Add notes re dangers of identity write endpoints. (#12365)
This commit is contained in:
parent
8314a6a5f7
commit
8154cd2e4a
|
@ -6,6 +6,11 @@ description: >-
|
||||||
store.
|
store.
|
||||||
---
|
---
|
||||||
|
|
||||||
|
~> **NOTE:** Be careful in granting permissions to non-readonly identity endpoints.
|
||||||
|
If a user can modify an entity, they can grant it additional privileges through
|
||||||
|
policies. If a user can modify an alias they can login with, they can bind it to
|
||||||
|
an entity with higher privileges.
|
||||||
|
|
||||||
## Create an Entity Alias
|
## Create an Entity Alias
|
||||||
|
|
||||||
This endpoint creates a new alias for an entity.
|
This endpoint creates a new alias for an entity.
|
||||||
|
|
|
@ -4,6 +4,10 @@ page_title: 'Identity Secret Backend: Group - HTTP API'
|
||||||
description: This is the API documentation for managing groups in the identity store.
|
description: This is the API documentation for managing groups in the identity store.
|
||||||
---
|
---
|
||||||
|
|
||||||
|
~> **NOTE:** Be careful in granting permissions to non-readonly identity group
|
||||||
|
endpoints. If a user can modify group membership, they can add their entity to
|
||||||
|
a group with higher privileges.
|
||||||
|
|
||||||
## Create a Group
|
## Create a Group
|
||||||
|
|
||||||
This endpoint creates or updates a Group.
|
This endpoint creates or updates a Group.
|
||||||
|
|
|
@ -70,6 +70,12 @@ _additional_ capabilities and not a replacement for the policies on the token.
|
||||||
To know the full set of capabilities of the token with an associated entity
|
To know the full set of capabilities of the token with an associated entity
|
||||||
identifier, the policies on the token should be taken into account.
|
identifier, the policies on the token should be taken into account.
|
||||||
|
|
||||||
|
~> **NOTE:** Be careful in granting permissions to non-readonly identity endpoints.
|
||||||
|
If a user can modify an entity, they can grant it additional privileges through
|
||||||
|
policies. If a user can modify an alias they can login with, they can bind it to
|
||||||
|
an entity with higher privileges. If a user can modify group membership, they
|
||||||
|
can add their entity to a group with higher privileges.
|
||||||
|
|
||||||
### Mount Bound Aliases
|
### Mount Bound Aliases
|
||||||
|
|
||||||
Vault supports multiple authentication backends and also allows enabling the
|
Vault supports multiple authentication backends and also allows enabling the
|
||||||
|
|
Loading…
Reference in a new issue