If one HashiCorp Vault Policy allows a capability, and another denies it, how does it decide which Policy to honor?

HashiCorp Vault is an open source tool for secrets management.

I’m using it for this purpose, and have come across a minor issue. I seemingly cannot deny access to a specific API path.

I’ve tested this on 2 different Vault clusters. And it seems like I can’t deny access to the “sys/leases/lookup” path.

Do “deny” capabilities trump the parts of policies that give explicit capabilities on a path?

It seems that that’s not the case, since the capabilities from the default policy are being favored over those in my “deny-leases” policy.

The default policy allows lease lookup:

# Allow looking up lease properties. This requires knowing the lease ID ahead
# of time and does not divulge any sensitive information.
path "sys/leases/lookup" {
    capabilities = ["update"]
}

And my creatively named “deny-leases” policy, well, you might say that it doesn’t allow lease lookup:

~ | 👾 vault policy read deny-leases
path "sys/leases*" {
  capabilities = ["deny"]
}

Let’s make ’em fight!

~ | 👾 vault token create -policy=deny-leases
Key                  Value
---                  -----
token                s.10yrKnAdsBaxTErxXxXvAuLt
token_accessor       2c8beef0kPVLuSjtSsStONgs
token_duration       768h
token_renewable      true
token_policies       ["default" "deny-leases"]
identity_policies    []
policies             ["default" "deny-leases"]
~ | 👾 export VAULT_TOKEN=s.10yrKnAdsBaxTErxXxXvAuLt
~ | 👾 curl --silent --header "X-Vault-Token: ${VAULT_TOKEN}" --data '{"lease_id": "auth/userpass/login/heyitsme/deadbeefdeadbeef85cbd6edf586527d824e09560987654321123817e96234e93"}' --request PUT "${VAULT_ADDR}/v1/sys/leases/lookup" | jq
{
  "request_id": "f98e2444-357b-bcof-feef-74b58443feef",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "expire_time": "2019-01-21T17:03:41.72395079-05:00",
    "id": "auth/userpass/login/heyitsme/deadbeefdeadbeef85cbd6edf586527d824e09560987654321123817e96234e93",
    "issue_time": "2018-12-20T17:03:41.72395019-05:00",
    "last_renewal": null,
    "renewable": true,
    "ttl": 1049229
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}
~ | 👾

Looks like the default policy “wins”, here, because its explicit allowing of that capability overrode the explicit denial in the deny-leases policy.

How does Vault decide which policy “wins”, and how would I restrict access to the lease lookup?
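The following is an added example, not part of the question or of Vault's own code. It models the precedence rules documented for Vault ACL policies (an exact path rule in any policy is chosen over glob rules; among globs the longest prefix wins; capabilities for the chosen path pattern are merged across every policy on the token; and "deny" in that merged set overrides the rest) and applies them to the two policies shown above. The `parse_policy` helper, the `sys/leases/renew` and `secret/foo` probe paths and the `DENY_LEASES_EXACT` variant are my own constructions; the model only handles a trailing `*` glob, not Vault's `+` segment wildcard.

```python
import re
from typing import Dict, List, Optional

# A parsed policy: HCL path pattern -> list of capabilities.
Policy = Dict[str, List[str]]

# Minimal parser for the subset of policy HCL used in the question
# (a `path "..." { capabilities = [...] }` block, comments ignored).
PATH_BLOCK = re.compile(
    r'path\s+"(?P<path>[^"]+)"\s*\{\s*capabilities\s*=\s*\[(?P<caps>[^\]]*)\]\s*\}'
)

def parse_policy(hcl: str) -> Policy:
    """Extract path -> capabilities from a policy document."""
    policy: Policy = {}
    for m in PATH_BLOCK.finditer(hcl):
        caps = [c.strip().strip('"') for c in m.group("caps").split(",") if c.strip()]
        policy[m.group("path")] = caps
    return policy

def matching_pattern(policies: List[Policy], request_path: str) -> Optional[str]:
    """Pick the single path pattern the model evaluates for request_path."""
    patterns = {p for pol in policies for p in pol}
    if request_path in patterns:
        return request_path                       # 1. exact match beats any glob
    globs = [p for p in patterns if p.endswith("*") and request_path.startswith(p[:-1])]
    if not globs:
        return None
    return max(globs, key=len)                    # 2. longest glob prefix wins

def effective_capabilities(policies: List[Policy], request_path: str) -> List[str]:
    """Merge capabilities for the chosen pattern across all policies; deny overrides."""
    pattern = matching_pattern(policies, request_path)
    if pattern is None:
        return ["deny"]                           # no rule at all: denied by default
    merged = set()
    for pol in policies:
        merged.update(pol.get(pattern, []))
    if "deny" in merged:
        return ["deny"]                           # 3. deny wins inside the merged set
    return sorted(merged)

def is_allowed(policies: List[Policy], request_path: str, capability: str) -> bool:
    return capability in effective_capabilities(policies, request_path)

# The default policy's lease-lookup rule, as quoted in the question.
DEFAULT_POLICY = parse_policy('''
# Allow looking up lease properties. This requires knowing the lease ID ahead
# of time and does not divulge any sensitive information.
path "sys/leases/lookup" {
    capabilities = ["update"]
}
''')

# The question's deny-leases policy: a glob, so it loses to the exact rule above.
DENY_LEASES_GLOB = parse_policy('''
path "sys/leases*" {
  capabilities = ["deny"]
}
''')

# Constructed variant: the same exact path as the default policy, so the two
# rules merge at that pattern and the deny takes precedence.
DENY_LEASES_EXACT = parse_policy('''
path "sys/leases/lookup" {
  capabilities = ["deny"]
}
''')

if __name__ == "__main__":
    token = [DEFAULT_POLICY, DENY_LEASES_GLOB]
    print("glob deny, lookup allowed?", is_allowed(token, "sys/leases/lookup", "update"))
    print("glob deny, renew caps:", effective_capabilities(token, "sys/leases/renew"))
    token = [DEFAULT_POLICY, DENY_LEASES_EXACT]
    print("exact deny, lookup allowed?", is_allowed(token, "sys/leases/lookup", "update"))
```

Under this model the request in the transcript succeeds because `sys/leases/lookup` is an exact match in the default policy and `sys/leases*` is only a glob, so the glob rule is never consulted for that path; a sibling path such as `sys/leases/renew` has no exact rule and is caught by the glob. A quick way to confirm what a token actually gets on a real cluster is `vault token capabilities <path>`, which reports the merged result.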

Is there an algorithm to decide if a word is in a finitely generated subgroup of a free group?


Let $S$ be a finite set and $F$ be the free group on that set. Is there an algorithm which takes as input a sequence $w,w_1,\ldots,w_k\in F$ and decides whether $w\in \langle w_1,\ldots,w_k\rangle$?

This question keeps appearing in some of my work. My intuition is that this has been solved somewhere. It seems very related to the Nielsen–Schreier theorem and, to my understanding, Nielsen's proof of this theorem gave an algorithm for finding a free generating set for any finitely generated subgroup of a free group, which is very closely related to this problem. I have also found various literature referring to this as a "generalized word problem" and various undecidability results relating to the problem in general, but, even though nothing suggests that this is undecidable for a free group, I have not come across any algorithm for deciding it.

How specific does a Scrying target’s knowledge of the casting have to be to decide to fail?

After reading this question, I remembered an issue I’ve had with the Scrying spell for some time. Specifically, the spell states:

If a target knows you’re casting this spell, it can fail the saving throw voluntarily if it wants to be observed.

How detailed does the target's knowledge have to be? Is it enough to say "I'll scry on you sometime in the next year", or does it have to be as detailed as "on the 23rd Oct 1491 at 12:31:09, I will scry on you"?
If it isn't the latter, the target would either have to notice something when it's scried upon, or alternatively decide to fail all saves against scrying made by you.

How specific does the target’s knowledge of your casting have to be, then?

Can someone decide to be hit?

In this question, I asked about whether a character could willingly not use their shield or Dex bonus on certain attacks due to wanting to be hit. This raises the greater question:

Can someone decide to be hit?

The question was answered here, but it is for 4e, and I am asking about 5e. This question is assuming that a hostile enemy is making an attack roll against a PC, and the PC in question wants to be hit by the attack.

liferye you decide on which funding will help your cash

liferye you decide on which funding will help your cash grow. But, if you sign on for an HSA, High Deductible Health Plans are required in adjunct to this kind of insurance plan. High Deductible Health Plans, additionally called Catastrophic medical insurance coverage, are an inexpensive health insurance plan which is enabled only after a high deductible is met of at least $1,000 for an individual rate and $2,000 for a family…
