[VAULT-3252] Add entity-alias behavior change to docs #13370

Merged, 6 commits, Dec 8, 2021

Changes from 2 commits
3 changes: 2 additions & 1 deletion website/content/docs/concepts/identity.mdx
@@ -20,7 +20,8 @@ Each user may have multiple accounts with various identity providers, and Vault
supports many of those providers to authenticate with Vault. Vault Identity can
tie authentications from various auth methods to a single representation. This representation of a consolidated identity is called an **Entity** and their
corresponding accounts with authentication providers can be mapped as
**Aliases**. In essence, each entity is made up of zero or more aliases.
**Aliases**. In essence, each entity is made up of zero or more aliases. An entity cannot have more than one alias for
a particular authentication backend.

For example, a user with accounts in both GitHub and LDAP can be mapped to a
single entity in Vault with two aliases, one of type GitHub and one of type
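Review bot: the added sentence at line 42-43 introduces the term "authentication backend" while the sentence two lines above it says "auth methods"; pick one term so a reader does not wonder whether a backend and a method are different things. Since the one-alias-per-backend rule only applies from the releases named in the new partial (1.9.0+, 1.8.5+, 1.7.6+), and this concepts page is read by people on older releases too, it would also help to state the versions here or link to the upgrade note, e.g. "As of Vault 1.9.0, 1.8.5 and 1.7.6, an entity cannot have more than one alias for a particular auth method."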
2 changes: 2 additions & 0 deletions website/content/docs/upgrading/upgrade-to-1.7.0.mdx
Expand Up @@ -48,3 +48,5 @@ Due to the known issue, Lease Count Quota users with DR Secondaries are recommen
@include 'transform-upgrade.mdx'

@include 'lease-count-quota-upgrade.mdx'

@include 'entity-alias-mapping.mdx'
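Review bot: the partial being included here states that the change "exists in Vault 1.9.0+, 1.8.5+ and 1.7.6+", but this file is the upgrade guide for 1.7.0; someone upgrading to 1.7.0 through 1.7.5 will read it as applying to their target version. Consider prefixing the include with a one-line note that the behavior change arrives in the 1.7.6 patch release, or placing the note under the 1.7.x patch-release section if the guide has one.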
3 changes: 3 additions & 0 deletions website/content/docs/upgrading/upgrade-to-1.8.0.mdx
Expand Up @@ -40,6 +40,9 @@ Notes](https://golang.org/doc/go1.16) for full details. Of particular note:

@include 'alpine-314.mdx'


@include 'entity-alias-mapping.mdx'

## Known Issues

- MSSQL integrations (storage and secrets engine) will crash with a "panic: not implemented" error
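Review bot: there are two blank lines between `@include 'alpine-314.mdx'` and the new `@include 'entity-alias-mapping.mdx'`, whereas the rest of this file and the 1.7.0 guide in this same PR separate includes with a single blank line; trim one so the file stays consistent. Placement before "## Known Issues" is fine, since the partial carries its own "##" heading at the same level.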
3 changes: 3 additions & 0 deletions website/content/docs/upgrading/upgrade-to-1.9.0.mdx
Expand Up @@ -92,3 +92,6 @@ Additionally, Go has begun doing automated cipher suite ordering and no longer
respects the order of suites given in `tls_cipher_suites`.

See [this blog post](https://go.dev/blog/tls-cipher-suites) for more information.


@include 'entity-alias-mapping.mdx'
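Review bot: same double-blank-line issue as in the 1.8.0 guide, here between the "See this blog post" sentence and the include; reduce it to a single blank line. Also note this include is appended directly after the TLS cipher suite discussion, so it relies entirely on the partial's own "## Entity Alias mapping" heading to start a new section; that works as long as the partial keeps that heading, which is worth keeping in mind if the partial is later reused without it.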
6 changes: 6 additions & 0 deletions website/content/partials/entity-alias-mapping.mdx
@@ -0,0 +1,6 @@
## Entity Alias mapping

Previously, an entity in Vault could be mapped to multiple entity aliases on the same authentication backend. This
led to a potential security vulnerability, as ACL policies templated with alias information, would match the first
alias created. As a result, the mapping behavior was updated such that an entity can only have one alias per authentication
Contributor:

This doesn't quite cover the impact of ACL policy templating matching the first alias created - could you please add a statement about the impact before "As a result"?

Contributor Author (@pmmukh, Dec 8, 2021):

Added a line about that here: 21edb57, let me know how it looks!

backend. This change exists in Vault 1.9.0+, 1.8.5+ and 1.7.6+.
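Review bot: the partial does not say what happens to entities that already have more than one alias on the same authentication backend when an operator upgrades to 1.9.0, 1.8.5 or 1.7.6; an upgrade note should state whether such aliases are dropped, which one is retained, or whether operators need to consolidate them before upgrading, since that is what someone reading an upgrade guide needs to act on. Two smaller points in the same paragraph: the comma in "ACL policies templated with alias information, would match the first alias created" splits subject from verb and should go, and the reviewer's request to spell out the impact of matching the first alias (now addressed in 21edb57 per the thread) is not reflected in this 2-commit view, so please confirm the final text reads "...would match the first alias created, <impact>. As a result, ..." before merging.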