Vault-UI displaying secrets that are supposed to be denied by ACL permissions (KV V1/V2) #4335
Comments
The UI is just an API client. It can't display values that the token does not give it access to. This seems like the token being used by the UI is not the one you are expecting (whether due to user error or a UI bug).
I also am seeing this after upgrading to vault 0.10.0 (public docker image) and having my users (via ldap login) not able to read their secrets via the UI but can just fine via the commandline (also login via ldap). Let me know what information you might need to debug this further.
I'm also experiencing issues where Vault CLI and Vault UI permissions are not in sync. The most glaring is that Vault UI cannot retrieve creds from aws/creds/role-name without having update permission to that path (in addition to the usual read permission).
@rocktavious sorry about that! got a PR in to get it updated: docker-library/official-images#4294
@meirish I am also facing the same issue where deny policy permission is not working through UI but working from CLI.
@mohkum 0.10.1 seems to have fixed the problem for us.
thanks a lot @jpancoast-kenzan
thanks @jpancoast-kenzan ... issue is resolved for me with 0.10.1
I missed closing this when we merged the fix (#4393) - Sorry about that. Going to close now!
Environment:
Vault Config File:
Running server as -dev
Expected Behavior:
Vault-UI should deny the user access to a specific path configured in the policy that is associated with it.
Actual Behavior:
The user can see passwords on the denied path
Steps to Reproduce:
Run vault server as -dev
On each of the paths (kv/foo and kv/test) add some secrets
Important Factoids:
A note I should add is that I was not able to configure ACL so that a user won't be able to see all paths under the "Secrets" page but only specific paths; according to the documentation, it didn't work as well (might be another issue - if you agree with me I'll open another issue with a full description of how to reproduce)