Add ability to disable an entity (#4353)

2018-04-13 21:49:40 -04:00 · 2018-04-13 21:49:40 -04:00 · 530121c655
parent c1209b0cd5
commit 530121c655
8 changed files with 299 additions and 59 deletions
--- a/helper/identity/types.pb.go
+++ b/helper/identity/types.pb.go
@ -200,6 +200,9 @@ type Entity struct {
 	// the entities belonging to a particular bucket during invalidation of the
 	// storage key.
 	BucketKeyHash string `sentinel:"" protobuf:"bytes,9,opt,name=bucket_key_hash,json=bucketKeyHash" json:"bucket_key_hash,omitempty"`
 	// Disabled indicates whether tokens associated with the account should not
 	// be able to be used
 	Disabled bool `sentinel:"" protobuf:"varint,11,opt,name=disabled" json:"disabled,omitempty"`
 }
 func (m *Entity) Reset()                    { *m = Entity{} }
@ -270,6 +273,13 @@ func (m *Entity) GetBucketKeyHash() string {
 	return ""
 }
 func (m *Entity) GetDisabled() bool {
 	if m != nil {
 		return m.Disabled
 	}
 	return false
 }
 // Alias represents the alias that gets stored inside of the
 // entity object in storage and also represents in an in-memory index of an
 // alias object.
@ -392,43 +402,44 @@ func init() {
 func init() { proto.RegisterFile("types.proto", fileDescriptor0) }
 var fileDescriptor0 = []byte{
-	// 603 bytes of a gzipped FileDescriptorProto
+	// 617 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xac, 0x93, 0xdd, 0x6e, 0xd3, 0x30,
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xac, 0x94, 0xdd, 0x6e, 0xd3, 0x30,
-	0x14, 0xc7, 0xd5, 0xa6, 0x9f, 0x27, 0x5d, 0x37, 0x2c, 0x84, 0x4c, 0xa5, 0x41, 0x37, 0x69, 0x28,
+	0x14, 0xc7, 0xd5, 0xa6, 0x1f, 0xe9, 0x69, 0xd7, 0x0d, 0x0b, 0x21, 0x53, 0x69, 0xd0, 0x4d, 0x1a,
-	0x70, 0x91, 0x49, 0xe3, 0x86, 0x8d, 0x0b, 0x34, 0xc1, 0x80, 0x09, 0x21, 0xa1, 0x68, 0x5c, 0x47,
+	0x2a, 0x5c, 0x64, 0xd2, 0xb8, 0x61, 0xe3, 0x02, 0x4d, 0x30, 0x60, 0x42, 0x48, 0x28, 0x1a, 0xd7,
-	0x6e, 0xe2, 0xb5, 0xd6, 0x92, 0x38, 0x8a, 0x1d, 0x44, 0x5e, 0x87, 0x97, 0xe1, 0x69, 0x78, 0x07,
+	0x91, 0x1b, 0x7b, 0xad, 0xb5, 0x24, 0x8e, 0x62, 0x17, 0x91, 0xd7, 0xe1, 0xd5, 0xb8, 0xe6, 0x1d,
-	0xe4, 0xe3, 0xa6, 0x0d, 0x74, 0x7c, 0x4c, 0xdb, 0x9d, 0xf3, 0x3f, 0xc7, 0xc7, 0x27, 0xe7, 0xff,
+	0x90, 0x8f, 0x9b, 0x36, 0xd0, 0xf1, 0x31, 0x6d, 0x77, 0xf6, 0xff, 0x1c, 0x1f, 0x1f, 0x9f, 0xff,
