You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This PR extends KVv2's key metadata field custom_metadata to the CreateOperation, ReadOperation, and PatchOperation responses for the /<mount>/data/:path endpoint. Extending this field to other endpoints allows for better auditing capability.
There is an associated implicit change in ACL semantics in that the field is available to the data endpoint independent of the calling token's ACLs (i.e. read access to /<mount>/metadata/:path). This concept has been mentioned in a separate docs PR.
Design of Change
The CreateOperation, ReadOperation, and PatchOperation handlers already access the secret's key metadata. The field will simply be added to the logical.Response for these handlers. It should also be noted that this field will automatically be included in the CLI output and has been verified in Vault PR #12907.
There is an associated implicit change in ACL semantics in that the field is available to the data endpoint independent of the calling token's ACLs (i.e. read access to //metadata/:path).
I'm curious if this is by design or an unavoidable side effect of something else. Are customers likely to be surprised if they issue a token that does not have read access to the metadata endpoint but find metadata present in the data response?
I'm curious if this is by design or an unavoidable side effect of something else. Are customers likely to be surprised if they issue a token that does not have read access to the metadata endpoint but find metadata present in the data response?
@raskchanky, this was discussed internally and it was determined that there wasn't a big security concern of providing this information as custom_metadata contains less sensitive information than the secret itself. We did discuss the potential for configuring the backend to enable/disable this functionality but will not be implementing anything like that at this time.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Overview
This PR extends KVv2's key metadata field
custom_metadatato theCreateOperation,ReadOperation, andPatchOperationresponses for the/<mount>/data/:pathendpoint. Extending this field to other endpoints allows for better auditing capability.There is an associated implicit change in ACL semantics in that the field is available to the data endpoint independent of the calling token's ACLs (i.e.
readaccess to/<mount>/metadata/:path). This concept has been mentioned in a separate docs PR.Design of Change
The
CreateOperation,ReadOperation, andPatchOperationhandlers already access the secret's key metadata. The field will simply be added to thelogical.Responsefor these handlers. It should also be noted that this field will automatically be included in the CLI output and has been verified in Vault PR #12907.Related Issues/Pull Requests