Reduce blocking in approle tidy by grabbing only one lock at a time. (#8418)

Revamp race test to make it aware of when tidies start/stop, and to generate dangling accessors that need cleaning up. Also run for longer but with slightly less concurrency to ensure the writes and the cleanup actually overlap.
2025-11-01 19:17:58 +00:00 · 2020-03-03 16:43:24 -05:00
parent 152b4a8447
commit 6c92f1e40b
3 changed files with 252 additions and 215 deletions
--- a/builtin/credential/approle/backend.go
+++ b/builtin/credential/approle/backend.go
@@ -3,7 +3,6 @@ package approle
 import (
 	"context"
 	"sync"
 	"time"
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/helper/consts"
@@ -57,8 +56,6 @@ type backend struct {
 	// secretIDListingLock is a dedicated lock for listing SecretIDAccessors
 	// for all the SecretIDs issued against an approle
 	secretIDListingLock sync.RWMutex
 	testTidyDelay time.Duration
 }
 func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error) {
--- a/builtin/credential/approle/path_tidy_user_id.go
+++ b/builtin/credential/approle/path_tidy_user_id.go
@@ -10,6 +10,7 @@ import (
 	"github.com/hashicorp/errwrap"
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/helper/consts"
 	"github.com/hashicorp/vault/sdk/helper/locksutil"
 	"github.com/hashicorp/vault/sdk/logical"
 )
@@ -39,9 +40,20 @@ func (b *backend) tidySecretID(ctx context.Context, req *logical.Request) (*logi
 		return resp, nil
 	}
-	s := req.Storage
+	go b.tidySecretIDinternal(req.Storage)
-	go func() {
+	resp := &logical.Response{}
 	resp.AddWarning("Tidy operation successfully started. Any information from the operation will be printed to Vault's server logs.")
 	return logical.RespondWithStatusCode(resp, req, http.StatusAccepted)
 }
 type tidyHelperSecretIDAccessor struct {
 	secretIDAccessorStorageEntry
 	saltedSecretIDAccessor string
 }
 func (b *backend) tidySecretIDinternal(s logical.Storage) {
 	defer atomic.StoreUint32(b.tidySecretIDCASGuard, 0)
 	logger := b.Logger().Named("tidy")
@@ -49,35 +61,50 @@ func (b *backend) tidySecretID(ctx context.Context, req *logical.Request) (*logi
 	checkCount := 0
 	defer func() {
 			if b.testTidyDelay > 0 {
 		logger.Trace("done checking entries", "num_entries", checkCount)
 			}
 	}()
 	// Don't cancel when the original client request goes away
-		ctx = context.Background()
+	ctx := context.Background()
-		tidyFunc := func(secretIDPrefixToUse, accessorIDPrefixToUse string) error {
+	salt, err := b.Salt(ctx)
 			logger.Trace("listing role HMACs", "prefix", secretIDPrefixToUse)
 			roleNameHMACs, err := s.List(ctx, secretIDPrefixToUse)
 	if err != nil {
-				return err
+		logger.Error("error tidying secret IDs", "error", err)
 		return
 	}
 	tidyFunc := func(secretIDPrefixToUse, accessorIDPrefixToUse string) error {
 		logger.Trace("listing accessors", "prefix", accessorIDPrefixToUse)
 		// List all the accessors and add them all to a map
 		// These hashes are the result of salting the accessor id.
