This repository has been archived by the owner on Apr 4, 2023. It is now read-only.

Group Mapping Module not supporting multiple admin groups #15

Closed
ralfrebsamen opened this issue Aug 26, 2022 · 2 comments · Fixed by #17
Labels
bug Something isn't working

Comments


ralfrebsamen commented Aug 26, 2022

# For each Admin group, create internal group inside the customer namespace

Hey @in0rdr

Unfortunately this is not going to work: If you put another group into groups.yaml with access/admin to the same namespace like testgroup2

---

groups:
  testgroup:
    namespaces:
      tenant: {}
      tenant2: {}
      tenant3: {}
    metadata:
      owner: foo@bar.com
      cost_center: FooBar
  testgroup2:
    namespaces:
      tenant: {}
    metadata:
      owner: foo2@bar.com

it will break with ... reason=group already exists with path .... I wonder if you can fix this or if you are forced to wait for this feature to get implemented: hashicorp/terraform-provider-vault#1371


in0rdr commented Aug 26, 2022

Yes, I can confirm that behavior. This code here is not built to handle these cases. It only supports 1:1 mapping of AD groups to Vault namespaces.

An external mapping with a "foreign key" is needed to add support for such cases.

However, it might be easier to control the authorization to multiple namespaces by placing the users in the respective groups on the identity provider or identity management (IDM) system that is attached to Vault?

This has the additional benefit that one can see directly which user is actually authorized on which namespace.

Furthermore, I would not suggest "reusing" existing AD groups in the IDM system for Vault authorization purposes, but creating a new group for every Vault authorization purpose and deliberately adding the users to these new groups.

@in0rdr in0rdr linked a pull request Aug 26, 2022 that will close this issue

in0rdr commented Aug 26, 2022

mh, I'm a bit confused because I work with tons of code bases, each having a different purpose.

Could it be that the only issue here is that the internal group is not unique inside the namespace?

module.groups["testgroup2"].vault_identity_group_alias.group_alias: Creation complete after 0s [id=3da9bdda-4136-b1e3-8757-6f71c9c0225c]
╷
│ Error: failed to create identity group "tenant_admin", reason=group already exists with path="/identity/group/name/tenant_admin", id="69cf3c0d-b965-2a3f-67ea-0ef186f03b06"
│ 
│   with module.groups["testgroup2"].vault_identity_group.internal_group["tenant"],
│   on groups/main.tf line 20, in resource "vault_identity_group" "internal_group":
│   20: resource "vault_identity_group" "internal_group" {
│ 
╵

So what if we just make it unique?

I made a quick test using your YAML and an additional group/user for the same namespace tenant.

Note that it only works with OIDC auth. I tested with LDAP and was confused because it was not working as expected.
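
An added example (not code from this repository or from PR #17) that checks the parsed groups.yaml for the collision shown above: `shared_name` reproduces the per-namespace naming that produced `tenant_admin` twice, while `unique_name` is an assumed naming scheme that includes the external group, used here only to illustrate "make it unique"; the group data is the YAML from this issue, embedded as a dict.

```python
from collections import defaultdict

# Constructed input: the groups.yaml from this issue, already parsed into a
# dict so the check runs without PyYAML. testgroup and testgroup2 both map
# the "tenant" namespace, which is the case that fails.
GROUPS = {
    "testgroup": {
        "namespaces": {"tenant": {}, "tenant2": {}, "tenant3": {}},
        "metadata": {"owner": "foo@bar.com", "cost_center": "FooBar"},
    },
    "testgroup2": {
        "namespaces": {"tenant": {}},
        "metadata": {"owner": "foo2@bar.com"},
    },
}

def shared_name(group, namespace):
    """Per-namespace naming as in the error above: every external group that
    maps 'tenant' asks Vault for the same internal group 'tenant_admin'."""
    return f"{namespace}_admin"

def unique_name(group, namespace):
    """Assumed fix for illustration (not the module's actual scheme): include
    the external group so each (group, namespace) pair gets its own name."""
    return f"{group}_{namespace}_admin"

def plan_internal_groups(groups, naming):
    """Return {namespace: {internal_group_name: [external groups]}}, i.e. the
    vault_identity_group resources the module would try to create."""
    plan = defaultdict(lambda: defaultdict(list))
    for group, spec in groups.items():
        for namespace in spec.get("namespaces", {}):
            plan[namespace][naming(group, namespace)].append(group)
    return plan

def find_collisions(groups, naming):
    """Identity group names are unique within a Vault namespace, so a name
    claimed by two external groups is the 'group already exists' error."""
    collisions = []
    for namespace, names in plan_internal_groups(groups, naming).items():
        for name, owners in names.items():
            if len(owners) > 1:
                collisions.append((namespace, name, sorted(owners)))
    return sorted(collisions)

if __name__ == "__main__":
    for scheme in (shared_name, unique_name):
        print(scheme.__name__, find_collisions(GROUPS, scheme))
```

Running the check before `terraform apply` reports the `tenant_admin` collision for the current naming and none for the per-group naming.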

@in0rdr in0rdr self-assigned this Aug 26, 2022
@in0rdr in0rdr added the bug Something isn't working label Aug 29, 2022