Vault Control Group Authorisations Failing across Namespaces

Avatar
Laura Buckley
  • Updated

Introduction

Control Groups add additional authorization elements to Vault ACL policies so that additional authorization requirements need to be met before satisfying a request.

When Control Groups have been specified in an ACL policy, and are required for a request, a limited-duration response wrapping token is returned to the user making the request instead of the requested data. The accessor of the response wrapping token must be provided to the authorizers, as specified in the Control Group policy.  Once all authorizations are satisfied, the wrapping token can be used to unwrap and process the original request.


Problem

When making use of Control Groups in a Vault environment configured with Namespaces, the authorization process may fail.  If the authorization process is done using the CLI, the approved key value remains as false.

$ vault write sys/control-group/request accessor=$WRAPPING_ACCESSOR
Key Value
--- -----
approved false
authorizations <nil>
request_entity map[id:eb8e6112-94f9-xxxx-xxxx-xxxxx name:entity_4axxxxx]
request_path kv/foo

If the authorization process is done using the GUI, it is falsely reported that the authorization was successful when indeed it was not.


Prerequisites

  • Vault Enterprise Plus License
  • Vault Enterprise 1.8.0+ent or newer


Cause

An example of a typical ACL Policy that has Control Groups defined:

path "namespace/kv/*" {
  capabilities = ["read"]
  control_group = {
    factor "admin-controlled" {
       identity {
           group_names = ["admin-group"]
           approvals = 1
    }   
   }
  }
}
With the above Control Group ACL policy the authorization process will fail as described in the Problem section.  The underlying cause for this is due to the fact that Group Names are not unique across Namespaces. 

Overview of possible solutions

Solution:

Identify the id of the group you wish to use as a Control Group in an ACL Policy.

$ vault read identity/group/name/admin-group
Key Value
--- -----
alias map[]
creation_time 2023-06-05T10:33:49.237617084Z
id 3baffe5b-6136-1d67-6ab2-d9b7b93axxxx
last_update_time 2023-06-05T10:39:34.039805117Z
member_entity_ids [09f793b6-1b8b-b1b0-51af-9140cxxxx]
member_group_ids <nil>
metadata <nil>
modify_index 12
name admin-group
namespace_id root
parent_group_ids <nil>
policies [approver]
type internal

 

Edit the ACL Policy and instead of using group_names , use group_ids

path "namespace/kv/*" {
  capabilities = ["read"]
  control_group = {
    factor "admin-controlled" {
      identity {
        group_ids = ["3baffe5b-6136-1d67-6ab2-d9b7b93axxxx"]
        approvals = 1
    } 
   }
  }
}

 

Outcome

The authorization process will now be completed successfully.

Additional Information

 

 

Articles in this section

Related articles