-	0x3b, 0xe0, 0xea, 0x2a, 0xe7, 0xca, 0xcf, 0x0b, 0xa9, 0x25, 0x19, 0x88, 0x98, 0x67, 0x5a, 0xe8,
+	0x2f, 0x81, 0xbe, 0x29, 0x73, 0xa1, 0x83, 0xbc, 0x50, 0x46, 0x11, 0x5f, 0x72, 0x91, 0x19, 0x69,
-	0x6a, 0xf2, 0x78, 0x2e, 0xe5, 0x3c, 0xe1, 0x87, 0xa8, 0xcf, 0xca, 0xcb, 0x43, 0x2d, 0x52, 0xae,
+	0xca, 0xd1, 0xe3, 0x99, 0x52, 0xb3, 0x44, 0x1c, 0xa2, 0x3e, 0x5d, 0x5c, 0x1e, 0x1a, 0x99, 0x0a,
-	0x34, 0x4b, 0x73, 0x9b, 0xba, 0xff, 0xad, 0x03, 0xdd, 0x77, 0x85, 0x2c, 0x73, 0x32, 0x86, 0xb6,
+	0x6d, 0x58, 0x9a, 0xbb, 0xd4, 0xfd, 0x6f, 0x2d, 0x68, 0xbf, 0x2b, 0xd4, 0x22, 0x27, 0x43, 0x68,
-	0x88, 0x69, 0x6b, 0xda, 0xf2, 0x86, 0x41, 0x5b, 0xc4, 0x84, 0x40, 0x27, 0x63, 0x29, 0xa7, 0x6d,
+	0x4a, 0x4e, 0x1b, 0xe3, 0xc6, 0xa4, 0x17, 0x36, 0x25, 0x27, 0x04, 0x5a, 0x19, 0x4b, 0x05, 0x6d,
-	0x54, 0xf0, 0x4c, 0x26, 0x30, 0xc8, 0x65, 0x22, 0x22, 0xc1, 0x15, 0x75, 0xa6, 0x8e, 0x37, 0x0c,
+	0xa2, 0x82, 0x6b, 0x32, 0x02, 0x3f, 0x57, 0x89, 0x8c, 0xa5, 0xd0, 0xd4, 0x1b, 0x7b, 0x93, 0x5e,
-	0x56, 0xdf, 0xc4, 0x83, 0x9d, 0x9c, 0x15, 0x3c, 0xd3, 0xe1, 0xdc, 0xd4, 0x0b, 0x45, 0xac, 0x68,
+	0xb8, 0xda, 0x93, 0x09, 0xec, 0xe4, 0xac, 0x10, 0x99, 0x89, 0x66, 0xb6, 0x5e, 0x24, 0xb9, 0xa6,
-	0x07, 0x73, 0xc6, 0x56, 0xc7, 0x67, 0xce, 0x63, 0x45, 0x9e, 0xc1, 0xbd, 0x94, 0xa7, 0x33, 0x5e,
+	0x2d, 0xcc, 0x19, 0x3a, 0x1d, 0xaf, 0x39, 0xe7, 0x9a, 0x3c, 0x83, 0x7b, 0xa9, 0x48, 0xa7, 0xa2,
-	0x84, 0xb6, 0x4b, 0x4c, 0xed, 0x62, 0xea, 0xb6, 0x0d, 0x9c, 0xa1, 0x6e, 0x72, 0x8f, 0x61, 0x90,
+	0x88, 0x5c, 0x97, 0x98, 0xda, 0xc6, 0xd4, 0x6d, 0x17, 0x38, 0x43, 0xdd, 0xe6, 0x1e, 0x83, 0x9f,
-	0x72, 0xcd, 0x62, 0xa6, 0x19, 0xed, 0x4d, 0x1d, 0xcf, 0x3d, 0xda, 0xf5, 0xeb, 0xbf, 0xf3, 0xb1,
+	0x0a, 0xc3, 0x38, 0x33, 0x8c, 0x76, 0xc6, 0xde, 0xa4, 0x7f, 0xb4, 0x1b, 0x54, 0xaf, 0x0b, 0xb0,
-	0xa2, 0xff, 0x71, 0x19, 0x3f, 0xcb, 0x74, 0x51, 0x05, 0xab, 0x74, 0xf2, 0x0a, 0xb6, 0xa2, 0x82,
+	0x62, 0xf0, 0x71, 0x19, 0x3f, 0xcb, 0x4c, 0x51, 0x86, 0xab, 0x74, 0xf2, 0x0a, 0xb6, 0xe2, 0x42,
-	0x33, 0x2d, 0x64, 0x16, 0x9a, 0xdf, 0xa6, 0xfd, 0x69, 0xcb, 0x73, 0x8f, 0x26, 0xbe, 0x9d, 0x89,
+	0x30, 0x23, 0x55, 0x16, 0xd9, 0x67, 0xd3, 0xee, 0xb8, 0x31, 0xe9, 0x1f, 0x8d, 0x02, 0x37, 0x93,
-	0x5f, 0xcf, 0xc4, 0xbf, 0xa8, 0x67, 0x12, 0x8c, 0xea, 0x0b, 0x46, 0x22, 0x6f, 0x60, 0x27, 0x61,
