Vault identity engine does not return data when updating identity groups #29150

Status: Open
kacper1112 opened this issue Dec 11, 2024 · 1 comment
Labels: bug (Used to indicate a potential bug), core/identity

Comments

@kacper1112

Describe the bug
When updating an existing identity group by its name or its ID via the CLI write command or via HTTP API POST requests, an empty response is returned from Vault. The changes are applied in the backend.

To Reproduce
We can directly follow the example from the documentation.

  1. Prepare the payload for group creation

    {
      "metadata": {
        "hello": "everyone"
      },
      "policies": ["grouppolicy2", "grouppolicy3"]
    }
  2. Create the group

    curl \
        --header "X-Vault-Token: ${VAULT_TOKEN}" \
        --request POST \
        --data @payload.json \
        ${VAULT_ADDR}/v1/identity/group/name/testgroupname
    {
      "request_id": "6fa34fac-3dba-6f58-47fe-fce0eab6c1f6",
      "lease_id": "",
      "renewable": false,
      "lease_duration": 0,
      "data": {
        "id": "df2f29ee-5f78-93b6-48b4-526bd86620fe",
        "name": "testgroupname"
      },
      "wrap_info": null,
      "warnings": null,
      "auth": null,
      "mount_type": "identity"
    }
  3. Validate the group's existence

    curl \
        --header "X-Vault-Token: ${VAULT_TOKEN}" \
        ${VAULT_ADDR}/v1/identity/group/name/testgroupname
    {
      "request_id": "3bcd7fce-fea1-bf93-2584-32c524ba31f4",
      "lease_id": "",
      "renewable": false,
      "lease_duration": 0,
      "data": {
        "alias": {},
        "creation_time": "2024-12-11T16:07:52.460349999Z",
        "id": "df2f29ee-5f78-93b6-48b4-526bd86620fe",
        "last_update_time": "2024-12-11T16:07:52.460349999Z",
        "member_entity_ids": null,
        "member_group_ids": null,
        "metadata": {
          "hello": "everyone"
        },
        "modify_index": 1,
        "name": "testgroupname",
        "namespace_id": "root",
        "parent_group_ids": null,
        "policies": [
          "grouppolicy2",
          "grouppolicy3"
        ],
        "type": "internal"
      },
      "wrap_info": null,
      "warnings": null,
      "auth": null,
      "mount_type": "identity"
    }
  4. Prepare the payload for group update (policy change in this case)

    {
      "metadata": {
        "hello": "everyone"
      },
      "policies": ["a_new_policy"]
    }
  5. Update the group

    curl \
        --header "X-Vault-Token: ${VAULT_TOKEN}" \
        --request POST \
        --data @payload_update.json \
        ${VAULT_ADDR}/v1/identity/group/name/testgroupname

    empty 204 response received from Vault

  6. (optional) Validate the update

    curl \
        --header "X-Vault-Token: ${VAULT_TOKEN}" \
        ${VAULT_ADDR}/v1/identity/group/name/testgroupname
    {
      "request_id": "4b7a1091-36e8-8cd9-0681-7076d68b4f34",
      "lease_id": "",
      "renewable": false,
      "lease_duration": 0,
      "data": {
        "alias": {},
        "creation_time": "2024-12-11T16:07:52.460349999Z",
        "id": "df2f29ee-5f78-93b6-48b4-526bd86620fe",
        "last_update_time": "2024-12-11T16:12:24.408443433Z",
        "member_entity_ids": null,
        "member_group_ids": null,
        "metadata": {
          "hello": "everyone"
        },
        "modify_index": 2,
        "name": "testgroupname",
        "namespace_id": "root",
        "parent_group_ids": null,
        "policies": [
          "a_new_policy"
        ],
        "type": "internal"
      },
      "wrap_info": null,
      "warnings": null,
      "auth": null,
      "mount_type": "identity"
    }

Expected behavior
According to the documentation (Update group by ID and Create/Update group by name) the "update" operation should return information about the group the same way as "create" does.

Environment:
Vault Server Version: 1.17.6
Vault CLI Version: Vault v1.18.2 (e36bac59ddb8e10e8912c0ddb44416c850939855), built 2024-11-20T11:24:56Z
Server Operating System/Architecture: Ubuntu 20.04 server, macOS 15.1.1 client

Additional context
As the docs do not explicitly state what the response in case of "update" should be (they just give a "sample"), here's a supporting case:

We manage the identity groups via a custom "IaC" solution. To keep the Vault up to date, we:

  1. Iterate over the groups in the config.
  2. Write the group to Vault (to either create or update it).
  3. Read the group to fetch its ID (which is not stored in the local config as it's Vault generated).
  4. Write a group alias to Vault (using the group fetched in step 3).

Having at least the ID always returned from the write operation, no matter if it's an "update" or a "create", would save us a read for each of the groups.
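As an added example (not code from the issue or from Vault itself), here is a client-side wrapper for the create-or-update-then-read workflow described above and exercised step by step in the reproduction: it treats the empty 204 from an update as success without a body and falls back to a GET to recover the group ID. The `Transport` callable and `FakeVault` are hypothetical stand-ins so the example runs offline; against a real server, the transport would issue the HTTP request with the X-Vault-Token header.

```python
import json
from typing import Callable, Optional, Tuple

# A transport maps (method, path, json_payload) to (status_code, body_bytes).
# Assumption for this example: it already carries the X-Vault-Token header.
Transport = Callable[[str, str, Optional[dict]], Tuple[int, bytes]]


def write_group(transport: Transport, name: str, payload: dict) -> str:
    """POST identity/group/name/<name> and return the group's ID.

    On create Vault answers 200 with data.id; on update it answers 204
    with no body (the behaviour reported in the issue), so the ID is
    recovered with a follow-up GET instead of failing on the empty body.
    """
    status, body = transport("POST", f"/v1/identity/group/name/{name}", payload)
    if status == 200 and body:
        return json.loads(body)["data"]["id"]
    if status != 204:
        raise RuntimeError(f"unexpected status {status} writing group {name}")
    status, body = transport("GET", f"/v1/identity/group/name/{name}", None)
    if status != 200:
        raise RuntimeError(f"group {name} not readable after update ({status})")
    return json.loads(body)["data"]["id"]


class FakeVault:
    """Constructed in-memory stand-in mimicking the responses seen in the report."""

    def __init__(self) -> None:
        self.groups: dict = {}

    def request(self, method: str, path: str, payload: Optional[dict]) -> Tuple[int, bytes]:
        name = path.rsplit("/", 1)[-1]
        if method == "POST":
            is_new = name not in self.groups
            self.groups.setdefault(name, {"id": f"id-{name}"})  # constructed ID
            self.groups[name].update(payload or {})
            if not is_new:
                return 204, b""  # update: empty response, as reported
            data = {"id": self.groups[name]["id"], "name": name}
            return 200, json.dumps({"data": data}).encode()
        if method == "GET" and name in self.groups:
            data = dict(self.groups[name], name=name)
            return 200, json.dumps({"data": data}).encode()
        return 404, b""
```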

@heatherezell added the labels bug (Used to indicate a potential bug), core/identity and core/cli, and removed core/cli, on Dec 11, 2024
@kacper1112 (Author)

For more context, I found a related issue: #6852. Unfortunately, it seems like this is expected behaviour for the sake of consistency 🙃 However, that was over 3 years ago; maybe things have changed?

From the code perspective, it seems like it would be a trivial change:

if !newGroup {
    return nil, nil
}

At the very least, I would appreciate updating the documentation, as it's misleading.
