Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Identity groups not properly cleaned/merged with identity/entity/merge request #10084

Closed
mdgreenfield opened this issue Oct 3, 2020 · 1 comment · Fixed by #10085
Closed

Identity groups not properly cleaned/merged with identity/entity/merge request #10084

mdgreenfield opened this issue Oct 3, 2020 · 1 comment · Fixed by #10085
Labels
bug Used to indicate a potential bug core/identity

Comments

@mdgreenfield
Copy link
Contributor

Describe the bug
Assume there are two entities, toEntity and fromEntity. fromEntity is a member of groupA. If fromEntity is merged into toEntity a success message is returned. However, there are several problems:

  1. groupA does not have the fromEntity ID removed from member_entity_ids. Trying to update groupA's name only results in an error.
  2. toEntity does not have its direct_group_ids updated to include the groupA ID of fromEntity.

To Reproduce
Steps to reproduce the behavior:

  1. Run vault server -dev
  2. Create fromEntity - fromEntity=$(vault write -field=id identity/entity name=child)
  3. Create toEntity - toEntity=$(vault write -field=id identity/entity name=parent)
  4. Create groupA - groupA=$(vault write -field=id identity/group name=groupA member_entity_ids=$fromEntity)
  5. Merge fromEntity into toEntity - vault write identity/entity/merge to_entity_id=$toEntity from_entity_ids=$fromEntity
  6. Update groupA name to updatedGroupA - vault write identity/group/id/$groupA name=updatedGroupA. Observe this results in the following error: 
    Error writing data to identity/group/id/08dabd46-bfa9-8bc1-ce15-1a154e9fa50a: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/identity/group/id/08dabd46-bfa9-8bc1-ce15-1a154e9fa50a
Code: 500. Errors:

* 1 error occurred:
        * invalid entity ID "ff767f9f-aa78-a4c0-98f8-f1bf1548ab66"
  7. Fetch groupA member entity ID - groupA_member_id=$(vault read -field=member_entity_ids -format=json identity/group/id/$groupA | jq -r '.[0]')
  8. Read the member entity ID and observe it does not exist - vault read identity/entity/id/$groupA_member_id
  9. Read the group IDs linked to toEntity and observe that the group IDs are valid - vault read -field=group_ids identity/entity/id/$toEntity

Expected behavior
The groupA member_entity_ids should not contain an effectively deleted entity ID and merged entities should have their groups merged into the parent entity.

Environment:

  • Vault Server Version (retrieve with vault status): 1.5.4
  • Vault CLI Version (retrieve with vault version): 1.5.4

Additional context
Whether or not groups should get merged into the toEntity I'm less sure about because when identity/entity/merge is called policies are not merged. However, it does look like policies maybe get merged when an implicit entity is created on login.
@mdgreenfield mdgreenfield mentioned this issue Oct 3, 2020
Merged
@raskchanky raskchanky added bug Used to indicate a potential bug core/identity labels Oct 5, 2020
@indjb indjb mentioned this issue Oct 23, 2020
Closed
@hghaf099
Copy link
Contributor

Waiting for response in the PR

mdgreenfield added a commit to mdgreenfield/vault that referenced this issue Sep 28, 2021
@mdgreenfield
Fix entity group associations
b2d88d8 
- When two entities are merged, remove the from entity ID in any
  associated groups.
- When two entities are merged, also merge their associated group
  memberships.

Fixes hashicorp#10084
hghaf099 pushed a commit that referenced this issue Oct 1, 2021
@mdgreenfield
Fix entity group associations (#10085)
2844dfa 
- When two entities are merged, remove the from entity ID in any
  associated groups.
- When two entities are merged, also merge their associated group
  memberships.

Fixes #10084
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Used to indicate a potential bug core/identity
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix entity group associations mdgreenfield/vault
3 participants
@raskchanky @mdgreenfield @hghaf099