+	0xa0, 0x9a, 0x49, 0x70, 0x51, 0xcd, 0x24, 0x1c, 0x54, 0x07, 0xac, 0x44, 0xde, 0xc0, 0x4e, 0xc2,
-	0x4a, 0x87, 0x65, 0x1e, 0x33, 0xcd, 0x6d, 0x8d, 0xc1, 0x3f, 0x6b, 0x8c, 0xcd, 0x9d, 0xcf, 0x78,
+	0xb4, 0x89, 0x16, 0x39, 0x67, 0x46, 0xb8, 0x1a, 0xfe, 0x3f, 0x6b, 0x0c, 0xed, 0x99, 0xcf, 0x78,
-	0x05, 0xab, 0xec, 0xc1, 0x28, 0x95, 0xb1, 0xb8, 0xac, 0x42, 0x91, 0xc5, 0xfc, 0x2b, 0x1d, 0x4e,
+	0x04, 0xab, 0xec, 0xc1, 0x20, 0x55, 0x5c, 0x5e, 0x96, 0x91, 0xcc, 0xb8, 0xf8, 0x4a, 0x7b, 0xe3,
-	0x5b, 0x5e, 0x27, 0x70, 0xad, 0x76, 0x6e, 0x24, 0xf2, 0x04, 0xb6, 0x67, 0x65, 0x74, 0xc5, 0x75,
+	0xc6, 0xa4, 0x15, 0xf6, 0x9d, 0x76, 0x6e, 0x25, 0xf2, 0x04, 0xb6, 0xa7, 0x8b, 0xf8, 0x4a, 0x98,
-	0x78, 0xc5, 0xab, 0x70, 0xc1, 0xd4, 0x82, 0x02, 0x4e, 0x7d, 0xcb, 0xca, 0x1f, 0x78, 0xf5, 0x9e,
+	0xe8, 0x4a, 0x94, 0xd1, 0x9c, 0xe9, 0x39, 0x05, 0x9c, 0xfa, 0x96, 0x93, 0x3f, 0x88, 0xf2, 0x3d,
-	0xa9, 0x05, 0x39, 0x80, 0x2e, 0x4b, 0x04, 0x53, 0xd4, 0xc5, 0x2e, 0xb6, 0xd7, 0x93, 0x38, 0x35,
+	0xd3, 0x73, 0x72, 0x00, 0x6d, 0x96, 0x48, 0xa6, 0x69, 0x1f, 0xbb, 0xd8, 0x5e, 0x4f, 0xe2, 0xd4,
-	0x72, 0x60, 0xa3, 0xc6, 0x39, 0x43, 0x03, 0x1d, 0x59, 0xe7, 0xcc, 0x79, 0xf2, 0x12, 0xb6, 0x7e,
+	0xca, 0xa1, 0x8b, 0x5a, 0xe7, 0x2c, 0x0d, 0x74, 0xe0, 0x9c, 0xb3, 0xeb, 0xd1, 0x4b, 0xd8, 0xfa,
-	0x99, 0x13, 0xd9, 0x01, 0xe7, 0x8a, 0x57, 0x4b, 0xbf, 0xcd, 0x91, 0xdc, 0x87, 0xee, 0x17, 0x96,
+	0x65, 0x4e, 0x64, 0x07, 0xbc, 0x2b, 0x51, 0x2e, 0xfd, 0xb6, 0x4b, 0x72, 0x1f, 0xda, 0x5f, 0x58,
-	0x94, 0xb5, 0xe3, 0xf6, 0xe3, 0xa4, 0xfd, 0xa2, 0xb5, 0xff, 0xdd, 0x81, 0x9e, 0xb5, 0x84, 0x3c,
+	0xb2, 0xa8, 0x1c, 0x77, 0x9b, 0x93, 0xe6, 0x8b, 0xc6, 0xfe, 0x77, 0x0f, 0x3a, 0xce, 0x12, 0xf2,
-	0x85, 0x3e, 0x3e, 0xc2, 0x15, 0x6d, 0xa1, 0x1d, 0x1b, 0x4d, 0xd4, 0xf1, 0x25, 0x50, 0xed, 0x0d,
+	0x14, 0xba, 0x78, 0x89, 0xd0, 0xb4, 0x81, 0x76, 0x6c, 0x34, 0x51, 0xc5, 0x97, 0x40, 0x35, 0x37,
-	0xa0, 0x9c, 0x06, 0x50, 0x27, 0x0d, 0x7b, 0x3b, 0x58, 0xef, 0xd1, 0xba, 0x9e, 0x7d, 0xf2, 0xff,
+	0x80, 0xf2, 0x6a, 0x40, 0x9d, 0xd4, 0xec, 0x6d, 0x61, 0xbd, 0x47, 0xeb, 0x7a, 0xee, 0xca, 0xff,
-	0xfd, 0xed, 0xde, 0x81, 0xbf, 0xbd, 0x1b, 0xfb, 0x8b, 0x34, 0x17, 0x73, 0x1e, 0x37, 0x69, 0xee,
+	0xf7, 0xb7, 0x7d, 0x07, 0xfe, 0x76, 0x6e, 0xec, 0x2f, 0xd2, 0x5c, 0xcc, 0x04, 0xaf, 0xd3, 0xdc,