 		accessorHashes, err := s.List(ctx, accessorIDPrefixToUse)
 		if err != nil {
 			return err
 		}
-			accessorMap := make(map[string]bool, len(accessorHashes))
+		skipHashes := make(map[string]bool, len(accessorHashes))
 		accHashesByLockID := make([][]tidyHelperSecretIDAccessor, 256)
 		for _, accessorHash := range accessorHashes {
-				accessorMap[accessorHash] = true
+			var entry secretIDAccessorStorageEntry
 			entryIndex := accessorIDPrefixToUse + accessorHash
 			se, err := s.Get(ctx, entryIndex)
 			if err != nil {
 				return err
 			}
 			if se == nil {
 				continue
 			}
 			err = se.DecodeJSON(&entry)
 			if err != nil {
 				return err
 			}
-			time.Sleep(b.testTidyDelay)
+			lockIdx := locksutil.LockIndexForKey(entry.SecretIDHMAC)
 			accHashesByLockID[lockIdx] = append(accHashesByLockID[lockIdx], tidyHelperSecretIDAccessor{
 				secretIDAccessorStorageEntry: entry,
 				saltedSecretIDAccessor:       accessorHash,
 			})
 		}
 		secretIDCleanupFunc := func(secretIDHMAC, roleNameHMAC, secretIDPrefixToUse string) error {
 			checkCount++
@@ -135,19 +162,20 @@ func (b *backend) tidySecretID(ctx context.Context, req *logical.Request) (*logi
 				return nil
 			}
-				// At this point, the secret ID is not expired and is valid. Delete
+			// At this point, the secret ID is not expired and is valid. Flag
-				// the corresponding accessor from the accessorMap. This will leave
+			// the corresponding accessor as not needing attention.
-				// only the dangling accessors in the map which can then be cleaned
+			skipHashes[salt.SaltID(result.SecretIDAccessor)] = true
 				// up later.
 				salt, err := b.Salt(ctx)
 				if err != nil {
 					return err
 				}
 				delete(accessorMap, salt.SaltID(result.SecretIDAccessor))
 			return nil
 		}
 		logger.Trace("listing role HMACs", "prefix", secretIDPrefixToUse)
 		roleNameHMACs, err := s.List(ctx, secretIDPrefixToUse)
 		if err != nil {
 			return err
 		}
 		for _, roleNameHMAC := range roleNameHMACs {
 			logger.Trace("listing secret ID HMACs", "role_hmac", roleNameHMAC)
 			secretIDHMACs, err := s.List(ctx, fmt.Sprintf("%s%s", secretIDPrefixToUse, roleNameHMAC))
@@ -164,59 +192,55 @@ func (b *backend) tidySecretID(ctx context.Context, req *logical.Request) (*logi
 		// Accessor indexes were not getting cleaned up until 0.9.3. This is a fix
 		// to clean up the dangling accessor entries.
-			if len(accessorMap) > 0 {
+		if len(accessorHashes) > len(skipHashes) {
-				for _, lock := range b.secretIDLocks {
+			// There is some raciness here because we're querying secretids for
-					lock.Lock()
+			// roles without having a lock while doing so.  Because
-					defer lock.Unlock()
+			// accHashesByLockID was populated previously, at worst this may
-				}
+			// mean that we fail to clean up something we ought to.
-				for accessorHash, _ := range accessorMap {
+			var allSecretIDHMACs = make(map[string]struct{})
 					logger.Trace("found dangling accessor, verifying")
 					// Ideally, locking on accessors should be performed here too
 					// but for that, accessors are required in plaintext, which are
 					// not available. The code above helps but it may still be
 					// racy.
 					// ...
 					// Look up the secret again now that we have all the locks. The
 					// lock is held when writing accessor/secret so if we have the
 					// lock we know we're not in a
 					// wrote-accessor-but-not-yet-secret case, which can be racy.
 					var entry secretIDAccessorStorageEntry
 					entryIndex := accessorIDPrefixToUse + accessorHash
 					se, err := s.Get(ctx, entryIndex)
 					if err != nil {
 						return err
 					}
 					if se != nil {
 						err = se.DecodeJSON(&entry)
 						if err != nil {
 							return err
 						}
 						// The storage entry doesn't store the role ID, so we have
 						// to go about this the long way; fortunately we shouldn't
 						// actually hit this very often
 						var found bool
 					searchloop:
 			for _, roleNameHMAC := range roleNameHMACs {
-							secretIDHMACs, err := s.List(ctx, fmt.Sprintf("%s%s", secretIDPrefixToUse, roleNameHMAC))
+				secretIDHMACs, err := s.List(ctx, secretIDPrefixToUse+roleNameHMAC)
 				if err != nil {
 					return err
 				}
 				for _, v := range secretIDHMACs {
-								if v == entry.SecretIDHMAC {
+					allSecretIDHMACs[v] = struct{}{}
 									found = true
 									logger.Trace("accessor verified, not removing")
 									break searchloop
 				}
 			}
 			tidyEntries := func(entries []tidyHelperSecretIDAccessor) error {
 				for _, entry := range entries {
 					// Don't clean up accessor index entry if secretid cleanup func
 					// determined that it should stay.
