Add notes re dangers of identity write endpoints. (#12365)

This commit is contained in:
Nick Cabatoff 2021-08-30 16:23:33 +02:00 committed by GitHub
parent 8314a6a5f7
commit 8154cd2e4a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 15 additions and 0 deletions

View file

@ -6,6 +6,11 @@ description: >-
store. store.
--- ---
~> **NOTE:** Be careful in granting permissions to non-readonly identity endpoints.
If a user can modify an entity, they can grant it additional privileges through
policies. If a user can modify an alias they can login with, they can bind it to
an entity with higher privileges.
## Create an Entity Alias ## Create an Entity Alias
This endpoint creates a new alias for an entity. This endpoint creates a new alias for an entity.

View file

@ -4,6 +4,10 @@ page_title: 'Identity Secret Backend: Group - HTTP API'
description: This is the API documentation for managing groups in the identity store. description: This is the API documentation for managing groups in the identity store.
--- ---
~> **NOTE:** Be careful in granting permissions to non-readonly identity group
endpoints. If a user can modify group membership, they can add their entity to
a group with higher privileges.
## Create a Group ## Create a Group
This endpoint creates or updates a Group. This endpoint creates or updates a Group.

View file

@ -70,6 +70,12 @@ _additional_ capabilities and not a replacement for the policies on the token.
To know the full set of capabilities of the token with an associated entity To know the full set of capabilities of the token with an associated entity
identifier, the policies on the token should be taken into account. identifier, the policies on the token should be taken into account.
~> **NOTE:** Be careful in granting permissions to non-readonly identity endpoints.
If a user can modify an entity, they can grant it additional privileges through
policies. If a user can modify an alias they can login with, they can bind it to
an entity with higher privileges. If a user can modify group membership, they
can add their entity to a group with higher privileges.
### Mount Bound Aliases ### Mount Bound Aliases
Vault supports multiple authentication backends and also allows enabling the Vault supports multiple authentication backends and also allows enabling the