-	0xd7, 0x34, 0x9b, 0xc0, 0x9a, 0xe6, 0xe6, 0xfe, 0x0c, 0x7e, 0xdb, 0x9f, 0x6b, 0x20, 0x18, 0x5e,
+	0xad, 0x68, 0xb6, 0x81, 0x35, 0xcd, 0xf5, 0xef, 0xc7, 0xff, 0xed, 0xfb, 0xb9, 0x06, 0x82, 0xde,
-	0x03, 0xc1, 0xed, 0x9c, 0xfc, 0xe1, 0x40, 0x17, 0x6d, 0xda, 0x58, 0xf7, 0x3d, 0x18, 0x45, 0x2c,
+	0x75, 0x10, 0x8c, 0xc0, 0xe7, 0x52, 0xb3, 0x69, 0x22, 0x38, 0x72, 0xe0, 0x87, 0xab, 0xfd, 0xed,
-	0x93, 0x99, 0x88, 0x58, 0x12, 0xae, 0x7c, 0x73, 0x57, 0xda, 0x79, 0x4c, 0x76, 0x01, 0x52, 0x59,
+	0x5c, 0xfe, 0xe1, 0x41, 0x1b, 0x2d, 0xdc, 0xf8, 0x15, 0xec, 0xc1, 0x20, 0x66, 0x99, 0xca, 0x64,
-	0x66, 0x3a, 0x44, 0xba, 0xac, 0x8d, 0x43, 0x54, 0x2e, 0xaa, 0x9c, 0x93, 0x03, 0x18, 0xdb, 0x30,
+	0xcc, 0x92, 0x68, 0xe5, 0x69, 0x7f, 0xa5, 0x9d, 0x73, 0xb2, 0x0b, 0x90, 0xaa, 0x45, 0x66, 0x22,
-	0x8b, 0x22, 0xae, 0x94, 0x2c, 0x68, 0xc7, 0xf6, 0x8f, 0xea, 0xe9, 0x52, 0x5c, 0x57, 0xc9, 0x99,
+	0x24, 0xcf, 0x59, 0xdc, 0x43, 0xe5, 0xa2, 0xcc, 0x05, 0x39, 0x80, 0xa1, 0x0b, 0xb3, 0x38, 0x16,
-	0x5e, 0xa0, 0x67, 0x75, 0x95, 0x4f, 0x4c, 0x2f, 0xfe, 0xbe, 0xf0, 0xd8, 0xfa, 0x1f, 0x81, 0xa8,
+	0x5a, 0xab, 0x82, 0xb6, 0xdc, 0xdb, 0x50, 0x3d, 0x5d, 0x8a, 0xeb, 0x2a, 0x39, 0x33, 0x73, 0xf4,
-	0x01, 0xeb, 0x37, 0x00, 0xdb, 0x80, 0x64, 0x70, 0x07, 0x90, 0x0c, 0x6f, 0x0c, 0xc9, 0x31, 0x3c,
+	0xb3, 0xaa, 0xf2, 0x89, 0x99, 0xf9, 0xdf, 0x7f, 0x06, 0xd8, 0xfa, 0x1f, 0x61, 0xa9, 0xe0, 0xeb,
-	0x5c, 0x42, 0x72, 0x59, 0xc8, 0x34, 0x6c, 0x4e, 0x5a, 0x51, 0x40, 0x12, 0x1e, 0xd8, 0x84, 0xb7,
+	0xd6, 0xe0, 0xdb, 0x00, 0xc8, 0xbf, 0x03, 0x80, 0x7a, 0x37, 0x06, 0xe8, 0x18, 0x1e, 0x2e, 0x01,
-	0x85, 0x4c, 0x5f, 0xaf, 0x87, 0xae, 0x6e, 0xe5, 0xf7, 0xac, 0x87, 0xbd, 0x3d, 0xff, 0x19, 0x00,
+	0xba, 0x2c, 0x54, 0x1a, 0xd5, 0x27, 0xad, 0x29, 0x20, 0x25, 0x0f, 0x5c, 0xc2, 0xdb, 0x42, 0xa5,
-	0x00, 0xff, 0xff, 0x8e, 0x4a, 0xc5, 0xdb, 0x1f, 0x06, 0x00, 0x00,
+	0xaf, 0xd7, 0x43, 0xd7, 0xb7, 0xf2, 0x7b, 0xda, 0xc1, 0xde, 0x9e, 0xff, 0x0c, 0x00, 0x00, 0xff,
 	0xff, 0x60, 0x0b, 0xc9, 0x74, 0x3b, 0x06, 0x00, 0x00,
 }
--- a/helper/identity/types.proto
+++ b/helper/identity/types.proto
@ -110,6 +110,10 @@ message Entity {
 	// MFASecrets holds the MFA secrets indexed by the identifier of the MFA
 	// method configuration.
 	//map<string, mfa.Secret> mfa_secrets = 10;
 	// Disabled indicates whether tokens associated with the account should not
 	// be able to be used
 	bool disabled = 11;
 }
 // Alias represents the alias that gets stored inside of the
--- a/logical/request.go
+++ b/logical/request.go
@ -273,6 +273,10 @@ var (
 	// ErrPermissionDenied is returned if the client is not authorized
 	ErrPermissionDenied = errors.New("permission denied")
 	// ErrDisabledEntity is returned if the entity tied to a token is marked as
 	// disabled
 	ErrEntityDisabled = errors.New("entity associated with token is disabled")
 	// ErrMultiAuthzPending is returned if the the request needs more
 	// authorizations
 	ErrMultiAuthzPending = errors.New("request needs further approval")
--- a/vault/core.go
+++ b/vault/core.go
@ -802,6 +802,10 @@ func (c *Core) checkToken(ctx context.Context, req *logical.Request, unauth bool
 		}
 	}
 	if entity != nil && entity.Disabled {
 		return nil, te, logical.ErrEntityDisabled
 	}
 	// Check if this is a root protected path
 	rootPath := c.router.RootPath(req.Path)
@ -1319,20 +1323,21 @@ func (c *Core) sealInitCommon(ctx context.Context, req *logical.Request) (retErr
 		return retErr
 	}
 	// Since there is no token store in standby nodes, sealing cannot be done.
 	// Ideally, the request has to be forwarded to leader node for validation
 	// and the operation should be performed. But for now, just returning with
 	// an error and recommending a vault restart, which essentially does the
 	// same thing.
 	if c.standby {
 		c.logger.Error("vault cannot seal when in standby mode; please restart instead")
 		retErr = multierror.Append(retErr, errors.New("vault cannot seal when in standby mode; please restart instead"))
 		c.stateLock.RUnlock()
 		return retErr
 	}
 	// Validate the token is a root token
 	acl, te, entity, err := c.fetchACLTokenEntryAndEntity(req.ClientToken)
 	if err != nil {
 		// Since there is no token store in standby nodes, sealing cannot
 		// be done. Ideally, the request has to be forwarded to leader node
 		// for validation and the operation should be performed. But for now,
 		// just returning with an error and recommending a vault restart, which
 		// essentially does the same thing.
