Allow globbing dis/allowed_policies in token roles (with caveat) #5815
Conversation
* Add strutil functions to support glob comparisons and removals * Add logic to token grants to parse allowed_policies and disallowed_policies as potential globs * Also, filter out globs when granting default policies to a token
|
Yeah it's unfortunate that policies allow basically any character but backwards compat makes things difficult. But it's a broad brush so that people can use policy names in e.g. native languages. One way around it would be to add specific options for allowed_globbed_policies. Or, a flag on the role to control it. Another way might be to simply stop allowing * in policy names. It seems reasonable, but we'd have to figure out the upgrade story. |
|
|
|
Was there anything blocking this from being merged if it was updated to have a allowed_globbed_policies flag on the role to enable the new functionality? I've ran into this using Vault with Nomad and this PR seems like it would suit my requirements nicely. Happy to fork the fork and implement the allowed_globbed_policies on top of this if @daveadams doesn't have the time. |
|
@nvx, I can't speak for Hashicorp, but I would definitely still love to have this functionality. We figured out a workaround but it depends on a very specific Vault setup (specifically: Vault must use the Consul KV backend, which we then set a watch on the policy/nomad prefix, and use that to trigger a script which can update the policy list on the nomad master role when the list of nomad-prefixed policies is updated--this all runs in Nomad, of course! 😆 ), and having a static config instead of a relatively fragile triggered update would be way better. So if you are up for adding the necessary flags, feel free to make your own fork here, because alas I don't have the time to dig back into this anytime soon. |
|
A fork of this PR that implements the requested changes has been merged in #7277, hence closing out this PR. |
This patch will allow for using
*in token roleallowed_policiesanddisallowed_policiesattributes to meet the use case described in #3756. For example, I'd like to create a role to allow nomad to create tokens for jobs, but rather than maintaining a long list of allowed policies, I would like to just match against a prefix, egnomad-job-*.HOWEVER, while I was writing the tests I discovered a rather large caveat to the very idea of this patch: Currently
*is a legal character in policy names in Vault. So it's possible to have a policy named literallynomad-job-*or*hello*etc.Since it's possible, I assume such policies do exist. And so, I don't think this patch is safe to merge as-is. But since I did the work, I'm going to go ahead and submit it as an artifact.