Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support token.metadata.<key> in ACL templates #13715

Closed

Conversation

remilapeyre
Copy link
Contributor

We have a Vault Enterprise client that is using Sentinel for two
applications. What they need to do with Sentinel is quite simple and
could be done much more easily by using ACL templates if they supported
injecting a token's metadata. That would be more readable than a large
Sentinel script and make it much easier to onboard operators that need
to make changes to those applications.

We have a Vault Enterprise client that is using Sentinel for two
applications. What they need to do with Sentinel is quite simple and
could be done much more easily by using ACL templates if they supported
injecting a token's metadata. That would be more readable than a large
Sentinel script and make it much easier to onboard operators that need
to make changes to those applications.
@vercel vercel bot temporarily deployed to Preview – vault-storybook January 19, 2022 21:29 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook January 19, 2022 21:31 Inactive
@ncabatoff
Copy link
Collaborator

Hi Remi,

We've had to say "no" to template-token-metadata requests many times I'm afraid, most recently in #10682. Excerpted:

We view this change as dangerous, since a user can create child tokens with whatever arbitrary metadata they like. This means policy templating using token metadata is vulnerable to any attacker who's aware of what policies are in use. I expect that you could come up with safeguards in your environment to protect against this (e.g. not granting access to the create token endpoints), but we as vault devs have to be vigilant against introducing features that allow for insecure by default behaviour.

Can you use identity metadata instead for your use case?

@remilapeyre
Copy link
Contributor Author

We view this change as dangerous, since a user can create child tokens with whatever arbitrary metadata they like.

Wow, indeed I completely missed this. I suppose implementing this feature like this is a no go then.

Can you use identity metadata instead for your use case?

In our case we can't use entities because of the way Vault Enterprise is priced, doing this would add thousands of entities.

Perhaps their could be some way to do this by adding a new field to TokenEntry that would not suffer the same issue and be inherited when creating a child token, let's call it attributes as an example.

Just like you need to be root to set orphan on auth/token/create, you would need to be root to set this new attribute.
This new attribute would always be copied verbatim to child tokens, only root could overwrite it.

In auth/token/roles/:role_name there could be a new allow_custom_attributes that would make it possible for a non-root application to generate tokens with the data it needs.

This could make this feature work, root would be able to create tokens with whatever attributes it wants, normal users would not be able to add or remove entries in attributes by creating child token as it would always be copied and applications needing special rights to generate token with custom attributes could do it by using a token role.

It seems to me that this could be secure, after all an application that can make changes to auth/token/roles/:role_name can already get full access to Vault by choosing the permission they get and generate root tokens.

If you think that it's worth it to try something like that I can propose a better patch to explore things out and fix the shortcomings of this one, otherwise we can close this PR.

@UXabre
Copy link

UXabre commented Nov 16, 2022

Sorry for replying on an older PR but I was browsing to see if others came up with new insights in the subject.

I'll go ahead and link this topic as I think it offers a similar solution as what you describe. TL;DR just as you propose, we need to "prove" the data to be authorative and not "arbitrary".

@mladlow
Copy link
Collaborator

mladlow commented Aug 23, 2023

Hey @remilapeyre ,

We discussed this a little more internally. Identity metadata should allow users to template ACL policies while using a unique identity for each application, service, or user that needs to authenticate to a cluster. At this time we don't want to add a new mechanism for ACL templating.

@mladlow mladlow closed this Aug 23, 2023
@celesteking
Copy link

Wow, indeed I completely missed this. I suppose implementing this feature like this is a no go then.

It's not your fault, it's Hashicorp's and they don't want to admit the mistake.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants