pivotal/credhub-release

ACL permission problem

jeffrey-hoc opened this issue · 2 comments

jeffrey-hoc commented

tl;dr:
We found the reason for the not working ACLs in credhub. There is a database table called "permissions" in credhub which contains all created permissions.
Unfortunately if you update one permissions it is not updating the existing entry in the table.
It is adding another table line. So if for example you change a permission path from /test/test to /test2/test2 both ACLS are matching. Workaround is to truncate the Table before updating existing Credhub ACLs.

Long version:
We think we found a bug in ACL handling.

In our environment we are using the bosh with uaa and credhub, for a multitenant we enabled acl and setup a permission block.

Exampled was copied from the spec file:
https://github.com/pivotal/credhub-release/blob/master/jobs/credhub/spec

permissions:
      - path: /test/*
        actors: [uaa-user:UAA-UUID,uaa-user:UAA-UUID]
        operations: [read,write,delete,read_acl,write_acl]
      - path: "/concourse/*"
        actors: [uaa-client:concourse]
        operations: [read]

Deployed the manifest and accessed the /test/test credential

Next we changed the permission:

permissions:
      - path: /concourse/*
        actors: [uaa-user:UAA-UUID,uaa-user:UAA-UUID]
        operations: [read,write,delete,read_acl,write_acl]
      - path: "/concourse/*"
        actors: [uaa-client:concourse]
        operations: [read]

Deployed the manifest and accessed the credential, now we are able to see /test/* and /concourse/*

But normally the user should only see /concourse/*

We investigated the problem and found out that the permission block gets written to the database. But it does not check if there is already a permission in place.

It will just add the permission at the end of the table and credhub will find multiple matching permission and displays all of them to the user.

Our solution was to truncated the permission table and then deploy the manifest again.

What version of the credhub server you are using?
Server Version: 2.5.9

What version of the credhub cli you are using?
CLI Version: 2.7.0

cf-gitbot commented

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/172172020

The labels on this github issue will be updated when the story is started.

zzori-theoriginal commented

Hi! Thank you for reaching out. This is actually expected behavior for BOSH. It will only add new permissions or update the operations for existing permissions, but it won't delete permissions. Unfortunately, you will have to talk to CredHub directly to delete those permissions.