 		if c.standby {
 			c.logger.Error("vault cannot seal when in standby mode; please restart instead")
 			retErr = multierror.Append(retErr, errors.New("vault cannot seal when in standby mode; please restart instead"))
 			c.stateLock.RUnlock()
 			return retErr
 		}
 		retErr = multierror.Append(retErr, err)
 		c.stateLock.RUnlock()
 		return retErr
@ -1341,10 +1346,12 @@ func (c *Core) sealInitCommon(ctx context.Context, req *logical.Request) (retErr
 	// Audit-log the request before going any further
 	auth := &logical.Auth{
 		ClientToken: req.ClientToken,
-		Policies:    te.Policies,
+	}
-		Metadata:    te.Meta,
+	if te != nil {
-		DisplayName: te.DisplayName,
+		auth.Policies = te.Policies
-		EntityID:    te.EntityID,
+		auth.Metadata = te.Meta
 		auth.DisplayName = te.DisplayName
 		auth.EntityID = te.EntityID
 	}
 	logInput := &audit.LogInput{
@ -1358,6 +1365,12 @@ func (c *Core) sealInitCommon(ctx context.Context, req *logical.Request) (retErr
 		return retErr
 	}
 	if entity != nil && entity.Disabled {
 		retErr = multierror.Append(retErr, logical.ErrEntityDisabled)
 		c.stateLock.RUnlock()
 		return retErr
 	}
 	// Attempt to use the token (decrement num_uses)
 	// On error bail out; if the token has been revoked, bail out too
 	if te != nil {
@ -1450,10 +1463,12 @@ func (c *Core) StepDown(req *logical.Request) (retErr error) {
 	// Audit-log the request before going any further
 	auth := &logical.Auth{
 		ClientToken: req.ClientToken,
-		Policies:    te.Policies,
+	}
-		Metadata:    te.Meta,
+	if te != nil {
-		DisplayName: te.DisplayName,
+		auth.Policies = te.Policies
-		EntityID:    te.EntityID,
+		auth.Metadata = te.Meta
 		auth.DisplayName = te.DisplayName
 		auth.EntityID = te.EntityID
 	}
 	logInput := &audit.LogInput{
@ -1466,6 +1481,12 @@ func (c *Core) StepDown(req *logical.Request) (retErr error) {
 		return retErr
 	}
 	if entity != nil && entity.Disabled {
 		retErr = multierror.Append(retErr, logical.ErrEntityDisabled)
 		c.stateLock.RUnlock()
 		return retErr
 	}
 	// Attempt to use the token (decrement num_uses)
 	if te != nil {
 		te, err = c.tokenStore.UseToken(ctx, te)
--- a/vault/identity_store_entities.go
+++ b/vault/identity_store_entities.go
@ -45,6 +45,10 @@ vault <command> <path> metadata=key1=value1 metadata=key2=value2
 					Type:        framework.TypeCommaStringSlice,
 					Description: "Policies to be tied to the entity.",
 				},
 				"disabled": {
 					Type:        framework.TypeBool,
 					Description: "If set true, tokens tied to this identity will not be able to be used (but will not be revoked).",
 				},
 			},
 			Callbacks: map[logical.Operation]framework.OperationFunc{
 				logical.UpdateOperation: i.pathEntityRegister(),
@ -76,6 +80,10 @@ vault <command> <path> metadata=key1=value1 metadata=key2=value2
 					Type:        framework.TypeCommaStringSlice,
 					Description: "Policies to be tied to the entity.",
 				},
 				"disabled": {
 					Type:        framework.TypeBool,
 					Description: "If set true, tokens tied to this identity will not be able to be used (but will not be revoked).",
 				},
 			},
 			Callbacks: map[logical.Operation]framework.OperationFunc{
 				logical.UpdateOperation: i.pathEntityIDUpdate(),
@ -354,6 +362,11 @@ func (i *IdentityStore) handleEntityUpdateCommon(req *logical.Request, d *framew
 		entity.Policies = entityPoliciesRaw.([]string)
 	}
 	disabledRaw, ok := d.GetOk("disabled")
 	if ok {
