Token created with orphan/no_parent does not display as orphan #1465

Closed
VinayMadyalkar opened this issue May 27, 2016 · 2 comments

@VinayMadyalkar

With reference to the issue: Token backend documentation inconsistencies

I try creating an "orphan" token from the command line in the following way:

C:\vault-Insecure>vault token-create -ttl="60m" -orphan=true -role=test-role
Key             Value
token           a75740e4-74d8-58fb-69fd-a54b75630a98
token_accessor  efd16586-a663-0818-aaca-f00c24980c25
token_duration  3600
token_renewable true
token_policies  [test-policy default]

C:\vault-Insecure>set VAULT_TOKEN=a75740e4-74d8-58fb-69fd-a54b75630a98

C:\Consul\vault-Insecure>vault token-lookup
Key             Value
accessor        efd16586-a663-0818-aaca-f00c24980c25
creation_time   1.464343043e+09
creation_ttl    3600
display_name    token
id              a75740e4-74d8-58fb-69fd-a54b75630a98
meta            <nil>
num_uses        0
orphan          false
path            auth/token/create/test-role
policies        [test-policy default]
role            test-role
ttl             3576 

I try to create an "orphan" token from the REST API in the following way:
http://localhost:8200/v1/auth/token/create/test-role
Header

X-Vault-Token: 3803fd13-d07d-353d-3bc1-941b2b7ccbd3
Content-Type: application/json

Body

{
    "allowed_policies" : "test-policy",
    "no_parent" : true,
    "period" : "72h"
}

Response: 200 OK

{
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": null,
  "warnings": null,
  "auth": {
    "client_token": "12a1b640-ebf9-d99f-0e5d-6c44b3f05449",
    "accessor": "54259469-2810-087f-9e68-6b9433681e67",
    "policies": [
      "test-policy",
      "default"
    ],
    "metadata": null,
    "lease_duration": 2592000,
    "renewable": true
  }
}

Then I do a "lookup-self" on that token:

http://localhost:8200/v1/auth/token/lookup-self
X-Vault-Token: 12a1b640-ebf9-d99f-0e5d-6c44b3f05449
200 OK
{
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "accessor": "54259469-2810-087f-9e68-6b9433681e67",
    "creation_time": 1464344132,
    "creation_ttl": 2592000,
    "display_name": "token",
    "id": "12a1b640-ebf9-d99f-0e5d-6c44b3f05449",
    "meta": null,
    "num_uses": 0,
    "orphan": false,
    "path": "auth/token/create/test-role",
    "policies": [
      "test-policy",
      "default"
    ],
    "role": "test-role",
    "ttl": 2591974
  },
  "warnings": null,
  "auth": null
}

In both the above cases, I see that "orphan/no_parent" is set to 'false' which is incorrect.
This issue was found on v0.5.2 of Vault.
This looks like a display bug because I revoked the "root" vault token, but was able to read secret data stored in Vault with the newly created token.

Additional info:
I am creating an orphan token using the REST API:

http://localhost:8200/v1/auth/token/create-orphan
{
   "ttl":"720h",
   "num_uses": 0,
   "policies": ["test-policy"]
}

Token gets created, and lookup on the created token yields the following result:
{
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "accessor": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
    "creation_time": 1459952118,
    "creation_ttl": 2592000,
    "display_name": "token",
    "id": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
    "meta": null,
    "num_uses": 0,
    "orphan": true,
    "path": "auth/token/create",
    "policies": ["default", "test-policy"],
    "role": "test-role",
    "ttl": 0
  },
  "warnings": null,
  "auth": null
}

Observe that token created with this REST API has "orphan":true.
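
The behavioural check described in the report above (revoke the parent, then see whether the new token still works), written out as an added example; it is not code from the issue or from the Vault project. The function names and the injectable `request` transport are hypothetical, `auth/token/revoke-self` is a Vault endpoint not shown on this page, and treating any non-200 lookup as "revoked" is an assumption.

```python
import json
import urllib.error
import urllib.request

VAULT_ADDR = "http://localhost:8200"  # address used in the issue


def vault_request(method, path, token):
    """Default transport: returns (HTTP status, parsed JSON body or None)."""
    req = urllib.request.Request(
        f"{VAULT_ADDR}/v1/{path}", method=method,
        headers={"X-Vault-Token": token})
    try:
        with urllib.request.urlopen(req) as resp:
            body = resp.read()
            return resp.status, json.loads(body) if body else None
    except urllib.error.HTTPError as err:
        return err.code, None


def orphan_check(parent_token, child_token, request=vault_request):
    """Compare the orphan flag a lookup reports with what revocation does.

    Destructive: revokes parent_token, so run it with a throwaway parent
    on a test instance.
    """
    # 1. What the server *displays* for the child token.
    status, body = request("GET", "auth/token/lookup-self", child_token)
    if status != 200:
        raise RuntimeError(f"child lookup failed before revocation: {status}")
    reported = bool(body["data"]["orphan"])

    # 2. Revoke the parent; non-orphan children are revoked along with it.
    status, _ = request("POST", "auth/token/revoke-self", parent_token)
    if status not in (200, 204):
        raise RuntimeError(f"parent revocation failed: {status}")

    # 3. What the server *does*: an orphan is still usable afterwards.
    #    Assumption: any non-200 answer means the child was revoked.
    status, _ = request("GET", "auth/token/lookup-self", child_token)
    survived = status == 200

    return {
        "reported_orphan": reported,
        "survived_parent_revocation": survived,
        # False reproduces the mismatch reported in this issue.
        "consistent": reported == survived,
    }
```
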

@jefferai
Member

Thanks for reporting! As you noted this is a display bug; duplicate of #1401 / #1256 and is fixed already in master.

@VinayMadyalkar
Author

Cool, when should we expect Vault v0.5.3 to be out?
