

@meirish I am also facing the same issue, where a deny policy permission is not working through the UI but is working from the CLI.
Do we have any solution to this issue?

@jpancoast-kenzan

@mohkum 0.10.1 seems to have fixed the problem for us.


mohkum commented May 17, 2018

Thanks a lot @jpancoast-kenzan
I will try 0.10.1


mohkum commented May 17, 2018

Thanks @jpancoast-kenzan ... the issue is resolved for me with 0.10.1

meirish (Contributor) commented May 18, 2018

I missed closing this when we merged the fix (#4393); sorry about that. Going to close now!

@meirish meirish closed this as completed May 18, 2018