 		entity.Disabled = disabledRaw.(bool)
 	}
 	// Get the name
 	entityName := d.Get("name").(string)
 	if entityName != "" {
@ -434,6 +447,7 @@ func (i *IdentityStore) handleEntityReadCommon(entity *identity.Entity) (*logica
 	respData["metadata"] = entity.Metadata
 	respData["merged_entity_ids"] = entity.MergedEntityIDs
 	respData["policies"] = entity.Policies
 	respData["disabled"] = entity.Disabled
 	// Convert protobuf timestamp into RFC3339 format
 	respData["creation_time"] = ptypes.TimestampString(entity.CreationTime)
--- a/vault/identity_store_entities_ext_test.go
+++ b/vault/identity_store_entities_ext_test.go
@ -0,0 +1,176 @@
 package vault_test
 import (
 	"strings"
 	"testing"
 	"github.com/hashicorp/vault/api"
 	"github.com/hashicorp/vault/builtin/credential/approle"
 	vaulthttp "github.com/hashicorp/vault/http"
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/vault"
 )
 func TestIdentityStore_EntityDisabled(t *testing.T) {
 	// Use a TestCluster and the approle backend to get a token and entity for testing
 	coreConfig := &vault.CoreConfig{
 		CredentialBackends: map[string]logical.Factory{
 			"approle": approle.Factory,
 		},
 	}
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
 	cluster.Start()
 	defer cluster.Cleanup()
 	core := cluster.Cores[0].Core
 	vault.TestWaitActive(t, core)
 	client := cluster.Cores[0].Client
 	// Mount the auth backend
 	err := client.Sys().EnableAuthWithOptions("approle", &api.EnableAuthOptions{
 		Type: "approle",
 	})
 	if err != nil {
 		t.Fatal(err)
 	}
 	// Tune the mount
 	err = client.Sys().TuneMount("auth/approle", api.MountConfigInput{
 		DefaultLeaseTTL: "5m",
 		MaxLeaseTTL:     "5m",
 	})
 	if err != nil {
 		t.Fatal(err)
 	}
 	// Create role
 	resp, err := client.Logical().Write("auth/approle/role/role-period", map[string]interface{}{
 		"period": "5m",
 	})
 	if err != nil {
 		t.Fatal(err)
 	}
 	// Get role_id
 	resp, err = client.Logical().Read("auth/approle/role/role-period/role-id")
 	if err != nil {
 		t.Fatal(err)
 	}
 	if resp == nil {
 		t.Fatal("expected a response for fetching the role-id")
 	}
 	roleID := resp.Data["role_id"]
 	// Get secret_id
 	resp, err = client.Logical().Write("auth/approle/role/role-period/secret-id", map[string]interface{}{})
 	if err != nil {
 		t.Fatal(err)
 	}
 	if resp == nil {
 		t.Fatal("expected a response for fetching the secret-id")
 	}
 	secretID := resp.Data["secret_id"]
 	// Login
 	resp, err = client.Logical().Write("auth/approle/login", map[string]interface{}{
 		"role_id":   roleID,
 		"secret_id": secretID,
 	})
 	if err != nil {
 		t.Fatal(err)
 	}
 	if resp == nil {
 		t.Fatal("expected a response for login")
 	}
 	if resp.Auth == nil {
 		t.Fatal("expected auth object from response")
 	}
 	if resp.Auth.ClientToken == "" {
 		t.Fatal("expected a client token")
 	}
 	roleToken := resp.Auth.ClientToken
 	client.SetToken(roleToken)
 	resp, err = client.Auth().Token().LookupSelf()
 	if err != nil {
 		t.Fatal(err)
 	}
 	if resp == nil {
 		t.Fatal("expected a response for token lookup")
 	}
 	entityIDRaw, ok := resp.Data["entity_id"]
 	if !ok {
 		t.Fatal("expected an entity ID")
 	}
 	entityID, ok := entityIDRaw.(string)
 	if !ok {
 		t.Fatal("entity_id not a string")
 	}
 	client.SetToken(cluster.RootToken)
 	resp, err = client.Logical().Write("identity/entity/id/"+entityID, map[string]interface{}{
 		"disabled": true,
 	})
 	if err != nil {
 		t.Fatal(err)
