Error: "child policies must be subset of parent"

[itman53]

Intro:

I am new to using OpenBao and I have never posted anything on github or on OpenBao. So please forgive me if I make mistakes or if I'm using this Q&A section in an incorrect manner.
I'm trying to use OpenBao in a python project I'm developing to keep and access secrets in a secure way.

Problem:

I am trying to create a token with a policy that is meant to be a subset of another policy. I'm attempting to do this via the API which I'm accessing using curl. Here is the curl command I'm using:

curl --cacert /opt/openbao/tls/ca.crt -X POST  -H "Authorization: Bearer <parent_token>" \
 -H "Content-Type: application/json" \
 -d '{"policies": ["techrel-reader"], "ttl": "72h", "renewable": true}'  \
 https://localhost:8200/v1/auth/token/create

Here is the error response I am getting:

{
  "errors": [
    "child policies must be subset of parent"
  ]
}

Policies I'm using:

techrel-machine-manager.hcl

# Allow all actions on path "auth/token/create" (create a token)
path "auth/token/create" {
  capabilities = ["read", "list", "create", "update", "patch", "delete"]
}
# Allow all actions on path "auth/token/create-orphan" (create an orphan token)
path "auth/token/create-orphan" {
  capabilities = ["read", "list", "create", "update", "patch", "delete"]
}
#Allow all actions on path "auth/token/lookup-self" (token looks up its own token)
path "auth/token/lookup-self" {
  capabilities = ["read", "list"]
}
# Allow all actions on path "postgres/+/*"; covers "postgres/techrel_db/config" (look up key-value info about PostgreSQL); using "+" covers any DB name
path "postgres/+/*" {
  capabilities = ["read", "list", "create", "update", "patch", "delete"]
}
# Allow all actions on path path "postgres/+/roles/*"  (look up key-value for roles in a PostgreSQL DB);  using "+" covers any DB name
path "postgres/+/roles/*" {
  capabilities = ["read", "list", "create", "update", "patch", "delete"]
}

techrel-reader.hcl

# Allow read & list actions on path "auth/token/create" (create a token)
path "auth/token/create" {
  capabilities = ["read", "list"]
}
# Allow read & list actions on path "auth/token/create-orphan" (create an orphan token)
path "auth/token/create-orphan" {
  capabilities = ["read", "list"]
}
#Allow read & list actions on path "auth/token/lookup-self" (token looks up its own token)
path "auth/token/lookup-self" {
  capabilities = ["read", "list"]
}
# Allow read & list actions on path "postgres/+/*"; covers "postgres/techrel_db/config" (look up key-value info about PostgreSQL); using "+" covers any DB name
path "postgres/+/*" {
  capabilities = ["read", "list"]
}
# Allow read & list actions on path "postgres/+/roles/*"  (look up key-value for roles in a PostgreSQL DB);  using "+" covers all DB names
path "postgres/+/roles/*" {
  capabilities = ["read", "list"]
}

Reproduce the problem:

1. Define the techrel-machine-manager policy on your system.
2. Define the techrel-reader policy on your system.
3. Create a token using the techrel-machine-manager policy. This token is created with root as the parent. I'm using a API call via curl that looks like this to do this.

curl --cacert /opt/openbao/tls/ca.crt -X POST -H "Authorization: Bearer <root_token>" \
 -H "Content-Type: application/json" \
 -d '{"policies": ["`techrel-machine-manager"], "ttl": "72h", "renewable": true}' \
 https://localhost:8200/v1/auth/

4. Save the token somewhere as it will be used in the next step. I'll refer to this token as <machine_mgr_token>
5. Try to create a new token use the <machine_mgr_token> as the parent.

curl --cacert /opt/openbao/tls/ca.crt -X POST -H "Authorization: Bearer <machine_mgr_token>" \
 -H "Content-Type: application/json" \
 -d '{"policies": ["techrel-reader"], "ttl": "72h", "renewable": true}' \
 https://localhost:8200/v1/auth/token/create

This command should produce the "child policies must be subset of parent" error.

My temporary workaround this problem:

I order to continue moving forward on my project, I have define a token that has the root policy. Then I'm using that token to define a child token that uses the techrel-reader policy. I think this will open my system to security issues since I'll have a token being used in my python code that uses this machine_mgr_token token.

