From c97c8687f44bc1114bfc34243a2fd0ad2c1b1e6d Mon Sep 17 00:00:00 2001 From: Pratyoy Mukhopadhyay <35388175+pmmukh@users.noreply.github.com> Date: Wed, 8 Dec 2021 13:52:51 -0800 Subject: [PATCH] [VAULT-3252] Add entity-alias behavior change to docs (#13370) * Add entity-alias behavior change to docs * Add upgrade note about entity-alias mapping change * Rename 1.7-9 upgrade pages, shuffle upgrade note position * Update website/content/partials/entity-alias-mapping.mdx Co-authored-by: Meggie * Add incorrect policy issue to the docs * Add example about entity-alias restriction Co-authored-by: Meggie --- website/content/docs/concepts/identity.mdx | 6 ++++-- .../{upgrade-to-1.7.0.mdx => upgrade-to-1.7.x.mdx} | 9 ++++++--- .../{upgrade-to-1.8.0.mdx => upgrade-to-1.8.x.mdx} | 9 ++++++--- .../{upgrade-to-1.9.0.mdx => upgrade-to-1.9.x.mdx} | 9 ++++++--- website/content/partials/entity-alias-mapping.mdx | 7 +++++++ website/data/docs-nav-data.json | 12 ++++++------ 6 files changed, 35 insertions(+), 17 deletions(-) rename website/content/docs/upgrading/{upgrade-to-1.7.0.mdx => upgrade-to-1.7.x.mdx} (91%) rename website/content/docs/upgrading/{upgrade-to-1.8.0.mdx => upgrade-to-1.8.x.mdx} (93%) rename website/content/docs/upgrading/{upgrade-to-1.9.0.mdx => upgrade-to-1.9.x.mdx} (95%) create mode 100644 website/content/partials/entity-alias-mapping.mdx diff --git a/website/content/docs/concepts/identity.mdx b/website/content/docs/concepts/identity.mdx index 53d05142d..51d47a8ac 100644 --- a/website/content/docs/concepts/identity.mdx +++ b/website/content/docs/concepts/identity.mdx 
@@ -20,11 +20,13 @@ Each user may have multiple accounts with various identity providers, and Vault supports many of those providers to authenticate with Vault. Vault Identity can tie authentications from various auth methods to a single representation. This representation of a consolidated identity is called an **Entity** and their corresponding accounts with authentication providers can be mapped as -**Aliases**. In essence, each entity is made up of zero or more aliases. +**Aliases**. In essence, each entity is made up of zero or more aliases. An entity cannot have more than one alias for +a particular authentication backend. For example, a user with accounts in both GitHub and LDAP can be mapped to a single entity in Vault with two aliases, one of type GitHub and one of type -LDAP. +LDAP. Note however, if both aliases are created on the same auth mount, say +a Github mount, both aliases cannot be mapped to the same entity. ![Entity overview](/img/vault-identity-doc-1.png) diff --git a/website/content/docs/upgrading/upgrade-to-1.7.0.mdx b/website/content/docs/upgrading/upgrade-to-1.7.x.mdx similarity index 91% rename from website/content/docs/upgrading/upgrade-to-1.7.0.mdx rename to website/content/docs/upgrading/upgrade-to-1.7.x.mdx index 07dfaf13f..23c8077d3 100644 --- a/website/content/docs/upgrading/upgrade-to-1.7.0.mdx +++ b/website/content/docs/upgrading/upgrade-to-1.7.x.mdx @@ -1,15 +1,15 @@ --- layout: docs -page_title: Upgrading to Vault 1.7.0 - Guides +page_title: Upgrading to Vault 1.7.x - Guides description: |- This page contains the list of deprecations and important or breaking changes - for Vault 1.7.0. Please read it carefully. + for Vault 1.7.x. Please read it carefully. --- # Overview This page contains the list of deprecations and important or breaking changes -for Vault 1.7.0 compared to 1.6. Please read it carefully. +for Vault 1.7.x compared to 1.6. Please read it carefully. ## Barrier Key Auto-Rotation 
@@ -31,6 +31,8 @@ endpoint changes is available in the [AWS Auth API docs](/api-docs/auth/aws#depr @include 'alpine-314.mdx' +@include 'entity-alias-mapping.mdx' + ## Known Issues Due to the known issue, Transform Secrets Engine users are recommended to upgrade to version 1.7.0. @@ -48,3 +50,4 @@ Due to the known issue, Lease Count Quota users with DR Secondaries are recommen @include 'transform-upgrade.mdx' @include 'lease-count-quota-upgrade.mdx' + diff --git a/website/content/docs/upgrading/upgrade-to-1.8.0.mdx b/website/content/docs/upgrading/upgrade-to-1.8.x.mdx similarity index 93% rename from website/content/docs/upgrading/upgrade-to-1.8.0.mdx rename to website/content/docs/upgrading/upgrade-to-1.8.x.mdx index 4f7133b8b..5fd3f0fbe 100644 --- a/website/content/docs/upgrading/upgrade-to-1.8.0.mdx +++ b/website/content/docs/upgrading/upgrade-to-1.8.x.mdx @@ -1,15 +1,15 @@ --- layout: docs -page_title: Upgrading to Vault 1.8.0 - Guides +page_title: Upgrading to Vault 1.8.x - Guides description: |- This page contains the list of deprecations and important or breaking changes - for Vault 1.8.0. Please read it carefully. + for Vault 1.8.x. Please read it carefully. --- # Overview This page contains the list of deprecations and important or breaking changes -for Vault 1.8.0 compared to 1.7. Please read it carefully. +for Vault 1.8.x compared to 1.7. Please read it carefully. ## License Enhancements @@ -40,6 +40,9 @@ Notes](https://golang.org/doc/go1.16) for full details. Of particular note: @include 'alpine-314.mdx' + +@include 'entity-alias-mapping.mdx' + ## Known Issues - MSSQL integrations (storage and secrets engine) will crash with a "panic: not implemented" error diff --git a/website/content/docs/upgrading/upgrade-to-1.9.0.mdx b/website/content/docs/upgrading/upgrade-to-1.9.x.mdx similarity index 95% rename from website/content/docs/upgrading/upgrade-to-1.9.0.mdx rename to website/content/docs/upgrading/upgrade-to-1.9.x.mdx index e4a11a0bc..ed70722ab 100644 
--- a/website/content/docs/upgrading/upgrade-to-1.9.0.mdx +++ b/website/content/docs/upgrading/upgrade-to-1.9.x.mdx @@ -1,15 +1,15 @@ --- layout: docs -page_title: Upgrading to Vault 1.9.0 - Guides +page_title: Upgrading to Vault 1.9.x - Guides description: |- This page contains the list of deprecations and important or breaking changes - for Vault 1.9.0. Please read it carefully. + for Vault 1.9.x. Please read it carefully. --- # Overview This page contains the list of deprecations and important or breaking changes -for Vault 1.9.0 compared to 1.8. Please read it carefully. +for Vault 1.9.x compared to 1.8. Please read it carefully. ## OIDC Provider @@ -56,6 +56,8 @@ To re-enable the old behavior, update the roles with a value of `"*"` to the `allowed_extensions` parameter allowing any/all extensions to be specified by clients. +@include 'entity-alias-mapping.mdx' + ## Deprecations ### HTTP Request Counter Deprecation @@ -92,3 +94,4 @@ Additionally, Go has begun doing automated cipher suite ordering and no longer respects the order of suites given in `tls_cipher_suites`. See [this blog post](https://go.dev/blog/tls-cipher-suites) for more information. + diff --git a/website/content/partials/entity-alias-mapping.mdx b/website/content/partials/entity-alias-mapping.mdx new file mode 100644 index 000000000..b8b3e4e37 --- /dev/null +++ b/website/content/partials/entity-alias-mapping.mdx 
@@ -0,0 +1,7 @@ +## Entity Alias mapping + +Previously, an entity in Vault could be mapped to multiple entity aliases on the same authentication backend. This +led to a potential security vulnerability (CVE-2021-43998), as ACL policies templated with alias information would match the first +alias created. Thus, tokens created from all aliases of the entity, will have access to the paths containing alias +metadata of the first alias due to templated policies being incorrectly applied. As a result, the mapping behavior was updated +such that an entity can only have one alias per authentication backend. This change exists in Vault 1.9.0+, 1.8.5+ and 1.7.6+. \ No newline at end of file diff --git a/website/data/docs-nav-data.json b/website/data/docs-nav-data.json index 9acc95bd3..a85f89dcd 100644 --- a/website/data/docs-nav-data.json +++ b/website/data/docs-nav-data.json @@ -1470,16 +1470,16 @@ "path": "upgrading/plugins" }, { - "title": "Upgrade to 1.9.0", - "path": "upgrading/upgrade-to-1.9.0" + "title": "Upgrade to 1.9.x", + "path": "upgrading/upgrade-to-1.9.x" }, { - "title": "Upgrade to 1.8.0", - "path": "upgrading/upgrade-to-1.8.0" + "title": "Upgrade to 1.8.x", + "path": "upgrading/upgrade-to-1.8.x" }, { - "title": "Upgrade to 1.7.0", - "path": "upgrading/upgrade-to-1.7.0" + "title": "Upgrade to 1.7.x", + "path": "upgrading/upgrade-to-1.7.x" }, { "title": "Upgrade to 1.6.3",
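Review bot: the two sentences added to identity.mdx state the restriction at different granularities. The first says an entity cannot have more than one alias "for a particular authentication backend", the second says the problem arises when both aliases are "created on the same auth mount, say a Github mount". A reader cannot tell from this whether two separate mounts of the same auth type count as one backend or as two, and the new partial uses "authentication backend" again; pick one term and use it in all three places. Also spell it "GitHub" to match the existing sentence on the same line, and reword the second sentence so it is not a dangling "Note however": "Note, however, that if both aliases are created on the same auth mount, say a GitHub mount, they cannot both be mapped to the same entity."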
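Review bot: the trailing hunk in upgrade-to-1.7.x.mdx (`@@ -48,3 +50,4 @@`) only appends an empty line after `@include 'lease-count-quota-upgrade.mdx'`, so the file now ends in a blank line; the equivalent hunk in upgrade-to-1.9.x.mdx (`@@ -92,3 +94,4 @@`) does the same after the cipher-suites paragraph. Neither is needed for the include to render and both add whitespace-only noise to the rename diff; drop them unless the MDX toolchain requires a trailing blank line.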
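Review bot: the upgrade-to-1.8.x.mdx hunk at `@@ -40,6 +40,9 @@` inserts a blank line both before and after `@include 'entity-alias-mapping.mdx'`, which leaves two consecutive blank lines between `@include 'alpine-314.mdx'` and the new include, while the 1.7.x and 1.9.x hunks use a single blank line on each side. Remove one of the two added blank lines so the three upgrade pages are spaced the same way.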
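Review bot: the new partial explains the old behaviour and why it was changed, but not what an operator upgrading to 1.9.0+, 1.8.5+ or 1.7.6+ should expect for entities that already have several aliases on the same authentication backend. Since this file is pulled into three upgrade guides, that is the question those readers will have; add a sentence stating whether such entities are left untouched, whether the surplus aliases are rejected or removed, and what the operator should do to find and clean them up before upgrading. Smaller points in the same block: "tokens created from all aliases of the entity, will have access" has a stray comma; the heading `## Entity Alias mapping` mixes capitalisation styles; consider linking CVE-2021-43998 to its advisory rather than leaving the identifier bare; and the file is missing its final newline (`\ No newline at end of file`).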
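Review bot: the docs-nav-data.json hunk changes the public paths from `upgrading/upgrade-to-1.9.0` (and 1.8.0, 1.7.0) to the `-1.9.x` form, but the patch contains no redirects from the old paths, so existing external links and bookmarks to those pages will break unless the site already handles this elsewhere; add redirect entries alongside the rename. The unchanged neighbouring entry `"title": "Upgrade to 1.6.3"` keeps the point-release naming, so the navigation now mixes both conventions; either rename it in the same change or note why it is left as is.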