Allow empty principals / allow_empty_principals state not visible as expected #28883

Closed
jhrcz-ls opened this issue Nov 12, 2024 · 1 comment · Fixed by #28901
Comments


jhrcz-ls commented Nov 12, 2024

When I create an SSH engine and enable SSH host key signing, there is a possibility to allow empty principals (should be allow_empty_principals in the API).

This option is configurable via the web UI, but in that case the current state is not visible. It is always shown as disabled. The only moment when it is shown as enabled is directly after submitting the settings with this option enabled. After a page reload/relogin/etc. and going back, it is again grey/disabled.

But it is in effect active.

The most annoying part is that saving the settings without checking this option again (when it is active at that moment) effectively disables it.

In the API/CLI part, it is even more weird.

$ cat d.json 
{
    "algorithm_signer": "default",
    "allow_bare_domains": false,
    "allow_host_certificates": true,
    "allow_subdomains": false,
    "allow_user_certificates": false,
    "allow_user_key_ids": false,
    "allowed_critical_options": "",
    "allowed_domains": "localdomain,localhost",
    "allowed_domains_template": false,
    "allowed_extensions": "",
    "allowed_user_key_lengths": {},
    "allowed_users": "",
    "allowed_users_template": false,
    "default_critical_options": {},
    "default_extensions": {},
    "default_extensions_template": false,
    "default_user": "",
    "default_user_template": false,
    "key_id_format": "",
    "key_type": "ca",
    "max_ttl": 0,
    "not_before_duration": 30,
    "ttl": 0,
    "allow_empty_principals": true
}

$ vault write -format=json ssh/roles/r - < d.json

$ vault read -format=json ssh/roles/r
{
  "request_id": "d706d731-02b6-3859-c2d3-ce64205e96f7",
  "lease_id": "",
  "lease_duration": 0,
  "renewable": false,
  "data": {
    "algorithm_signer": "default",
    "allow_bare_domains": false,
    "allow_host_certificates": true,
    "allow_subdomains": false,
    "allow_user_certificates": false,
    "allow_user_key_ids": false,
    "allowed_critical_options": "",
    "allowed_domains": "localdomain,localhost",
    "allowed_domains_template": false,
    "allowed_extensions": "",
    "allowed_user_key_lengths": {},
    "allowed_users": "",
    "allowed_users_template": false,
    "default_critical_options": {},
    "default_extensions": {},
    "default_extensions_template": false,
    "default_user": "",
    "default_user_template": false,
    "key_id_format": "",
    "key_type": "ca",
    "max_ttl": 0,
    "not_before_duration": 30,
    "ttl": 0
  },
  "warnings": null,
  "mount_type": "ssh"
}

... as you can see, it is not present in the output.

I am able to replicate this behaviour with Vault running in a container in dev mode.

This behaviour is replicated the same way on versions 1.17.6 and 1.18.2.
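A round-trip check for the behaviour described in the report above, written as an added example that is not part of this issue or of the Vault project. It diffs the role definition you submitted against the `data` object that `vault read` returns, and then simulates writing that read-back verbatim, which is the read-modify-write a UI form (or an automation script that reads, edits and writes) effectively performs, so a field that Vault drops from the response shows up as a setting that a re-save would silently flip. The sample role and read-back are constructed from the JSON in the report (the read-back is the same document with allow_empty_principals removed). The `fetch_role` helper assumes the documented `GET /v1/<mount>/roles/<name>` endpoint and the usual `VAULT_ADDR` / `VAULT_TOKEN` environment; the write-time defaults table and the `VAULT_SSH_ROLE` environment variable are assumptions of this example, not part of Vault.

```python
"""Round-trip check for Vault SSH role settings (added example, not Vault code).

Compares the role definition you submitted with the `data` object that
`vault read` / GET /v1/<mount>/roles/<name> returns, reports fields that were
silently dropped, and simulates re-saving the read-back verbatim, which is
what a UI form or a read-modify-write script does.
"""
import json
import os
import urllib.request

# Assumed write-time defaults for the security-relevant booleans: Vault applies
# these when a field is omitted from the write payload. allow_empty_principals
# defaults to false in current Vault documentation (assumption, see lead-in).
WRITE_DEFAULTS = {
    "allow_empty_principals": False,
    "allow_host_certificates": False,
    "allow_user_certificates": False,
}

# Constructed from the issue's d.json: the role exactly as submitted.
SUBMITTED = {
    "algorithm_signer": "default", "allow_bare_domains": False,
    "allow_host_certificates": True, "allow_subdomains": False,
    "allow_user_certificates": False, "allow_user_key_ids": False,
    "allowed_critical_options": "", "allowed_domains": "localdomain,localhost",
    "allowed_domains_template": False, "allowed_extensions": "",
    "allowed_user_key_lengths": {}, "allowed_users": "",
    "allowed_users_template": False, "default_critical_options": {},
    "default_extensions": {}, "default_extensions_template": False,
    "default_user": "", "default_user_template": False, "key_id_format": "",
    "key_type": "ca", "max_ttl": 0, "not_before_duration": 30, "ttl": 0,
    "allow_empty_principals": True,
}

# Constructed from the issue's `vault read` output: identical to the submitted
# role except that allow_empty_principals is missing from the response.
READBACK_DATA = {k: v for k, v in SUBMITTED.items()
                 if k != "allow_empty_principals"}


def dropped_fields(submitted, readback_data):
    """Fields that were submitted but do not appear in the read-back at all."""
    return {k: v for k, v in submitted.items() if k not in readback_data}


def drifted_fields(submitted, readback_data):
    """Fields present in both documents whose values differ."""
    return {k: (v, readback_data[k]) for k, v in submitted.items()
            if k in readback_data and readback_data[k] != v}


def resave_changes(submitted, readback_data, defaults=WRITE_DEFAULTS):
    """Simulate writing the read-back data back unchanged.

    A field absent from the read-back is absent from the re-save payload too,
    so Vault applies its default. Returns {field: (submitted, after_resave)}
    for every field whose effective value would change; a field with no known
    default maps to None, meaning the outcome cannot be predicted offline.
    """
    changes = {}
    for field, wanted in submitted.items():
        after = readback_data.get(field, defaults.get(field))
        if after != wanted:
            changes[field] = (wanted, after)
    return changes


def verify_role(submitted, readback_data):
    """Full report; `ok` is True only when nothing was dropped or drifted and
    a verbatim re-save would leave every submitted setting intact."""
    report = {
        "dropped": dropped_fields(submitted, readback_data),
        "drifted": drifted_fields(submitted, readback_data),
        "resave_changes": resave_changes(submitted, readback_data),
    }
    report["ok"] = not any(
        (report["dropped"], report["drifted"], report["resave_changes"]))
    return report


def fetch_role(mount, name):
    """Read a role over the HTTP API using VAULT_ADDR / VAULT_TOKEN, like the CLI."""
    addr = os.environ["VAULT_ADDR"].rstrip("/")
    req = urllib.request.Request(
        f"{addr}/v1/{mount}/roles/{name}",
        headers={"X-Vault-Token": os.environ["VAULT_TOKEN"]},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["data"]


if __name__ == "__main__":
    # Offline run against the constructed samples; set VAULT_SSH_ROLE=ssh/r
    # (assumed variable, mount/role) to check a live server instead.
    readback = READBACK_DATA
    if "VAULT_SSH_ROLE" in os.environ:
        mount, name = os.environ["VAULT_SSH_ROLE"].split("/", 1)
        readback = fetch_role(mount, name)
    print(json.dumps(verify_role(SUBMITTED, readback), indent=2))
```

On the constructed sample the report lists allow_empty_principals under both `dropped` and `resave_changes` (True becomes False), which is the "saving again disables it" effect from the report; a role whose read-back echoes every submitted field comes back with `ok` true. The check is worth keeping in a deployment pipeline even after the fix, since any security-relevant boolean that a read endpoint omits will be reset to its default by the next read-modify-write.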

@stevendpclark (Contributor)

Thanks for reporting the issue @jhrcz-ls. It should be resolved in the next round of Vault releases. Addressing the missing field in the read API response resolved the issues in the UI side.
