Preflight check fails with ACL wildcard in path for kv get command

[nathkn]

Describe the bug
When using the new ACL wildcard paths like secret/data/foo/+/baz, the preflight check will fail, at least in the CLI using vault kv get, even though the vault read command succeeds

To Reproduce
Steps to reproduce the behavior:

1. Run vault dev server with the KV v2 secrets engine enabled at secret/
2. Run vault kv put secret/foo/bar/baz value=data
3. Run

vault policy write policy -<<EOF
path "secret/data/foo/+/baz" {
  capabilities = ["read"]
}
EOF

4. Create a token with that policy: vault token create -orphan -policy=policy
5. Using that token, run the following commands and receive the following results:

$ vault kv get secret/foo/bar/baz
Error making API request.

URL: GET http://localhost:8200/v1/sys/internal/ui/mounts/secret/foo/bar/baz
Code: 403. Errors:

* preflight capability check returned 403, please ensure client's policies grant access to path "secret/foo/bar/baz/"

$ vault read secret/data/foo/bar/baz
Key         Value
---         -----
data        map[value:data]
metadata    map[deletion_time: destroyed:false version:1 created_time:2019-04-03T13:59:28.5410372Z]

Expected behavior
The preflight check should succeed.

Environment:

• Vault Server Version (retrieve with vault status): 1.1.0
• Vault CLI Version (retrieve with vault version): 1.1.0
• Server Operating System/Architecture: Debian Stretch

[jefferai]

Edit: I'm tired, ignore my claim of non-reproduction.

[jefferai]

Thanks for the complete reproduction steps!