Vault 1.15.2 - "Permanently delete" feature no longer working. Popin blinking and capabilities-self not returning correct capabilities #24556

Closed
ypereirareis opened this issue Dec 15, 2023 · 2 comments

Comments

@ypereirareis

Hello and thanks for the awesome tool that Vault is!

Describe the bug

  • Migration from Vault version 1.12.1 to 1.15.2 (deployed on k8s with helm chart, 0.23.0 to 0.27.0)
  • Using OIDC auth method.
  • Before the migration, a user was allowed to create secrets and then "permanently delete" them thanks to the popin at the end of the secret line.
  • Right now in version 1.15.2, without any update to secrets or policies, the same action is no longer possible, and the small popin that opens for this action kind of blinks, showing all options and then removing everything but "Details".
  • A few ajax requests sent when opening this popin return 403 errors, and the capabilities-self request no longer seems to be the same: it only has the "list" capability instead of "create", "read", "update", "list", "delete", "patch". The full path is also strange, kv/data/test-delete; there seems to be a missing part ...namespaces/links-management/...:
"kv/data/test-delete": [
        "list",
    ],
    "capabilities": [
        "list",
    ],

To Reproduce
Steps to reproduce the behavior:

  • Policies on links-management (/ui/vault/policy/acl/links-management):
path "kv/data/namespaces/links-management/*" {
  capabilities = ["create", "read", "update", "list", "delete"]
}

path "kv/delete/namespaces/links-management/*" {
  capabilities = ["update"]
}

path "kv/undelete/namespaces/links-management/*" {
  capabilities = ["update"]
}

path "kv/destroy/namespaces/links-management/*" {
  capabilities = ["update"]
}

path "kv/metadata/namespaces/links-management/*" {
  capabilities = ["list", "read", "delete"]
}

path "kv/*" {
  capabilities = ["list"]
}
  1. Open the UI
  2. Create a secret in path namespaces/links-management/test-delete
  3. Go back to the previous page and try to "permanently delete" the created secret.


Expected behavior

  • Path of secret returned by capabilities-self should be "kv/data/namespaces/links-management/test-delete" instead of "kv/data/test-delete"

MAYBE related to this issue: #24281

  • The popin should show all options and should allow to "permanently delete" this secret.

Environment:

  • Vault Server Version (retrieve with vault status):
/ $ vault status
Key                      Value
---                      -----
Recovery Seal Type       ..........................;
Initialized              true
Sealed                   false
Total Recovery Shares    5
Threshold                3
Version                  1.15.2
Build Date               2023-11-06T11:33:28Z
Storage Type             consul
Cluster Name             vault-cluster-........................
Cluster ID               0271d.......................................;4c02
HA Enabled               true
HA Cluster               https://...............
HA Mode                  standby
Active Node Address      http://................................;

  • Vault CLI Version (retrieve with vault version):
/ $ vault version
Vault v1.15.2 (cf1b5cafa047bc8e4a3f93444fcb4011593b92cb), built 2023-11-06T11:33:28Z
  • Server Operating System/Architecture:

Vault version 1.15.2 (deployed on k8s with helm chart, 0.23.0 to 0.27.0)

Additional context
The "incomplete" secret path returned by the capabilities-self ajax request may be related to this issue: #24281
Do we need to wait for the fixed version to be available in the Helm repo?

Thanks a lot.
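
Added example, not part of the original issue or of Vault's code: a simplified Python model of ACL path matching, run over the links-management policy quoted above, showing why a capabilities lookup on the truncated path kv/data/test-delete resolves to the catch-all kv/* rule and yields only "list". The function names are hypothetical, and the model assumes a single policy with only trailing-"*" globs (no "+" segments).

```python
# Simplified model of Vault ACL path matching: an exact rule wins, otherwise
# the rule with the longest prefix before a trailing "*" wins. Capabilities
# come from that single rule; they are not merged with less specific rules.
# Assumption: "+" segment wildcards and multiple policies are not modelled.

# Rules copied from the links-management policy in the report.
POLICY = {
    "kv/data/namespaces/links-management/*": ["create", "read", "update", "list", "delete"],
    "kv/delete/namespaces/links-management/*": ["update"],
    "kv/undelete/namespaces/links-management/*": ["update"],
    "kv/destroy/namespaces/links-management/*": ["update"],
    "kv/metadata/namespaces/links-management/*": ["list", "read", "delete"],
    "kv/*": ["list"],
}

KV2_PREFIXES = ("data", "delete", "undelete", "destroy", "metadata")


def capabilities(policy, path):
    """Return (matching_rule, capabilities) for path, or (None, ["deny"])."""
    if path in policy:  # exact rules beat any glob
        return path, policy[path]
    best = None
    for rule in policy:
        if rule.endswith("*") and path.startswith(rule[:-1]):
            if best is None or len(rule) > len(best):
                best = rule
    return (best, policy[best]) if best else (None, ["deny"])


def kv2_view(policy, mount, secret_path):
    """Capabilities on every KV v2 API prefix for one secret path."""
    return {
        prefix: capabilities(policy, f"{mount}/{prefix}/{secret_path}")[1]
        for prefix in KV2_PREFIXES
    }


if __name__ == "__main__":
    full = "namespaces/links-management/test-delete"  # path the secret was created at
    truncated = "test-delete"  # path returned by capabilities-self in the report
    for p in (full, truncated):
        print(p)
        for prefix, caps in kv2_view(POLICY, "kv", p).items():
            print(f"  kv/{prefix}/...: {caps}")
```
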

@ypereirareis
Author

ypereirareis commented Dec 15, 2023

Hello again,

My issue is a duplicate of #24130, sorry.

Do you know when version 1.15.5 will be released and available in the Helm repo?

Thanks!

@hashishaw
Contributor

Closed by #24404

@ypereirareis it looks like we released 1.16.1 vault (which also has this fix) with helm 0.28.0 on April 8, 2024. Thanks!
