Not able to create a entity-alias based on the common-name with cert login #4475

Closed
vinzent opened this issue Apr 27, 2018 · 0 comments
vinzent commented Apr 27, 2018

Environment:

  • Vault Version: Vault v0.10.1 ('756fdc4587350daf1c65b93647b2cc31a6f119cd')
  • Operating System/Architecture: Fedora 27

Vault Config File:

disable_mlock = true

storage "inmem" {
}

listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_cert_file = "pki/issued/vault.local.crt"
  tls_key_file = "pki/private/vault.local.key"
  tls_client_ca_file  = "pki/ca.crt"
}

Startup Log Output:

==> Vault server configuration:

                     Cgo: disabled
              Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", tls: "enabled")
               Log Level: info
                   Mlock: supported: true, enabled: false
                 Storage: inmem
                 Version: Vault v0.10.1
             Version Sha: 756fdc4587350daf1c65b93647b2cc31a6f119cd

==> Vault server started! Log data will stream in below:

2018-04-26T17:56:35.892+0200 [INFO ] core: security barrier not initialized
2018-04-26T17:56:35.892+0200 [INFO ] core: security barrier initialized: shares=1 threshold=1
2018-04-26T17:56:35.892+0200 [INFO ] core: post-unseal setup starting
2018-04-26T17:56:35.901+0200 [INFO ] core: loaded wrapping token key
2018-04-26T17:56:35.901+0200 [INFO ] core: successfully setup plugin catalog: plugin-directory=
2018-04-26T17:56:35.901+0200 [INFO ] core: no mounts; adding default mount table
2018-04-26T17:56:35.901+0200 [INFO ] core: successfully mounted backend: type=kv path=secret/
2018-04-26T17:56:35.901+0200 [INFO ] core: successfully mounted backend: type=cubbyhole path=cubbyhole/
2018-04-26T17:56:35.902+0200 [INFO ] core: successfully mounted backend: type=system path=sys/
2018-04-26T17:56:35.902+0200 [INFO ] core: successfully mounted backend: type=identity path=identity/
2018-04-26T17:56:35.903+0200 [INFO ] core: restoring leases
2018-04-26T17:56:35.903+0200 [INFO ] rollback: starting rollback manager
2018-04-26T17:56:35.903+0200 [INFO ] expiration: lease restore complete
2018-04-26T17:56:35.903+0200 [INFO ] identity: entities restored
2018-04-26T17:56:35.903+0200 [INFO ] identity: groups restored
2018-04-26T17:56:35.903+0200 [INFO ] core: post-unseal setup complete
2018-04-26T17:56:35.904+0200 [INFO ] core: root token generated
2018-04-26T17:56:35.904+0200 [INFO ] core: pre-seal teardown starting
2018-04-26T17:56:35.904+0200 [INFO ] core: cluster listeners not running
2018-04-26T17:56:35.904+0200 [INFO ] rollback: stopping rollback manager
2018-04-26T17:56:35.904+0200 [INFO ] core: pre-seal teardown complete
2018-04-26T17:56:57.859+0200 [INFO ] core: vault is unsealed
2018-04-26T17:56:57.859+0200 [INFO ] core: post-unseal setup starting
2018-04-26T17:56:57.859+0200 [INFO ] core: loaded wrapping token key
2018-04-26T17:56:57.859+0200 [INFO ] core: successfully setup plugin catalog: plugin-directory=
2018-04-26T17:56:57.860+0200 [INFO ] core: successfully mounted backend: type=kv path=secret/
2018-04-26T17:56:57.860+0200 [INFO ] core: successfully mounted backend: type=system path=sys/
2018-04-26T17:56:57.861+0200 [INFO ] core: successfully mounted backend: type=identity path=identity/
2018-04-26T17:56:57.861+0200 [INFO ] core: successfully mounted backend: type=cubbyhole path=cubbyhole/
2018-04-26T17:56:57.864+0200 [INFO ] core: restoring leases
2018-04-26T17:56:57.864+0200 [INFO ] rollback: starting rollback manager
2018-04-26T17:56:57.865+0200 [INFO ] identity: entities restored
2018-04-26T17:56:57.865+0200 [INFO ] identity: groups restored
2018-04-26T17:56:57.865+0200 [INFO ] core: post-unseal setup complete
2018-04-26T17:56:57.865+0200 [INFO ] expiration: lease restore complete
2018-04-26 17:59:19.493914 I | http: TLS handshake error from 127.0.0.1:38278: remote error: tls: bad certificate
2018-04-26T18:02:38.049+0200 [INFO ] core: enabled credential backend: path=cert/ type=cert
2018-04-26T21:15:43.483+0200 [INFO ] expiration: revoked lease: lease_id=auth/cert/login/9456dd51a650ae7b4b2188768b34a14508fef0d6
2018-04-27T07:49:16.721+0200 [INFO ] expiration: revoked lease: lease_id=auth/cert/login/a3e6330e19da60eb56b6c376b54ca62c11004810

Expected Behavior:
After adding an entity-alias with

./vault write identity/entity-alias name=client.local canonical_id=dadf932f-9d67-9ffb-a3d8-008be657451e mount_accessor=auth_cert_6789a1c8

a login with the cert with the CN client.local should map to the canonical_id defined here.

Actual Behavior:
A new entity-alias is added on login based on the

Steps to Reproduce:

  • enable cert auth
  • add entity for client.local
  • add entity-alias for cert auth and common-name client.local which maps to entity clientlocal
  • login with cert

see also mailinglist discussion: https://groups.google.com/d/msg/vault-tool/aOVWxq0SxRM/eaGd0IXRAwAJ

Important Factoids:
complete config and certs can be found here: https://github.com/vinzent/vault-playground

References:
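The procedure in the issue (enable cert auth, pre-create the entity and its alias, log in with the client certificate) can be checked afterwards by comparing the entity_id on the token the login returned with the canonical_id the alias was meant to map to, and, when they differ, by reading back which alias Vault actually used. The following Python is an added example and not code from the issue author or from the Vault project. It works on two Vault API responses constructed inline (`auth/token/lookup-self` and `LIST identity/entity-alias/id`); the canonical_id, mount accessor and alias name are the ones quoted in the issue, the entity_id of the stray entity is made up, and the alias name `name-chosen-by-cert-backend` is a placeholder for whatever the cert backend really sends, which the issue does not state.

```python
"""Post-login check for a cert-auth entity-alias mapping.

Added example, not code from the issue or from Vault. It runs on JSON shaped
like two Vault API responses, constructed inline below:
  * auth/token/lookup-self for the token returned by `vault login -method=cert`
  * LIST identity/entity-alias/id (`vault list -format=json identity/entity-alias/id`)
"""
import json

# The alias the issue author pre-created (values taken from the issue text).
INTENDED_ALIAS = {
    "name": "client.local",
    "mount_accessor": "auth_cert_6789a1c8",
    "canonical_id": "dadf932f-9d67-9ffb-a3d8-008be657451e",
}

# Constructed: token lookup for a login that did NOT land on the intended entity
# (entity_id differs from the canonical_id above; the id itself is made up).
SAMPLE_TOKEN_LOOKUP_MISMATCH = json.loads("""
{"data": {"entity_id": "7c0e1a42-0000-4000-8000-000000000002",
          "path": "auth/cert/login", "policies": ["default"]}}
""")

# Constructed: token lookup for the behaviour the issue expects.
SAMPLE_TOKEN_LOOKUP_OK = json.loads("""
{"data": {"entity_id": "dadf932f-9d67-9ffb-a3d8-008be657451e",
          "path": "auth/cert/login", "policies": ["default"]}}
""")

# Constructed: alias listing taken after the mismatching login. "a2" stands for
# the alias Vault created on the fly; its name is a placeholder, not what the
# cert backend actually sends.
SAMPLE_ALIAS_LIST = json.loads("""
{"data": {"keys": ["a1", "a2"],
          "key_info": {
            "a1": {"name": "client.local",
                   "mount_accessor": "auth_cert_6789a1c8",
                   "canonical_id": "dadf932f-9d67-9ffb-a3d8-008be657451e"},
            "a2": {"name": "name-chosen-by-cert-backend",
                   "mount_accessor": "auth_cert_6789a1c8",
                   "canonical_id": "7c0e1a42-0000-4000-8000-000000000002"}}}}
""")


def aliases_on_mount(alias_list, mount_accessor):
    """Aliases (id -> info) belonging to one auth mount, selected by accessor."""
    info = alias_list["data"].get("key_info", {})
    return {aid: a for aid, a in info.items() if a.get("mount_accessor") == mount_accessor}


def diagnose(token_lookup, alias_list, intended):
    """Compare the entity the login token got with the entity the alias should map to.

    Vault resolves an alias by (mount_accessor, alias name). If no alias with the
    exact name the auth backend sends exists on that accessor, it creates a fresh
    entity plus alias during login. This reports which of the two happened and,
    in the mismatch case, the alias name the backend actually used.
    """
    entity_id = token_lookup["data"]["entity_id"]
    if entity_id == intended["canonical_id"]:
        return {"ok": True, "entity_id": entity_id, "alias_name_used": intended["name"]}
    used = [a for a in aliases_on_mount(alias_list, intended["mount_accessor"]).values()
            if a.get("canonical_id") == entity_id]
    name_used = used[0]["name"] if used else None
    return {
        "ok": False,
        "entity_id": entity_id,  # the stray entity Vault created on login
        "alias_name_used": name_used,
        # Payload for `vault write identity/entity-alias ...` that maps future
        # logins onto the intended entity using the name the backend really sends.
        "corrective_alias": None if name_used is None else {
            "name": name_used,
            "mount_accessor": intended["mount_accessor"],
            "canonical_id": intended["canonical_id"],
        },
    }


if __name__ == "__main__":
    for lookup in (SAMPLE_TOKEN_LOOKUP_MISMATCH, SAMPLE_TOKEN_LOOKUP_OK):
        print(json.dumps(diagnose(lookup, SAMPLE_ALIAS_LIST, INTENDED_ALIAS), indent=2))
```

The `corrective_alias` payload cannot simply be written while the stray alias still exists, because the (mount_accessor, name) pair is already taken by the entity Vault created on login: either merge that stray entity into the intended one with `identity/entity/merge`, or delete the stray alias and entity first, then write the alias with the name the backend sends.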
