Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Sanitize policy behavior across backends #3324

Merged
merged 4 commits into from
Sep 13, 2017
Merged

Sanitize policy behavior across backends #3324

merged 4 commits into from
Sep 13, 2017

Conversation

jefferai
Copy link
Member

@jefferai jefferai commented Sep 12, 2017
edited
Loading

  • Ingress TypeCommaStringSlice
  • Read returns a slice
  • Default is not added to the saved set of policies, we let core do its
    thing

Fixes #3318
Fixes #3323

@jefferai jefferai added this to the 0.8.3 milestone Sep 12, 2017
@jefferai
Copy link
Member Author

Note, see #3318 -- I think we shouldn't encode 'default' in, as it will make it harder to support a no-default flag as a future enhancement. We should let the core do the right thing.

@jefferai
Sanitize policy behavior across backends
ef3c0e1 
* Ingress TypeCommaStringSlice
* Read returns a slice
* Default is not added to the saved set of policies, we let core do its
thing

Fixes #3318
@jefferai jefferai changed the title Ingress policies into aws role via TypeCommaStringSlice. Sanitize policy behavior across backends Sep 12, 2017
vishalnayak
vishalnayak previously approved these changes Sep 12, 2017
View reviewed changes
Copy link
Member

@vishalnayak vishalnayak left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The changes (other than the expected test failures), LGTM!

chrishoffman
chrishoffman reviewed Sep 12, 2017
View reviewed changes
Copy link
Contributor

@chrishoffman chrishoffman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like these changes but am concerned about backwards compatibility with the returned data. Should this be moved to another field and break compatibility in a later release?

builtin/credential/cert/path_certs.go
@@ -133,7 +133,7 @@ func (b *backend) pathCertRead(
Data: map[string]interface{}{
"certificate": cert.Certificate,
"display_name": cert.DisplayName,
"policies": strings.Join(cert.Policies, ","),
"policies": cert.Policies,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any concern with the behavior change of the return here? I like this better but this does break compatibility.

builtin/credential/ldap/path_groups.go
@@ -86,7 +84,7 @@ func (b *backend) pathGroupRead(

return &logical.Response{
Data: map[string]interface{}{
"policies": strings.Join(group.Policies, ","),
"policies": group.Policies,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same backwards compatibility concerns as above.

builtin/credential/ldap/path_users.go
@@ -93,7 +93,7 @@ func (b *backend) pathUserRead(
return &logical.Response{
Data: map[string]interface{}{
"groups": strings.Join(user.Groups, ","),
"policies": strings.Join(user.Policies, ","),
"policies": user.Policies,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same backwards compatibility concerns as above.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, it breaks compatibility. I'm inclined to just make the change though rather than move to another field. (As I mentioned in chat, we'd definitely note this in CHANGES.)

I don't think in most cases these lookup endpoints are used by non-humans (and humans can easily understand it either way), and for anyone trying to feed them from a read into a write, the writes now accept slices so that will still work.

@jefferai jefferai merged commit 2f6c2b8 into master Sep 13, 2017
@jefferai jefferai deleted the issue-3323 branch September 13, 2017 15:36
chrishoffman pushed a commit that referenced this pull request Sep 14, 2017
Merge remote-tracking branch 'oss/master' into generic-to-kv
f6aebc5 
* oss/master:
  changelog++
  update enterprise urls /docs/vault-enterprise -> /docs/enterprise (#3333)
  Fixed docs to reflect correct HTTP method for /sys/config/auditing endpoing (#3331)
  changelog++
  Change behavior of TTL in sign-intermediate (#3325)
  changelog++
  Sanitize policy behavior across backends (#3324)
  Fix typo in transit error
  remove token header from login samples (#3320)
  Fix navigation and prameters in the 'gcp' auth backend docs. (#3317)
  changelog++
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chrishoffman chrishoffman chrishoffman left review comments

@vishalnayak vishalnayak vishalnayak left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
0.8.3
Development

Successfully merging this pull request may close these issues.
3 participants
@jefferai @chrishoffman @vishalnayak