Possible bug:

I am a programmer by profession and training but I do not know the go language.
I did look up the string "child policies must be subset of parent" in the source code for OpenBao. I found 2 locations where it is used:

• vault/token_store.go
  In this case, it is in a block of code that looks like this:

if !strutil.StrListSubset(sanitizedParentPolicies, sanitizedInputPolicies) {
    return logical.ErrorResponse("child policies must be subset of parent"), logical.ErrInvalidRequest
}

• vault/token_store_test.go
  In this case, it is in a block of code that looks like this:

if resp.Data["error"] != "child policies must be subset of parent" {
    t.Fatalf("bad: %#v", resp)
}

Since I don't know go, I couldn't follow the logic any further. But applying the principles from other programming languages that I do know, it appears as if logic in vault/token_store.go is looking a the capabilities collection/array and comparing the subset (the child policy) with the parent policy. Give the way I wrote the policies, I don't see why I should be getting an error. That's why I suggest it could be a bug.

My use case:

What I'm trying to accomplish with the techrel-machine-manager policy is to create authority to provide a full range of functionality to for postgres and auth/token paths. A token with this policy would fulfill an administrative role by creating tokens for users that have the techrel-reader policy. Users with a token with the techrel-reader policy would be database users and they would use the secrets in the postgre path to connect to the DB & to get their DB role name.

Improved error message

From my point of view, the error message is extremely unhelpful. I would like to see a change in the code to provide the context of the error to help the user figure out how to fix the failing policy.

Other possible causes

Since I'm so new to OpenBao, it could by my own ignorance of how policies work. I've tried my best to figure out how they work but I found the documentation hard to understand.

Please help

I would appreciate any help that anyone can offer in helping me resolve this issue. it-man at mailfwdr.com

[cipherboy]

@itman53 Hmm, I think this error message is confusing and I'd definitely welcome a PR to clarify it.

I believe it is saying that, the list of policy names on the child token should be a subset of the list of policy names on the parent. So you'd have to add the techrel-reader policy to the parent token for it to work.

(That is, there is no logic which says whether a given policy is a direct subset of another policy, we merely compare names as you found, and this is expected.)

---

That said, I rarely find this type of direct token creation to quite be the right solution. What was your end to end use case here and auth flow here?

[itman53]

cipherboy,

Thanks for your reply. I have updated my original post to reflect my use case. I hope that statement is clear enough.

I understand, in general what the message is trying to say. What I don't understand (can't understand because the error message is not specific enough about where the problem lies), is how to fix the problem.

You said that to fix the problem I had to:

"So you'd have to add the techrel-reader policy to the parent token for it to work."

There in lies my problem. I guess I have no idea how to accomplish this. I worked with ChatGPT for a couple of days trying to resolve this problem and it recommended adding this statement allowed_policies = ["techrel-reader"] to every path in the techrel-machine-manager policy. As far as I can tell the allowed_policies keyword is not supported in OpenBao (I got an error when I tried to update the policy with this statement). So if you can tell me how to accomplish what you suggested that should solve my problem.

I appreciate your help.

[cipherboy]

@itman53 Not quite. In step 3 above:

curl --cacert /opt/openbao/tls/ca.crt -X POST -H "Authorization: Bearer <root_token>" \
 -H "Content-Type: application/json" \
 -d '{"policies": ["`techrel-machine-manager"], "ttl": "72h", "renewable": true}' \
 https://localhost:8200/v1/auth/

(Editor: is this path truncated?)

You'd update policies to include two policies:

curl --cacert /opt/openbao/tls/ca.crt -X POST -H "Authorization: Bearer <root_token>" \
 -H "Content-Type: application/json" \
 -d '{"policies": ["`techrel-machine-manager","techrel-reader"], "ttl": "72h", "renewable": true}' \
 https://localhost:8200/v1/auth/

Then this token can create new tokens with just the reader policy.

[itman53]

ciperboy,

Thanks for the reply.

First a comment, the URLs you used in the 2 curl commands weren't complete. They gave me an error message "cannot write to a path ending in '/'". I fixed this error by adding "token/create" to the end of the URL.

At first I didn't understand what you were suggesting. If I understand you, you are saying to use the 2nd curl command you provided to create the admin type of token (I name it machineAdmin). Then use the machineAdmin token to authorize (thus becoming the parent) creation a token with only the "techrel-reader" policy (I'll call this a a dbUser token. I tested this concept and it was able to create a token that only hadthe "techrel-reader" policy .

So, this seems to resolve my issue. Thank you so much for your help. I doubt I would have thought about this solution on my own. It would be great if the OpenBao documentation explained this concept.

If I have further problems (like the dbUser token can't do everything I want), then I'll post more on this thread.