 	}
 	// This call should now fail
 	client.SetToken(roleToken)
 	resp, err = client.Auth().Token().LookupSelf()
 	if err == nil {
 		t.Fatalf("expected error, got %#v", *resp)
 	}
 	if !strings.Contains(err.Error(), logical.ErrEntityDisabled.Error()) {
 		t.Fatalf("expected to see entity disabled error, got %v", err)
 	}
 	// Attempting to get a new token should also now fail
 	client.SetToken("")
 	resp, err = client.Logical().Write("auth/approle/login", map[string]interface{}{
 		"role_id":   roleID,
 		"secret_id": secretID,
 	})
 	if err == nil {
 		t.Fatalf("expected error, got %#v", *resp)
 	}
 	if !strings.Contains(err.Error(), logical.ErrEntityDisabled.Error()) {
 		t.Fatalf("expected to see entity disabled error, got %v", err)
 	}
 	client.SetToken(cluster.RootToken)
 	resp, err = client.Logical().Write("identity/entity/id/"+entityID, map[string]interface{}{
 		"disabled": false,
 	})
 	if err != nil {
 		t.Fatal(err)
 	}
 	client.SetToken(roleToken)
 	resp, err = client.Auth().Token().LookupSelf()
 	if err != nil {
 		t.Fatal(err)
 	}
 	// Getting a new token should now work again too
 	client.SetToken("")
 	resp, err = client.Logical().Write("auth/approle/login", map[string]interface{}{
 		"role_id":   roleID,
 		"secret_id": secretID,
 	})
 	if err != nil {
 		t.Fatal(err)
 	}
 	if resp == nil {
 		t.Fatal("expected a response for login")
 	}
 	if resp.Auth == nil {
 		t.Fatal("expected auth object from response")
 	}
 	if resp.Auth.ClientToken == "" {
 		t.Fatal("expected a client token")
 	}
 }
--- a/vault/request_handling.go
+++ b/vault/request_handling.go
@ -204,7 +204,7 @@ func (c *Core) handleRequest(ctx context.Context, req *logical.Request) (retResp
 		// return invalid request so that the status codes can be correct
 		errType := logical.ErrInvalidRequest
 		switch ctErr {
-		case ErrInternalError, logical.ErrPermissionDenied:
+		case ErrInternalError, logical.ErrPermissionDenied, logical.ErrEntityDisabled:
 			errType = ctErr
 		}
@ -519,6 +519,10 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re
 				return nil, nil, fmt.Errorf("failed to create an entity for the authenticated alias")
 			}
 			if entity.Disabled {
 				return nil, nil, logical.ErrEntityDisabled
 			}
 			auth.EntityID = entity.ID
 			if auth.GroupAliases != nil {
 				err = c.identityStore.refreshExternalGroupMembershipsByEntityID(auth.EntityID, auth.GroupAliases)
--- a/website/source/api/secret/identity/entity.html.md
+++ b/website/source/api/secret/identity/entity.html.md
@ -26,6 +26,9 @@ This endpoint creates or updates an Entity.
 - `policies` `(list of strings: [])` – Policies to be tied to the entity.
 - `disabled` `(bool: false)` – Whether the entity is disabled. Disabled
  entities' associated tokens cannot be used, but are not revoked.
 ### Sample Payload
 ```json
@ -86,6 +89,7 @@ $ curl \
  "data": {
    "bucket_key_hash": "177553e4c58987f4cc5d7e530136c642",
    "creation_time": "2017-07-25T20:29:22.614756844Z",
    "disabled": false,
    "id": "8d6a45e5-572f-8f13-d226-cd0d1ec57297",
    "last_update_time": "2017-07-25T20:29:22.614756844Z",
    "metadata": {
@ -120,6 +124,8 @@ This endpoint is used to update an existing entity.
 - `policies` `(list of strings: [])` – Policies to be tied to the entity.
 - `disabled` `(bool: false)` – Whether the entity is disabled. Disabled
  entities' associated tokens cannot be used, but are not revoked.
 ### Sample Payload