and if it's already documented, it should be easier to find, 'cause I tried and failed. :-)
For 0.5.0, the default policy is here: https://github.com/hashicorp/vault/blob/v0.5.0/vault/policy_store.go#L209-L227
It's "code as documentation" at the moment, which prevents the documentation from getting out of sync. I'm sort of torn on this, because I can understand why people want it in the documentation, but also am sensitive to documentation being out-of-date...which is sometimes worse than no documentation at all. Let me check if we have a policy either way internally.
@jefferai - Are there any concerns about moving the HCL out of source code, and into a dedicated HCL file in the repo? I'm not familiar enough with golang's build system to know, but I naively assume there's an easy way to pull in a static string during compilation. At least that way, the docs could simply say "see the default policy file in the repo for specifics".
I'm sympathetic to avoiding docs falling out of date, but this is literally the default security policy. It needs to be easier to find.
I'm open to a PR that does that, but I'd still recommend people examine the policy on their running server over the file. The default changes over time, but only takes effect for new installs; any Vault with an existing default policy is not overwritten.
@jefferai is there any way to update the default policy?
Yes, you simply write to it like any other policy.
@jefferai I'd like to suggest making it more explicit in the CHANGELOG that the default policy has changed.
We've just been bitten by this: a new setup worked on a fresh install in a lab env, but failed in prod (same version 0.6.2, but of course prod isn't a fresh install).
I understand it wouldn't really be feasible/wanted to update the default policy automatically.
Can we reopen this? I overwrote the default policy and have no way of getting it back.
@mattis-haase You can retrieve (and re-write) the default policy by looking at the source here.
The default policy has not changed in 2 years, but a more accurate way to ensure that the default is whatever your running Vault version has is to start a dev instance of Vault and retrieve the default policy:
› vault server -dev -dev-root-token-id=root
==> Vault server configuration:
Api Address: http://127.0.0.1:8200
Cgo: disabled
Cluster Address: https://127.0.0.1:8201
Go Version: go1.14.7
Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
Log Level: info
Mlock: supported: false, enabled: false
Recovery Mode: false
Storage: inmem
Version: Vault v1.4.0
Version Sha: 451a2a942cd1ce241815d5f59cb862e56b1a8a4a
....
# In a separate terminal:
› vault policy read default
...
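The two suggestions in this thread (the default policy "takes effect for new installs" only, so an existing server must have it re-written "like any other policy", and the dev-server trick above for getting the current release's version of it) combine into one small procedure: read `default` from a throwaway dev server, keep a copy of whatever the real server currently has, then write the dev version over it. The Go program below is an added example, not Vault's own code or anything from this issue. It uses only the standard library against the HTTP API and assumes the `GET`/`PUT /v1/sys/policies/acl/<name>` endpoints (the JSON reply carrying the HCL under `data.policy`, the write answered with 204), plus hypothetical environment variables `VAULT_DEV_ADDR`/`VAULT_DEV_TOKEN` for the dev server and the usual `VAULT_ADDR`/`VAULT_TOKEN` for the target. Nothing is written to the target unless the dev read succeeds, and the target's previous policy is saved to `default.bak.hcl` so the situation described above (overwrote the default, no way to get it back) stays recoverable.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"os"
	"strings"
)

// Added example (not Vault's own code): copy the "default" ACL policy from a
// freshly started dev server onto an existing server. Endpoint shapes below
// (GET/PUT /v1/sys/policies/acl/<name>, HCL in data.policy) are assumptions.

var errNotFound = errors.New("policy not found")

// policyClient talks to one Vault server's HTTP API with one token.
type policyClient struct {
	addr   string // base URL, e.g. http://127.0.0.1:8200
	token  string // sent as X-Vault-Token
	client *http.Client
}

// do issues one request against /v1/sys/policies/acl/<name> and returns status and body.
func (c *policyClient) do(method, name string, body []byte) (int, []byte, error) {
	var rdr io.Reader
	if body != nil {
		rdr = bytes.NewReader(body)
	}
	req, err := http.NewRequest(method, c.addr+"/v1/sys/policies/acl/"+name, rdr)
	if err != nil {
		return 0, nil, err
	}
	req.Header.Set("X-Vault-Token", c.token)
	resp, err := c.client.Do(req)
	if err != nil {
		return 0, nil, err
	}
	defer resp.Body.Close()
	data, err := io.ReadAll(resp.Body)
	return resp.StatusCode, data, err
}

// readACLPolicy returns the HCL body of a named ACL policy, or errNotFound on 404.
func (c *policyClient) readACLPolicy(name string) (string, error) {
	status, body, err := c.do(http.MethodGet, name, nil)
	if err != nil {
		return "", err
	}
	if status == http.StatusNotFound {
		return "", errNotFound
	}
	if status != http.StatusOK {
		return "", fmt.Errorf("read policy %q: HTTP %d: %s", name, status, strings.TrimSpace(string(body)))
	}
	var out struct {
		Data struct {
			Policy string `json:"policy"`
		} `json:"data"`
	}
	if err := json.Unmarshal(body, &out); err != nil {
		return "", fmt.Errorf("read policy %q: bad JSON: %w", name, err)
	}
	if out.Data.Policy == "" {
		return "", fmt.Errorf("read policy %q: empty policy body", name)
	}
	return out.Data.Policy, nil
}

// writeACLPolicy creates or overwrites a named ACL policy (Vault answers 204 or 200).
func (c *policyClient) writeACLPolicy(name, hcl string) error {
	payload, _ := json.Marshal(map[string]string{"policy": hcl})
	status, body, err := c.do(http.MethodPut, name, payload)
	if err != nil {
		return err
	}
	if status != http.StatusNoContent && status != http.StatusOK {
		return fmt.Errorf("write policy %q: HTTP %d: %s", name, status, strings.TrimSpace(string(body)))
	}
	return nil
}

// copyDefaultPolicy reads "default" from dev, records what target currently has so it
// can be restored, then writes the dev version to target. A failed dev read (wrong
// address or token) returns before anything is written, so it cannot wipe the target.
func copyDefaultPolicy(dev, target *policyClient) (newHCL, previousHCL string, err error) {
	if newHCL, err = dev.readACLPolicy("default"); err != nil {
		return "", "", fmt.Errorf("dev server: %w", err)
	}
	if previousHCL, err = target.readACLPolicy("default"); err != nil && !errors.Is(err, errNotFound) {
		return "", "", fmt.Errorf("target server: %w", err)
	}
	if previousHCL == newHCL {
		return newHCL, previousHCL, nil // already current; skip the write
	}
	if err = target.writeACLPolicy("default", newHCL); err != nil {
		return "", "", fmt.Errorf("target server: %w", err)
	}
	return newHCL, previousHCL, nil
}

func env(key, def string) string {
	if v := os.Getenv(key); v != "" {
		return v
	}
	return def
}

func main() {
	// Dev server as started above: `vault server -dev -dev-root-token-id=root`.
	dev := &policyClient{addr: env("VAULT_DEV_ADDR", "http://127.0.0.1:8200"), token: env("VAULT_DEV_TOKEN", "root"), client: http.DefaultClient}
	target := &policyClient{addr: os.Getenv("VAULT_ADDR"), token: os.Getenv("VAULT_TOKEN"), client: http.DefaultClient}
	newHCL, prev, err := copyDefaultPolicy(dev, target)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	// Keep the old policy on disk; undo with: vault policy write default default.bak.hcl
	if prev != "" && prev != newHCL {
		if err := os.WriteFile("default.bak.hcl", []byte(prev), 0o600); err != nil {
			fmt.Fprintln(os.Stderr, "warning: could not save previous policy:", err)
		}
	}
	fmt.Printf("default policy on %s now matches the dev server (%d bytes)\n", target.addr, len(newHCL))
}
```

Run it with the dev server from the transcript above in one terminal and `VAULT_ADDR`/`VAULT_TOKEN` pointing at the server you want to refresh; the token on the target needs `read` and `update` on `sys/policies/acl/default`. Diff `default.bak.hcl` against `vault policy read default` afterwards before relying on the new rules, since the built-in default only grants a token what it needs to manage itself and anything you had added locally is gone after the overwrite.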