Introduction:
Organizations may require a policy that prevents Vault users from creating ACL policies granting access to all paths (path "*"). This document outlines the Sentinel logic needed to implement such a restriction.
Prerequisites:
Vault Enterprise license with Sentinel module
Required permissions to write Sentinel (EGP) policies
Important Note:
This article demonstrates that Sentinel can be used to disallow "*"-based paths in ACL policies. If such a restriction is to be implemented in a Vault environment, the Sentinel policy has to be developed according to the needs of the organisation.
This example will fail if the policy syntax varies from what the Sentinel code checks for. Some example situations where it will fail:
- There are additional spaces at the beginning of the policy content.
- The path "*" stanza is placed in the middle of the policy file/content rather than at the start.
For implementing conditional checks in Sentinel policies, please refer to the official Sentinel documentation.
Steps to create policy:
1:- Draft the Sentinel policy using the vi or nano editor and save it as path.sentinel.
import "strings"

# Only evaluate on policy writes (create or update of an ACL policy).
precond = rule {
    request.operation in ["create", "update"]
}

path_match = func() {
    # Deny the write when the submitted ACL policy text begins with a stanza
    # for the root wildcard path "*". Only a bare "*" is checked, and only as
    # a prefix of the policy text (see the Important Note above).
    if strings.has_prefix(request.data.policy, "path \"*\"") {
        return false
    }
    return true
}

main = rule when precond {
    path_match()
}
2:- Store the Base64-encoded policy in the POLICY environment variable.
POLICY=$(base64 -i path.sentinel)
3:- Write the policy to the Vault EGP endpoint, scoped to the ACL policy paths, with a hard-mandatory enforcement level.
vault write sys/policies/egp/path-check paths="sys/policies/acl/*" policy="${POLICY}" enforcement_level="hard-mandatory"
4:- When a user attempts to write an ACL policy that permits access to all paths (path "*"), the write operation will fail.
vault policy write demo30 test.hcl
Error uploading policy: Error making API request.
URL: PUT http://x.x.x.x:8200/v1/sys/policies/acl/demo30
Code: 403. Errors:
* 2 errors occurred:
* egp standard policy "root/path-check" evaluation resulted in denial.
The specific error was:
<nil>
A trace of the execution for policy "root/path-check" is available:
Result: false
Description: <none>
Rule "main" (root/path-check:15:1) = false
Rule "precond" (root/path-check:4:1) = true
* permission denied
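The two failure cases listed under Important Note (leading spaces, and the path "*" stanza placed mid-file) come from checking only the prefix of the policy text. The following is an added example, not code from the article or from Vault, written in Python so it runs stand-alone: it models the article's prefix check next to a stanza-aware check that tolerates whitespace, position and line comments. The sample policies and function names are constructed for illustration.

```python
import re

# Header of an HCL path stanza, e.g.  path "secret/*" {  (leading whitespace allowed).
_STANZA = re.compile(r'^[ \t]*path[ \t]+"(?P<name>[^"]*)"[ \t]*\{', re.MULTILINE)
# Full-line HCL comments (# or //); these must not count as stanzas.
_COMMENT = re.compile(r'^[ \t]*(#|//).*$', re.MULTILINE)


def article_prefix_check(policy_text: str) -> bool:
    """Model of the Sentinel has_prefix check: allowed unless the text starts with path "*"."""
    return not policy_text.startswith('path "*"')


def wildcard_stanza_lines(policy_text: str) -> list:
    """1-based line numbers of stanzas whose path is exactly "*" (a bare root wildcard)."""
    # Blank out comment text but keep the newlines so line numbers stay correct.
    cleaned = _COMMENT.sub("", policy_text)
    return [cleaned.count("\n", 0, m.start()) + 1
            for m in _STANZA.finditer(cleaned)
            if m.group("name") == "*"]


def acl_policy_allowed(policy_text: str) -> bool:
    """Decision the EGP policy should reach: deny when any root-wildcard stanza exists."""
    return not wildcard_stanza_lines(policy_text)


# Constructed sample ACL policies (not from the article).
LEADING_SPACES = '   path "*" {\n  capabilities = ["read"]\n}\n'
MID_FILE = ('path "secret/data/app" {\n  capabilities = ["read"]\n}\n\n'
            'path "*" {\n  capabilities = ["sudo"]\n}\n')
SCOPED_WILDCARD = 'path "secret/*" {\n  capabilities = ["list"]\n}\n'
COMMENTED_OUT = '# path "*" {\npath "kv/app" {\n  capabilities = ["read"]\n}\n'

if __name__ == "__main__":
    samples = [("leading_spaces", LEADING_SPACES), ("mid_file", MID_FILE),
               ("scoped_wildcard", SCOPED_WILDCARD), ("commented_out", COMMENTED_OUT)]
    for label, text in samples:
        print(f"{label:16} prefix_check={article_prefix_check(text)!s:5} "
              f"stanza_check={acl_policy_allowed(text)!s:5} "
              f"wildcard_lines={wildcard_stanza_lines(text)}")
```

Running it shows the prefix check allowing both failure cases while the stanza-aware check denies them and still allows a scoped wildcard such as "secret/*".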