Overview
When login MFA is configured, it is enforced through the Identity secrets engine. Because a login-enforcement rule is neither a group nor an entity, it is not bound to the namespace in which it is configured, so it can also apply to child namespaces.
As an example, consider that the userpass auth method has been enabled in both the root namespace and the child namespace testing, and the following enforcement rule has been written in root:
$ vault write identity/mfa/login-enforcement/enforce-mfa mfa_method_ids=5080230a-2223-debe-fb6e-7621ec03f459 auth_method_types=userpass
Because the auth_method_types option was used to identify the auth method, and the enforcement is not bound to a namespace, every auth method of type userpass in every child namespace (including testing) has the MFA enforcement applied.
To scope the enforcement to a single namespace, identify the auth method explicitly by its accessor (or a list of accessors) with the auth_method_accessors option, as in the following example. Note that an accessor-scoped rule covers only the mounts whose accessors you list: a userpass mount enabled later, in this or any child namespace, gets a new accessor and is not covered until that accessor is added to the rule.
Set up the MFA method
$ vault write identity/mfa/method/totp issuer=vault period=30 key_size=30 algorithm=SHA256 digits=6 max_validation_attempts=5
Key          Value
---          -----
method_id    1dacd626-ddbb-9001-0c4a-fa1738a9e0d0
Get the auth method accessors
$ vault auth list -detailed
Path         Plugin      Accessor                  Default TTL    Max TTL    Token Type         Replication    Seal Wrap    External Entropy Access    Options    Description                UUID
----         ------      --------                  -----------    -------    ----------         -----------    ---------    -----------------------    -------    -----------                ----
token/       token       auth_token_1022db8e       system         system     default-service    replicated     false        false                      map[]      token based credentials    04bea032-51f8-c734-ea42-784e51c84287
userpass/    userpass    auth_userpass_3c4be005    system         system     default-service    replicated     false        false                      map[]      n/a                        0584e8a4-b5a6-66db-7a2b-ef0fc658ee3e
Write the enforcement rule
$ vault write identity/mfa/login-enforcement/enforce-mfa mfa_method_ids=1dacd626-ddbb-9001-0c4a-fa1738a9e0d0 auth_method_accessors=auth_userpass_3c4be005
Success! Data written to: identity/mfa/login-enforcement/enforce-mfa
Note: auth_method_accessors also accepts multiple values, so one rule can cover several auth mounts in the same namespace, e.g. via the HTTP API:
curl -X PUT -H "X-Vault-Request: true" -H "X-Vault-Token: $(vault print token)" -d '{"auth_method_accessors":["auth_userpass_a32ab964","auth_userpass_3c4be005"],"mfa_method_ids":"1dacd626-ddbb-9001-0c4a-fa1738a9e0d0"}' https://localhost:8200/v1/identity/mfa/login-enforcement/enforce-mfa
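The steps above (list the mounts, pick the accessors, write an accessor-bound rule, check that no type-wide selector slipped in) are easy to get wrong by hand when a namespace has several mounts. The script below is an added example, not code from the original article or from Vault itself. It assumes the JSON shape of vault auth list -format=json (a map of mount path to mount info with "type" and "accessor" keys) and of a read-back of the rule via vault read -format=json identity/mfa/login-enforcement/enforce-mfa (fields auth_method_accessors, auth_method_types, identity_entity_ids, identity_group_ids, mfa_method_ids). The sample mount listing is constructed from the table above; the helper names are this example's own.

```python
"""Build a namespace-scoped Vault login-MFA enforcement from `vault auth list` output.

Added example, not part of the original article or of Vault. Assumed inputs:
the JSON of `vault auth list -format=json` and of
`vault read -format=json identity/mfa/login-enforcement/<name>`.
"""
import json

# Constructed sample of `vault auth list -format=json` for the namespace in the
# article (token/ and userpass/ mounts). Only "type" and "accessor" are used.
AUTH_LIST_JSON = """
{
  "token/":    {"type": "token",    "accessor": "auth_token_1022db8e",
                "description": "token based credentials"},
  "userpass/": {"type": "userpass", "accessor": "auth_userpass_3c4be005",
                "description": "n/a"}
}
"""

MFA_METHOD_ID = "1dacd626-ddbb-9001-0c4a-fa1738a9e0d0"  # TOTP method from the article


def accessors_for_type(auth_list_json: str, auth_type: str) -> list[str]:
    """Accessors of every mount of `auth_type` in the namespace the listing came from.

    Accessors are unique per mount, so binding a rule to them cannot spill into
    child namespaces the way auth_method_types does."""
    mounts = json.loads(auth_list_json)
    return sorted(info["accessor"] for info in mounts.values()
                  if info.get("type") == auth_type)


def enforcement_payload(accessors: list[str], mfa_method_id: str) -> dict:
    """Request body for PUT/POST identity/mfa/login-enforcement/<name>."""
    if not accessors:
        # An empty accessor list would silently enforce nothing; fail loudly instead.
        raise ValueError("no accessors found: refusing to write an empty enforcement")
    return {"auth_method_accessors": accessors, "mfa_method_ids": [mfa_method_id]}


def scope_problems(enforcement: dict) -> list[str]:
    """Audit a read-back rule; an empty list means the scope is as intended."""
    findings = []
    if enforcement.get("auth_method_types"):
        findings.append("auth_method_types is set: the rule applies to every mount "
                        "of that type, including mounts in child namespaces")
    selectors = ("auth_method_accessors", "auth_method_types",
                 "identity_entity_ids", "identity_group_ids")
    if not any(enforcement.get(k) for k in selectors):
        findings.append("no target selector: enforcement matches nothing")
    return findings


def vault_write_command(name: str, payload: dict) -> str:
    """CLI equivalent of the payload. Assumption: comma-separated values are
    accepted for these list fields, as they are for other comma-string-slice
    parameters taken by `vault write`."""
    args = " ".join(f"{k}={','.join(v)}" for k, v in payload.items())
    return f"vault write identity/mfa/login-enforcement/{name} {args}"


if __name__ == "__main__":
    accs = accessors_for_type(AUTH_LIST_JSON, "userpass")
    body = enforcement_payload(accs, MFA_METHOD_ID)
    print(json.dumps(body))
    print(vault_write_command("enforce-mfa", body))
    # Constructed read-back of the type-bound rule from the first example above.
    leaky = {"name": "enforce-mfa", "auth_method_types": ["userpass"],
             "auth_method_accessors": [], "mfa_method_ids": [MFA_METHOD_ID]}
    for finding in scope_problems(leaky):
        print("WARNING:", finding)
```

After writing the rule, read it back with vault read -format=json identity/mfa/login-enforcement/enforce-mfa and pass the "data" object to scope_problems(); any non-empty auth_method_types means the rule still reaches child namespaces. Re-run accessors_for_type() after enabling a new mount, since that mount's accessor must be added to the rule by hand.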
Additional Information: