If one HashiCorp Vault Policy allows a capability, and another denies it, how does it decide which Policy to honor?

HashiCorp Vault is an open source tool for secrets management.
I’m using it for this purpose, and have come across a minor issue. I seemingly cannot deny access to a specific API path.
I’ve tested this on two different Vault clusters, and it seems like I can’t deny access to the “sys/leases/lookup” path.
Do “deny” capabilities trump the parts of policies that give explicit capabilities on a path?
It seems that this is not the case, since the capabilities from the default policy are being favored over those in my “deny-leases” policy.
The default policy allows lease lookup:
```hcl
# Allow looking up lease properties. This requires knowing the lease ID ahead
# of time and does not divulge any sensitive information.
path "sys/leases/lookup" {
  capabilities = ["update"]
}
```
And my creatively named “deny-leases” policy, well, you might say that it doesn’t allow lease lookup:
```shell
~ | 👾 vault policy read deny-leases
path "sys/leases*" {
  capabilities = ["deny"]
}
```
Let’s make ’em fight!
```shell
~ | 👾 vault token create -policy=deny-leases
Key                  Value
---                  -----
token                s.10yrKnAdsBaxTErxXxXvAuLt
token_accessor       2c8beef0kPVLuSjtSsStONgs
token_duration       768h
token_renewable      true
token_policies       ["default" "deny-leases"]
identity_policies    []
policies             ["default" "deny-leases"]

~ | 👾 export VAULT_TOKEN=s.10yrKnAdsBaxTErxXxXvAuLt

~ | 👾 curl --silent --header "X-Vault-Token: ${VAULT_TOKEN}" \
    --data '{"lease_id": "auth/userpass/login/heyitsme/deadbeefdeadbeef85cbd6edf586527d824e09560987654321123817e96234e93"}' \
    --request PUT "${VAULT_ADDR}/v1/sys/leases/lookup" | jq
{
  "request_id": "f98e2444-357b-bcof-feef-74b58443feef",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "expire_time": "2019-01-21T17:03:41.72395079-05:00",
    "id": "auth/userpass/login/heyitsme/deadbeefdeadbeef85cbd6edf586527d824e09560987654321123817e96234e93",
    "issue_time": "2018-12-20T17:03:41.72395019-05:00",
    "last_renewal": null,
    "renewable": true,
    "ttl": 1049229
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}
~ | 👾
```
Looks like the default policy “wins” here, because its explicit allowing of that capability overrode the explicit denial in the deny-leases policy.
How does Vault decide which policy “wins”, and how would I restrict access to the lease lookup?
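The behaviour seen in the question follows from how Vault matches policy paths rather than from policy order: for a given request path Vault picks the single most specific matching rule across all attached policies (an exact path beats any glob, and a longer glob prefix beats a shorter one), then merges the capabilities that every policy grants for that one path, with "deny" overriding everything else only within that merged set. The exact "sys/leases/lookup" rule in "default" is more specific than the "sys/leases*" glob, so the glob's deny never enters the comparison. The model below is an added example written for this page; it is not Vault's own code, and the `resolve`/`allowed` helpers and the `DENY_LEASES_FIXED` policy are the example's own names. It replays the two policies quoted in the question and shows the corrected deny rule that does take effect.

```python
# Model of how Vault resolves competing policy rules for one request path.
# This is an illustrative reimplementation of the documented precedence rule,
# not HashiCorp's ACL code. Policies are flattened to {path: [capabilities]}.
from typing import Dict, List, Optional, Set, Tuple

# The two policies quoted in the question.
DEFAULT_POLICY: Dict[str, List[str]] = {"sys/leases/lookup": ["update"]}
DENY_LEASES: Dict[str, List[str]] = {"sys/leases*": ["deny"]}

# A corrected deny policy (assumed name): the glob still blocks the rest of
# sys/leases, and an exact "sys/leases/lookup" rule ties with the default
# policy's exact rule so that deny can win the merge for that path.
DENY_LEASES_FIXED: Dict[str, List[str]] = {
    "sys/leases/lookup": ["deny"],
    "sys/leases*": ["deny"],
}


def _matches(rule_path: str, request_path: str) -> bool:
    """A trailing '*' is a prefix glob; anything else must match exactly."""
    if rule_path.endswith("*"):
        return request_path.startswith(rule_path[:-1])
    return rule_path == request_path


def _specificity(rule_path: str) -> Tuple[int, int]:
    """Exact paths outrank globs; among globs the longer prefix outranks the shorter."""
    return (0 if rule_path.endswith("*") else 1, len(rule_path))


def resolve(policies: List[Dict[str, List[str]]], request_path: str) -> Tuple[Optional[str], Set[str]]:
    """Return (winning_rule_path, effective_capabilities) for request_path."""
    # Gather every matching rule from every attached policy, merging
    # capabilities that different policies define for the *same* path.
    candidates: Dict[str, Set[str]] = {}
    for policy in policies:
        for rule_path, caps in policy.items():
            if _matches(rule_path, request_path):
                candidates.setdefault(rule_path, set()).update(caps)
    if not candidates:
        return None, set()          # no rule at all: implicit deny

    # Only the most specific matching path is consulted; less specific
    # rules (such as the "sys/leases*" glob here) are ignored entirely.
    winner = max(candidates, key=_specificity)
    caps = candidates[winner]

    # Within that one path, "deny" overrides whatever other policies merged in.
    if "deny" in caps:
        caps = {"deny"}
    return winner, caps


def allowed(policies: List[Dict[str, List[str]]], request_path: str, capability: str) -> bool:
    """True if the merged policies grant `capability` on `request_path`."""
    _, caps = resolve(policies, request_path)
    return capability in caps


if __name__ == "__main__":
    token_policies = [DEFAULT_POLICY, DENY_LEASES]
    print(resolve(token_policies, "sys/leases/lookup"))   # exact rule from default wins
    print(resolve(token_policies, "sys/leases/renew"))    # only the glob matches: denied
    print(resolve([DEFAULT_POLICY, DENY_LEASES_FIXED], "sys/leases/lookup"))  # deny wins the merge
```

Two practical fixes follow from the model: give the deny policy an exact `path "sys/leases/lookup"` rule so it competes at the same specificity as the default policy (deny then wins the merge), or create the token with `vault token create -no-default-policy -policy=deny-leases` so the default policy's allow rule is never attached in the first place. Note that `sys/leases/lookup` really is the path checked for this request; a glob like `sys/leases*` would only govern paths that have no more specific rule of their own.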