[VAULT-3252] Add entity-alias behavior change to docs (#13370)
* Add entity-alias behavior change to docs

* Add upgrade note about entity-alias mapping change

* Rename 1.7-9 upgrade pages, shuffle upgrade note position

* Update website/content/partials/entity-alias-mapping.mdx

Co-authored-by: Meggie <[email protected]>

* Add incorrect policy issue to the docs

* Add example about entity-alias restriction

Co-authored-by: Meggie <[email protected]>
2 people authored and actions-user committed Dec 8, 2021
1 parent 05665ce commit 6607cf1
Showing 6 changed files with 35 additions and 17 deletions.
6 changes: 4 additions & 2 deletions website/content/docs/concepts/identity.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -20,11 +20,13 @@ Each user may have multiple accounts with various identity providers, and Vault
supports many of those providers to authenticate with Vault. Vault Identity can
tie authentications from various auth methods to a single representation. This representation of a consolidated identity is called an **Entity** and their
corresponding accounts with authentication providers can be mapped as
**Aliases**. In essence, each entity is made up of zero or more aliases.
**Aliases**. In essence, each entity is made up of zero or more aliases. An entity cannot have more than one alias for
a particular authentication backend.

For example, a user with accounts in both GitHub and LDAP can be mapped to a
single entity in Vault with two aliases, one of type GitHub and one of type
LDAP.
LDAP. Note however, if both aliases are created on the same auth mount, say
a Github mount, both aliases cannot be mapped to the same entity.

![Entity overview](/img/vault-identity-doc-1.png)

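Review bot: the two added sentences describe the same restriction with different terms, "a particular authentication backend" (line "An entity cannot have more than one alias for") versus "the same auth mount" in the example; pick one term and use it in both places so the scope of the rule is unambiguous. While here, "both aliases cannot be mapped to the same entity" reads more naturally as "the two aliases cannot both be mapped to the same entity", and "a Github mount" should be "a GitHub mount" to match the capitalisation used two lines above.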
@@ -1,15 +1,15 @@
---
layout: docs
page_title: Upgrading to Vault 1.7.0 - Guides
page_title: Upgrading to Vault 1.7.x - Guides
description: |-
This page contains the list of deprecations and important or breaking changes
for Vault 1.7.0. Please read it carefully.
for Vault 1.7.x. Please read it carefully.
---

# Overview

This page contains the list of deprecations and important or breaking changes
for Vault 1.7.0 compared to 1.6. Please read it carefully.
for Vault 1.7.x compared to 1.6. Please read it carefully.

## Barrier Key Auto-Rotation

Expand All @@ -31,6 +31,8 @@ endpoint changes is available in the [AWS Auth API docs](/api-docs/auth/aws#depr

@include 'alpine-314.mdx'

@include 'entity-alias-mapping.mdx'

## Known Issues

Due to the known issue, Transform Secrets Engine users are recommended to upgrade to version 1.7.0.
Expand All @@ -48,3 +50,4 @@ Due to the known issue, Lease Count Quota users with DR Secondaries are recommen
@include 'transform-upgrade.mdx'

@include 'lease-count-quota-upgrade.mdx'

@@ -1,15 +1,15 @@
---
layout: docs
page_title: Upgrading to Vault 1.8.0 - Guides
page_title: Upgrading to Vault 1.8.x - Guides
description: |-
This page contains the list of deprecations and important or breaking changes
for Vault 1.8.0. Please read it carefully.
for Vault 1.8.x. Please read it carefully.
---

# Overview

This page contains the list of deprecations and important or breaking changes
for Vault 1.8.0 compared to 1.7. Please read it carefully.
for Vault 1.8.x compared to 1.7. Please read it carefully.

## License Enhancements

Expand Down Expand Up @@ -40,6 +40,9 @@ Notes](https://golang.org/doc/go1.16) for full details. Of particular note:

@include 'alpine-314.mdx'


@include 'entity-alias-mapping.mdx'

## Known Issues

- MSSQL integrations (storage and secrets engine) will crash with a "panic: not implemented" error
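Review bot: this hunk leaves two blank lines between `@include 'alpine-314.mdx'` and `@include 'entity-alias-mapping.mdx'`, while the corresponding hunks on the 1.7.x and 1.9.x pages separate the includes with a single blank line; drop one of the blank lines for consistency.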
@@ -1,15 +1,15 @@
---
layout: docs
page_title: Upgrading to Vault 1.9.0 - Guides
page_title: Upgrading to Vault 1.9.x - Guides
description: |-
This page contains the list of deprecations and important or breaking changes
for Vault 1.9.0. Please read it carefully.
for Vault 1.9.x. Please read it carefully.
---

# Overview

This page contains the list of deprecations and important or breaking changes
for Vault 1.9.0 compared to 1.8. Please read it carefully.
for Vault 1.9.x compared to 1.8. Please read it carefully.

## OIDC Provider

Expand Down Expand Up @@ -56,6 +56,8 @@ To re-enable the old behavior, update the roles with a value
of `"*"` to the `allowed_extensions` parameter allowing any/all extensions to be
specified by clients.

@include 'entity-alias-mapping.mdx'

## Deprecations

### HTTP Request Counter Deprecation
Expand Down Expand Up @@ -92,3 +94,4 @@ Additionally, Go has begun doing automated cipher suite ordering and no longer
respects the order of suites given in `tls_cipher_suites`.

See [this blog post](https://go.dev/blog/tls-cipher-suites) for more information.

7 changes: 7 additions & 0 deletions website/content/partials/entity-alias-mapping.mdx
@@ -0,0 +1,7 @@
## Entity Alias mapping

Previously, an entity in Vault could be mapped to multiple entity aliases on the same authentication backend. This
led to a potential security vulnerability (CVE-2021-43998), as ACL policies templated with alias information would match the first
alias created. Thus, tokens created from all aliases of the entity, will have access to the paths containing alias
metadata of the first alias due to templated policies being incorrectly applied. As a result, the mapping behavior was updated
such that an entity can only have one alias per authentication backend. This change exists in Vault 1.9.0+, 1.8.5+ and 1.7.6+.
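Review bot: the partial explains why the restriction was introduced but not what an operator whose existing entities already carry several aliases on one backend should expect after upgrading (whether the extra aliases are rejected, left in place, or must be cleaned up before the upgrade); for a partial included in upgrade guides that is the first question a reader will have, so suggest adding a sentence on it. Minor: the comma in "tokens created from all aliases of the entity, will have access" should be removed, and "authentication backend" should match whichever term the identity.mdx change settles on ("auth mount" there).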
12 changes: 6 additions & 6 deletions website/data/docs-nav-data.json
Expand Up @@ -1462,16 +1462,16 @@
"path": "upgrading/plugins"
},
{
"title": "Upgrade to 1.9.0",
"path": "upgrading/upgrade-to-1.9.0"
"title": "Upgrade to 1.9.x",
"path": "upgrading/upgrade-to-1.9.x"
},
{
"title": "Upgrade to 1.8.0",
"path": "upgrading/upgrade-to-1.8.0"
"title": "Upgrade to 1.8.x",
"path": "upgrading/upgrade-to-1.8.x"
},
{
"title": "Upgrade to 1.7.0",
"path": "upgrading/upgrade-to-1.7.0"
"title": "Upgrade to 1.7.x",
"path": "upgrading/upgrade-to-1.7.x"
},
{
"title": "Upgrade to 1.6.3",
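Review bot: the three nav entries move from `upgrading/upgrade-to-1.N.0` to `upgrading/upgrade-to-1.N.x`, so the old URLs stop resolving once the pages are renamed, but the diff contains no redirects from the old paths; suggest adding them so existing links to the 1.7.0, 1.8.0 and 1.9.0 upgrade pages keep working. The neighbouring "Upgrade to 1.6.3" entry keeps the patch-level naming, so the convention is now mixed; worth noting whether that is intentional.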