8000 UI permissions errors for Tokens generated in Chroot Namespace · Issue #30574 · hashicorp/vault · GitHub

UI permissions errors for Tokens generated in Chroot Namespace #30574


Open
moo-im-a-cow opened this issue May 11, 2025 · 1 comment
Labels
bug Used to indicate a potential bug enterprise-customer ui

Comments

@moo-im-a-cow

Describe the bug
If you have a chroot namespace set up like this:

listener "tcp" {
  address = "127.0.0.1:8200"
  chroot_namespace = "prod"
}

tokens generated in that namespace will be unable to use the UI due to permissions errors.
Assuming the chroot namespace is prod, the UI thinks the token belongs to prod/prod instead of prod (which the UI should see as the root namespace).
This issue is present for OIDC tokens, but it's also present for userpass tokens, though only if you log in, copy the token, and then use that token to log in.
I haven't tried other types of tokens.

  1. Log in.
  2. The UI makes a GET request to auth/token/lookup-self, with no namespace header. The response contains the field data.namespace_path = prod.
  3. localstorage->vault-token☃1 has the field userRootNamespace = prod.
  4. All future requests use localstorage->vault-token☃1.userRootNamespace to add the header X-Vault-Namespace: prod to every request.
  5. Because of the chroot namespace, the Vault server treats those requests as asking for namespace prod/prod, which fails.
  6. Manually setting localstorage->vault-token☃1.userRootNamespace to empty makes Vault behave correctly; requests are successful (because the UI now tries to access the root namespace, which Vault transforms into prod).

Expected behavior
A clear and concise description of what you expected to happen.

Environment:

  • Vault Server Version: 1.19.3+ent
  • Server Operating System/Architecture: docker on ARM, kernel 6.13.6-200.fc41.aarch64

Vault server configuration file(s):

storage "raft" {
  path    = "/data"
  node_id = "node1"
}
listener "tcp" {
  address                           = "0.0.0.0:8200" # vault_root.REMOVED
  tls_disable                       = "true"
  x_forwarded_for_authorized_addrs  = "172.20.0.3"

}
listener "tcp" {
  address                           = "0.0.0.0:8201" # vault_dev.REMOVED
  tls_disable                       = "true"
  chroot_namespace                  = "dev"
  x_forwarded_for_authorized_addrs  = "172.20.0.3"
}

listener "tcp" {
  address                           = "0.0.0.0:8202" # vault.REMOVED
  tls_disable                       = "true"
  chroot_namespace                  = "prod"
  x_forwarded_for_authorized_addrs  = "172.20.0.3"
}


plugin_directory = "/plugins"

api_addr = "https://vault_root.DOMAIN"
cluster_addr = "https://127.0.0.1:8201"
ui = true

sentinel {
  additional_enabled_modules = ["http"]
}

docker-compose.yml

services:
  vault:
    restart: always
    image: hashicorp/vault:latest
    environment:
      - VAULT_LICENSE=REMOVED
    ports:
      - 5696:5696
    cap_add:
      - IPC_LOCK
    volumes:
      - ./plugins:/plugins
      - ./data:/data
      - ./config.hcl:/config.hcl
    healthcheck:
      retries: 5
    command: server -config=/config.hcl
  cloudflared:
    image: cloudflare/cloudflared:latest
    command: tunnel run REMOVED
    restart: always
    volumes:
      - ./cloudflare:/etc/cloudflared
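The six-step flow in the report above, modelled as an added example so the failure can be reproduced offline. This is not Vault's code and not the Vault UI's code: it is a small JavaScript model of the behaviour the issue describes (a chroot listener prefixing its namespace to whatever X-Vault-Namespace the client sends, and the UI replaying the namespace_path from lookup-self as userRootNamespace). The namespace set, the 403 "permission denied" for an unresolvable namespace, the trailing slash on namespace_path, and the corrected derivation `userRootFromSentHeader` are all assumptions of the example, not facts from the issue or from HashiCorp.

```javascript
// Added model (not Vault's code) of the chroot-namespace resolution described
// in the issue. Assumptions of the example: the namespaces below are
// constructed, an unresolvable namespace surfaces as 403 "permission denied",
// and namespace_path is reported with a trailing slash.
const KNOWN_NAMESPACES = new Set(["", "dev", "prod", "prod/team-a"]);

// "prod/" and "/prod" both normalise to "prod"; undefined/null to "".
function normalizeNs(ns) {
  return (ns || "").replace(/^\/+|\/+$/g, "");
}

// Server side: a listener with chroot_namespace prefixes it to the client's
// X-Vault-Namespace header. An empty header lands in the chroot namespace
// itself; a header of "prod" sent to the "prod" listener becomes "prod/prod",
// which is the bug the issue reports.
function resolveNamespace(chrootNamespace, headerNamespace) {
  const chroot = normalizeNs(chrootNamespace);
  const header = normalizeNs(headerNamespace);
  if (chroot === "") return header;
  return header === "" ? chroot : `${chroot}/${header}`;
}

// Model of any authenticated request, e.g. GET auth/token/lookup-self.
function request(chrootNamespace, headerNamespace) {
  const ns = resolveNamespace(chrootNamespace, headerNamespace);
  if (!KNOWN_NAMESPACES.has(ns)) {
    return { status: 403, errors: ["permission denied"], resolved: ns };
  }
  const namespacePath = ns === "" ? "" : `${ns}/`;
  return { status: 200, data: { namespace_path: namespacePath }, resolved: ns };
}

// Client side, as the issue describes the UI today: take namespace_path from
// the post-login lookup-self and replay it as X-Vault-Namespace on every call.
function userRootFromLookup(sentHeader, lookup) {
  return normalizeNs(lookup.data.namespace_path);
}

// Client side, corrected (my suggestion, not a HashiCorp fix): keep sending the
// namespace the client authenticated with. lookup-self only succeeds in the
// token's own namespace, so when the server reports a longer path than was
// sent, the extra leading segments are the listener's chroot prefix and must
// not be echoed back.
function userRootFromSentHeader(sentHeader, lookup) {
  const sent = normalizeNs(sentHeader);
  const reported = normalizeNs(lookup.data.namespace_path);
  let chrootPrefix = "";
  if (sent === "") {
    chrootPrefix = reported;
  } else if (reported.endsWith("/" + sent)) {
    chrootPrefix = reported.slice(0, reported.length - sent.length - 1);
  }
  // Strip the inferred chroot prefix; on a plain listener this is a no-op.
  return normalizeNs(reported.slice(chrootPrefix.length));
}

// Walk the UI flow from the issue: log in with the namespace typed into the
// login form, run lookup-self, derive userRootNamespace, then make one more
// request with that value as X-Vault-Namespace. Returns the final status, the
// header the client chose, and the namespace the server resolved it to.
function simulateUiSession(chrootNamespace, loginNamespace, deriveRoot) {
  const lookup = request(chrootNamespace, loginNamespace);
  if (lookup.status !== 200) {
    return { status: lookup.status, header: loginNamespace, resolved: lookup.resolved };
  }
  const userRootNamespace = deriveRoot(loginNamespace, lookup);
  const next = request(chrootNamespace, userRootNamespace);
  return { status: next.status, header: userRootNamespace, resolved: next.resolved };
}

// Stand-alone run: the chroot "prod" listener with the login form left at root.
if (typeof require !== "undefined" && require.main === module) {
  console.log("as reported:", simulateUiSession("prod", "", userRootFromLookup));
  console.log("corrected:  ", simulateUiSession("prod", "", userRootFromSentHeader));
}
```

Running it shows the reported path: the replayed header "prod" resolves to "prod/prod" and fails, while an empty header resolves to "prod" and succeeds, which is what step 6 of the report observes when userRootNamespace is cleared by hand. The corrected derivation also keeps working on a plain listener (login at "prod" stays "prod") and for a child namespace behind the chroot listener (login at "team-a" on the "prod" listener stays "team-a", not "prod/team-a").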
@heatherezell heatherezell added ui bug Used to indicate a potential bug enterprise-customer labels May 13, 2025
@heatherezell
Contributor

Hello! Since you're an Enterprise customer, I recommend opening a ticket with support to get the fastest response time. Please feel free to share this issue ID with them as well. Thanks! :)
