From 4d6e8fe23989084e16d7fefc52f1954ab09b3c08 Mon Sep 17 00:00:00 2001 From: Pratyoy Mukhopadhyay Date: Wed, 8 Dec 2021 10:50:21 -0800 Subject: [PATCH 1/6] Add entity-alias behavior change to docs --- website/content/docs/concepts/identity.mdx | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/website/content/docs/concepts/identity.mdx b/website/content/docs/concepts/identity.mdx index 53d05142d129..ca1f342f0de2 100644 --- a/website/content/docs/concepts/identity.mdx +++ b/website/content/docs/concepts/identity.mdx @@ -20,7 +20,8 @@ Each user may have multiple accounts with various identity providers, and Vault supports many of those providers to authenticate with Vault. Vault Identity can tie authentications from various auth methods to a single representation. This representation of a consolidated identity is called an **Entity** and their corresponding accounts with authentication providers can be mapped as -**Aliases**. In essence, each entity is made up of zero or more aliases. +**Aliases**. In essence, each entity is made up of zero or more aliases. An entity cannot have more than one alias for +a particular authentication backend. For example, a user with accounts in both GitHub and LDAP can be mapped to a single entity in Vault with two aliases, one of type GitHub and one of type From 4e1500c1d61df5a4d2e97ce9b1741baf042a74ad Mon Sep 17 00:00:00 2001 From: Pratyoy Mukhopadhyay Date: Wed, 8 Dec 2021 11:11:32 -0800 Subject: [PATCH 2/6] Add upgrade note about entity-alias mapping change --- website/content/docs/upgrading/upgrade-to-1.7.0.mdx | 2 ++ website/content/docs/upgrading/upgrade-to-1.8.0.mdx | 3 +++ website/content/docs/upgrading/upgrade-to-1.9.0.mdx | 3 +++ website/content/partials/entity-alias-mapping.mdx | 6 ++++++ 4 files changed, 14 insertions(+) create mode 100644 website/content/partials/entity-alias-mapping.mdx 
diff --git a/website/content/docs/upgrading/upgrade-to-1.7.0.mdx b/website/content/docs/upgrading/upgrade-to-1.7.0.mdx index 07dfaf13fa65..aa242fe526d6 100644 --- a/website/content/docs/upgrading/upgrade-to-1.7.0.mdx +++ b/website/content/docs/upgrading/upgrade-to-1.7.0.mdx @@ -48,3 +48,5 @@ Due to the known issue, Lease Count Quota users with DR Secondaries are recommen @include 'transform-upgrade.mdx' @include 'lease-count-quota-upgrade.mdx' + +@include 'entity-alias-mapping.mdx' diff --git a/website/content/docs/upgrading/upgrade-to-1.8.0.mdx b/website/content/docs/upgrading/upgrade-to-1.8.0.mdx index 4f7133b8b77c..aeeda73aae61 100644 --- a/website/content/docs/upgrading/upgrade-to-1.8.0.mdx +++ b/website/content/docs/upgrading/upgrade-to-1.8.0.mdx @@ -40,6 +40,9 @@ Notes](https://golang.org/doc/go1.16) for full details. Of particular note: @include 'alpine-314.mdx' + +@include 'entity-alias-mapping.mdx' + ## Known Issues - MSSQL integrations (storage and secrets engine) will crash with a "panic: not implemented" error diff --git a/website/content/docs/upgrading/upgrade-to-1.9.0.mdx b/website/content/docs/upgrading/upgrade-to-1.9.0.mdx index e4a11a0bcc06..257be7906edf 100644 --- a/website/content/docs/upgrading/upgrade-to-1.9.0.mdx +++ b/website/content/docs/upgrading/upgrade-to-1.9.0.mdx @@ -92,3 +92,6 @@ Additionally, Go has begun doing automated cipher suite ordering and no longer respects the order of suites given in `tls_cipher_suites`. See [this blog post](https://go.dev/blog/tls-cipher-suites) for more information. + + +@include 'entity-alias-mapping.mdx' diff --git a/website/content/partials/entity-alias-mapping.mdx b/website/content/partials/entity-alias-mapping.mdx new file mode 100644 index 000000000000..c2e64d02ab6a --- /dev/null +++ b/website/content/partials/entity-alias-mapping.mdx 
@@ -0,0 +1,6 @@ +## Entity Alias mapping + +Previously, an entity in Vault could be mapped to multiple entity aliases on the same authentication backend. This +led to a potential security vulnerability, as ACL policies templated with alias information, would match the first +alias created. As a result, the mapping behavior was updated such that an entity can only have one alias per authentication +backend. This change exists in Vault 1.9.0+, 1.8.5+ and 1.7.6+. \ No newline at end of file From 2a9fb2097f80cc22993ced66bac66bb95462bad7 Mon Sep 17 00:00:00 2001 From: Pratyoy Mukhopadhyay Date: Wed, 8 Dec 2021 11:48:25 -0800 Subject: [PATCH 3/6] Rename 1.7-9 upgrade pages, shuffle upgrade note position --- .../{upgrade-to-1.7.0.mdx => upgrade-to-1.7.x.mdx} | 9 +++++---- .../{upgrade-to-1.8.0.mdx => upgrade-to-1.8.x.mdx} | 6 +++--- .../{upgrade-to-1.9.0.mdx => upgrade-to-1.9.x.mdx} | 10 +++++----- website/data/docs-nav-data.json | 12 ++++++------ 4 files changed, 19 insertions(+), 18 deletions(-) rename website/content/docs/upgrading/{upgrade-to-1.7.0.mdx => upgrade-to-1.7.x.mdx} (92%) rename website/content/docs/upgrading/{upgrade-to-1.8.0.mdx => upgrade-to-1.8.x.mdx} (95%) rename website/content/docs/upgrading/{upgrade-to-1.9.0.mdx => upgrade-to-1.9.x.mdx} (96%) diff --git a/website/content/docs/upgrading/upgrade-to-1.7.0.mdx b/website/content/docs/upgrading/upgrade-to-1.7.x.mdx similarity index 92% rename from website/content/docs/upgrading/upgrade-to-1.7.0.mdx rename to website/content/docs/upgrading/upgrade-to-1.7.x.mdx index aa242fe526d6..23c8077d34c1 100644 --- a/website/content/docs/upgrading/upgrade-to-1.7.0.mdx +++ b/website/content/docs/upgrading/upgrade-to-1.7.x.mdx 
@@ -1,15 +1,15 @@ --- layout: docs -page_title: Upgrading to Vault 1.7.0 - Guides +page_title: Upgrading to Vault 1.7.x - Guides description: |- This page contains the list of deprecations and important or breaking changes - for Vault 1.7.0. Please read it carefully. + for Vault 1.7.x. Please read it carefully. --- # Overview This page contains the list of deprecations and important or breaking changes -for Vault 1.7.0 compared to 1.6. Please read it carefully. +for Vault 1.7.x compared to 1.6. Please read it carefully. ## Barrier Key Auto-Rotation @@ -31,6 +31,8 @@ endpoint changes is available in the [AWS Auth API docs](/api-docs/auth/aws#depr @include 'alpine-314.mdx' +@include 'entity-alias-mapping.mdx' + ## Known Issues Due to the known issue, Transform Secrets Engine users are recommended to upgrade to version 1.7.0. @@ -49,4 +51,3 @@ Due to the known issue, Lease Count Quota users with DR Secondaries are recommen @include 'lease-count-quota-upgrade.mdx' -@include 'entity-alias-mapping.mdx' diff --git a/website/content/docs/upgrading/upgrade-to-1.8.0.mdx b/website/content/docs/upgrading/upgrade-to-1.8.x.mdx similarity index 95% rename from website/content/docs/upgrading/upgrade-to-1.8.0.mdx rename to website/content/docs/upgrading/upgrade-to-1.8.x.mdx index aeeda73aae61..5fd3f0fbe0a4 100644 --- a/website/content/docs/upgrading/upgrade-to-1.8.0.mdx +++ b/website/content/docs/upgrading/upgrade-to-1.8.x.mdx @@ -1,15 +1,15 @@ --- layout: docs -page_title: Upgrading to Vault 1.8.0 - Guides +page_title: Upgrading to Vault 1.8.x - Guides description: |- This page contains the list of deprecations and important or breaking changes - for Vault 1.8.0. Please read it carefully. + for Vault 1.8.x. Please read it carefully. --- # Overview This page contains the list of deprecations and important or breaking changes -for Vault 1.8.0 compared to 1.7. Please read it carefully. +for Vault 1.8.x compared to 1.7. Please read it carefully. ## License Enhancements 
diff --git a/website/content/docs/upgrading/upgrade-to-1.9.0.mdx b/website/content/docs/upgrading/upgrade-to-1.9.x.mdx similarity index 96% rename from website/content/docs/upgrading/upgrade-to-1.9.0.mdx rename to website/content/docs/upgrading/upgrade-to-1.9.x.mdx index 257be7906edf..ed70722ab2ff 100644 --- a/website/content/docs/upgrading/upgrade-to-1.9.0.mdx +++ b/website/content/docs/upgrading/upgrade-to-1.9.x.mdx @@ -1,15 +1,15 @@ --- layout: docs -page_title: Upgrading to Vault 1.9.0 - Guides +page_title: Upgrading to Vault 1.9.x - Guides description: |- This page contains the list of deprecations and important or breaking changes - for Vault 1.9.0. Please read it carefully. + for Vault 1.9.x. Please read it carefully. --- # Overview This page contains the list of deprecations and important or breaking changes -for Vault 1.9.0 compared to 1.8. Please read it carefully. +for Vault 1.9.x compared to 1.8. Please read it carefully. ## OIDC Provider @@ -56,6 +56,8 @@ To re-enable the old behavior, update the roles with a value of `"*"` to the `allowed_extensions` parameter allowing any/all extensions to be specified by clients. +@include 'entity-alias-mapping.mdx' + ## Deprecations ### HTTP Request Counter Deprecation @@ -93,5 +95,3 @@ respects the order of suites given in `tls_cipher_suites`. See [this blog post](https://go.dev/blog/tls-cipher-suites) for more information. - -@include 'entity-alias-mapping.mdx' diff --git a/website/data/docs-nav-data.json b/website/data/docs-nav-data.json index 9acc95bd313c..a85f89dcdb31 100644 --- a/website/data/docs-nav-data.json +++ b/website/data/docs-nav-data.json 
@@ -1470,16 +1470,16 @@ "path": "upgrading/plugins" }, { - "title": "Upgrade to 1.9.0", - "path": "upgrading/upgrade-to-1.9.0" + "title": "Upgrade to 1.9.x", + "path": "upgrading/upgrade-to-1.9.x" }, { - "title": "Upgrade to 1.8.0", - "path": "upgrading/upgrade-to-1.8.0" + "title": "Upgrade to 1.8.x", + "path": "upgrading/upgrade-to-1.8.x" }, { - "title": "Upgrade to 1.7.0", - "path": "upgrading/upgrade-to-1.7.0" + "title": "Upgrade to 1.7.x", + "path": "upgrading/upgrade-to-1.7.x" }, { "title": "Upgrade to 1.6.3", From e9a721327e25deb74c72594679fec742de62c85c Mon Sep 17 00:00:00 2001 From: Pratyoy Mukhopadhyay <35388175+pmmukh@users.noreply.github.com> Date: Wed, 8 Dec 2021 11:50:06 -0800 Subject: [PATCH 4/6] Update website/content/partials/entity-alias-mapping.mdx Co-authored-by: Meggie --- website/content/partials/entity-alias-mapping.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/partials/entity-alias-mapping.mdx b/website/content/partials/entity-alias-mapping.mdx index c2e64d02ab6a..e696b82ed65e 100644 --- a/website/content/partials/entity-alias-mapping.mdx +++ b/website/content/partials/entity-alias-mapping.mdx @@ -1,6 +1,6 @@ ## Entity Alias mapping Previously, an entity in Vault could be mapped to multiple entity aliases on the same authentication backend. This -led to a potential security vulnerability, as ACL policies templated with alias information, would match the first +led to a potential security vulnerability (CVE-2021-43998), as ACL policies templated with alias information would match the first alias created. As a result, the mapping behavior was updated such that an entity can only have one alias per authentication backend. This change exists in Vault 1.9.0+, 1.8.5+ and 1.7.6+. \ No newline at end of file From 21edb578d98c39187b8b47f625036f0ebd2e6aaa Mon Sep 17 00:00:00 2001 
From: Pratyoy Mukhopadhyay Date: Wed, 8 Dec 2021 12:32:18 -0800 Subject: [PATCH 5/6] Add incorrect policy issue to the docs --- website/content/partials/entity-alias-mapping.mdx | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/website/content/partials/entity-alias-mapping.mdx b/website/content/partials/entity-alias-mapping.mdx index e696b82ed65e..b8b3e4e37a80 100644 --- a/website/content/partials/entity-alias-mapping.mdx +++ b/website/content/partials/entity-alias-mapping.mdx @@ -2,5 +2,6 @@ Previously, an entity in Vault could be mapped to multiple entity aliases on the same authentication backend. This led to a potential security vulnerability (CVE-2021-43998), as ACL policies templated with alias information would match the first -alias created. As a result, the mapping behavior was updated such that an entity can only have one alias per authentication -backend. This change exists in Vault 1.9.0+, 1.8.5+ and 1.7.6+. \ No newline at end of file +alias created. Thus, tokens created from all aliases of the entity, will have access to the paths containing alias +metadata of the first alias due to templated policies being incorrectly applied. As a result, the mapping behavior was updated +such that an entity can only have one alias per authentication backend. This change exists in Vault 1.9.0+, 1.8.5+ and 1.7.6+. \ No newline at end of file From 22c39e9c471f176b541682fea7a4761d4f08c041 Mon Sep 17 00:00:00 2001 From: Pratyoy Mukhopadhyay Date: Wed, 8 Dec 2021 13:11:56 -0800 Subject: [PATCH 6/6] Add example about entity-alias restriction --- website/content/docs/concepts/identity.mdx | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/website/content/docs/concepts/identity.mdx b/website/content/docs/concepts/identity.mdx index ca1f342f0de2..51d47a8acd58 100644 --- a/website/content/docs/concepts/identity.mdx +++ b/website/content/docs/concepts/identity.mdx 
@@ -25,7 +25,8 @@ a particular authentication backend. For example, a user with accounts in both GitHub and LDAP can be mapped to a single entity in Vault with two aliases, one of type GitHub and one of type -LDAP. +LDAP. Note however, if both aliases are created on the same auth mount, say +a Github mount, both aliases cannot be mapped to the same entity. ![Entity overview](/img/vault-identity-doc-1.png)
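Review bot: The sentence added to `identity.mdx` in PATCH 1, "An entity cannot have more than one alias for a particular authentication backend.", leaves open whether the limit is per auth method type or per mount, and "authentication backend" is not the term the surrounding paragraph uses (it says "auth methods"). The PATCH 6 hunk in the same file resolves the ambiguity by saying "same auth mount", so the two sentences should state the same rule in the same words, e.g. `An entity cannot have more than one alias on a particular auth method mount.`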
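Review bot: The `entity-alias-mapping.mdx` partial created in PATCH 2 describes the new rule but says nothing about what an operator should expect when upgrading to 1.9.0+, 1.8.5+ or 1.7.6+ with entities that already carry two or more aliases on one mount (are they rejected, merged, or kept but no longer matched by templated policies?), nor how to find such entities before upgrading. That migration behavior is the question an upgrade note exists to answer; suggest adding a sentence on it and, if an audit procedure is intended (for example reading each entity and checking its alias list for a repeated mount accessor), stating that procedure so it is not left to the reader to guess.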
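Review bot: The sentence added in PATCH 5, "Thus, tokens created from all aliases of the entity, will have access to the paths containing alias metadata of the first alias due to templated policies being incorrectly applied.", has a stray comma after "entity" and buries the actual impact. Suggest stating the consequence directly, e.g. `As a result, a token obtained through any of the entity's aliases on that mount was granted the paths that templated policies rendered for the first alias created, rather than for the alias actually used to log in.` The "As a result, the mapping behavior was updated..." sentence that follows would then need a different opener to avoid two consecutive "As a result" sentences.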
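Review bot: `website/content/partials/entity-alias-mapping.mdx` is created in PATCH 2 and modified in PATCH 4 and PATCH 5, and every version ends with "\ No newline at end of file"; add the trailing newline so future edits do not churn the last line. While touching the partial, the heading "## Entity Alias mapping" should match the title-case headings used on the pages that include it ("## Barrier Key Auto-Rotation", "## Known Issues", "## Deprecations"), i.e. `## Entity Alias Mapping`.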
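Review bot: PATCH 3 renames `upgrade-to-1.7.0.mdx`, `upgrade-to-1.8.0.mdx` and `upgrade-to-1.9.0.mdx` to their `.x` counterparts and updates `docs-nav-data.json`, but nothing in the series adds redirects from the old `upgrading/upgrade-to-1.7.0`, `upgrade-to-1.8.0` and `upgrade-to-1.9.0` paths, so existing inbound links to those URLs will break. Add redirects for the three old paths alongside the rename.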
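Review bot: PATCH 2 appends `@include 'entity-alias-mapping.mdx'` at the very end of the 1.7.0 and 1.9.0 pages, which on the 1.7.0 page places it under "## Known Issues" after the `lease-count-quota-upgrade.mdx` include, and PATCH 3 immediately moves it above "## Known Issues" / "## Deprecations". Since the intermediate state is wrong and only lives for one commit, squash PATCH 2 into PATCH 3 (or into the rename) so the history does not record the misplaced include.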
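Review bot: In the PATCH 6 hunk, "Note however, if both aliases are created on the same auth mount, say a Github mount, both aliases cannot be mapped to the same entity." is missing "that" after "however" and spells the product "Github" while the sentence just before it says "GitHub". Suggest `Note, however, that if both aliases are created on the same auth mount, say a GitHub mount, they cannot be mapped to the same entity.`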