Awx: HashiCorp Vault Secret Lookup: Test requires Sysadmin permissions

Created on 29 Oct 2019 · 6 Comments · Source: ansible/awx

ISSUE TYPE
  • Bug Report
SUMMARY

The "HashiCorp Vault Secret Lookup" and "HashiCorp Vault Signed SSH" Credential Types both provide a test option which checks whether the parameters are working. In both cases, running the test requires sysadmin permissions.

ENVIRONMENT
  • AWX version: 7.0.0
  • AWX install method: docker on linux
  • Ansible version: 2.7.11
  • Operating System: Debian 9
  • Web Browser: Firefox 69
STEPS TO REPRODUCE

Log in to AWX as a non-sysadmin user. In the AWX web interface, go to "Credentials" and create a new Credential of type "HashiCorp Vault Secret Lookup". Fill in "Server Url", "token" and, if necessary, the CA Certificate. Then open the "Test external credential" form by clicking the "Test" button. Fill in "path to secret" and "key name", then click "run". The test will fail.

If you run the same steps as a sysadmin user, the test will succeed.

EXPECTED RESULTS

A user who is allowed to create a credential of type "HashiCorp Vault Secret Lookup" should be allowed to run the test.

ACTUAL RESULTS

Non-sysadmin users are not allowed to test "HashiCorp Vault Secret Lookup" Credentials.

api medium bug

All 6 comments

@nixocio assigned you because I remember you working on something related w/ credentials

If I give a user "Credential Admin" I can create the HashiCorp Vault and test this. A user that is only a member cannot make a credential to test. Is that the expected behaviour?

@ryanpetrello @jakemcdermott @AlanCoding can you confirm what user permission is supposed to be used here?

@nixocio You need _use_ permissions or better on a credential to use its test button.

There is one exception - if you haven't _saved_ a credential (e.g., you're on the 'NEW CREDENTIAL' form of a hashivault credential and haven't clicked save yet), then only admins may use the test button.
