path-help doesn't work on some paths #18566

jacob-faber · 2022-12-28T11:48:21Z

Describe the bug
path-help doesn't work on some paths, for example: vault path-help sys/auth/userpass/tune.

To Reproduce
Steps to reproduce the behavior:

Create vault policy (see admin-policy) and associate it to the user
Login to vault as a user (vault login -method=userpass username=user)
Try vault path-help sys/auth/userpass/tune

Expected behavior
I can read sys/auth/userpass/tune, it should be also possible to see help with path-help.

Environment:

Vault Server Version (retrieve with vault status): 1.12.2
Vault CLI Version (retrieve with vault version): v1.12.2
Server Operating System/Architecture: External vault in docker container

Vault server configuration file(s):

admin-policy

path "*" {
	capabilities = ["create", "read", "update", "delete", "list", "patch","sudo"]
}

Login with user that has admin-policy.

➜  ~ vault login -method=userpass username=user
Password (will be hidden): 
Initiating Interactive MFA Validation...
Enter the passphrase for methodID "2d8ae368-de86-bed8-2604-9d417891b42f" of type "totp": 
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                    Value
---                    -----
token                  hvs.CAESIDqSgwjga3xfj_CYnRm1HfaAYNt8goZXpvDDU5vk7ET9Gh4KHGh2cy41aUVyY2hFSWtBOXXXXXXXXXXXXXXX
token_accessor         wNavuIhpO5yqVHEjOXXXXX
token_duration         72h
token_renewable        true
token_policies         ["default"]
identity_policies      ["admin-policy"]
policies               ["admin-policy" "default"]
token_meta_username    user

I can read sys/auth/userpass/tune path.

➜  ~ vault read sys/auth/userpass/tune
Key                   Value
---                   -----
default_lease_ttl     72h
description           n/a
force_no_cache        false
listing_visibility    hidden
max_lease_ttl         720h
token_type            default-service

I can't get path-help of sys/auth/userpass/tune path - it works with root login.

➜  ~ vault path-help sys/auth/userpass/tune
Error retrieving help: Error making API request.

URL: GET https://vault.example.com:8200/v1/sys/auth/userpass/tune?help=1
Code: 403. Errors:

* 1 error occurred:
	* permission denied

The text was updated successfully, but these errors were encountered:

Fixes hashicorp#18566

* Fix HelpOperation on sudo-protected paths Fixes #18566 * Add changelog

maxb mentioned this issue Dec 28, 2022

Fix HelpOperation on sudo-protected paths #18568

Merged

maxb added a commit to maxb/vault that referenced this issue Dec 28, 2022

Fix HelpOperation on sudo-protected paths

c82ff02

Fixes hashicorp#18566

heatherezell added the bug Used to indicate a potential bug label Jan 4, 2023

ltcarbonell closed this as completed in #18568 Jan 10, 2023

ltcarbonell pushed a commit that referenced this issue Jan 10, 2023

Fix HelpOperation on sudo-protected paths (#18568)

4758cc8

* Fix HelpOperation on sudo-protected paths Fixes #18566 * Add changelog

AnPucel pushed a commit that referenced this issue Jan 14, 2023

Fix HelpOperation on sudo-protected paths (#18568)

05d8380

* Fix HelpOperation on sudo-protected paths Fixes #18566 * Add changelog

AnPucel pushed a commit that referenced this issue Feb 3, 2023

Fix HelpOperation on sudo-protected paths (#18568)

3c85249

* Fix HelpOperation on sudo-protected paths Fixes #18566 * Add changelog

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

path-help doesn't work on some paths #18566

path-help doesn't work on some paths #18566

jacob-faber commented Dec 28, 2022 •

edited

Loading

path-help doesn't work on some paths #18566

path-help doesn't work on some paths #18566

Comments

jacob-faber commented Dec 28, 2022 • edited Loading

jacob-faber commented Dec 28, 2022 •

edited

Loading