 					if _, ok := skipHashes[entry.saltedSecretIDAccessor]; ok {
 						continue
 					}
-						if !found {
+
-							logger.Trace("could not verify dangling accessor, removing")
+					// Don't clean up accessor index entry if referenced in role.
-							err = s.Delete(ctx, entryIndex)
+					if _, ok := allSecretIDHMACs[entry.SecretIDHMAC]; ok {
-							if err != nil {
+						continue
 					}
 					if err := s.Delete(context.Background(), accessorIDPrefixToUse+entry.saltedSecretIDAccessor); err != nil {
 						return err
 					}
 				}
 				return nil
 			}
 			for lockIdx, entries := range accHashesByLockID {
 				// Ideally, locking on accessors should be performed here too
 				// but for that, accessors are required in plaintext, which are
 				// not available.
 				// ...
 				// The lock is held when writing accessor/secret so if we have
 				// the lock we know we're not in a
 				// wrote-accessor-but-not-yet-secret case, which can be racy.
 				b.secretIDLocks[lockIdx].Lock()
 				err = tidyEntries(entries)
 				b.secretIDLocks[lockIdx].Unlock()
 				if err != nil {
 					return err
 				}
 			}
 		}
@@ -224,7 +248,7 @@ func (b *backend) tidySecretID(ctx context.Context, req *logical.Request) (*logi
 		return nil
 	}
-		err := tidyFunc(secretIDPrefix, secretIDAccessorPrefix)
+	err = tidyFunc(secretIDPrefix, secretIDAccessorPrefix)
 	if err != nil {
 		logger.Error("error tidying global secret IDs", "error", err)
 		return
@@ -234,11 +258,6 @@ func (b *backend) tidySecretID(ctx context.Context, req *logical.Request) (*logi
 		logger.Error("error tidying local secret IDs", "error", err)
 		return
 	}
 	}()
 	resp := &logical.Response{}
 	resp.AddWarning("Tidy operation successfully started. Any information from the operation will be printed to Vault's server logs.")
 	return logical.RespondWithStatusCode(resp, req, http.StatusAccepted)
 }
 // pathTidySecretIDUpdate is used to delete the expired SecretID entries
--- a/builtin/credential/approle/path_tidy_user_id_test.go
+++ b/builtin/credential/approle/path_tidy_user_id_test.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"sync"
 	"sync/atomic"
 	"testing"
 	"time"
@@ -91,8 +92,6 @@ func TestAppRole_TidyDanglingAccessors_RaceTest(t *testing.T) {
 	var err error
 	b, storage := createBackendWithStorage(t)
 	b.testTidyDelay = 300 * time.Millisecond
 	// Create a role
 	createRole(t, b, storage, "role1", "a,b,c")
@@ -109,14 +108,9 @@ func TestAppRole_TidyDanglingAccessors_RaceTest(t *testing.T) {
 	count := 1
 	wg := &sync.WaitGroup{}
-	now := time.Now()
+	start := time.Now()
-	started := false
+	for time.Now().Sub(start) < 10*time.Second {
-	for {
+		if time.Now().Sub(start) > 100*time.Millisecond && atomic.LoadUint32(b.tidySecretIDCASGuard) == 0 {
 		if time.Now().Sub(now) > 700*time.Millisecond {
 			break
 		}
 		if time.Now().Sub(now) > 100*time.Millisecond && !started {
 			started = true
 			_, err = b.tidySecretID(context.Background(), &logical.Request{
 				Storage: storage,
 			})
@@ -137,23 +131,50 @@ func TestAppRole_TidyDanglingAccessors_RaceTest(t *testing.T) {
 				t.Fatalf("err:%v resp:%#v", err, resp)
 			}
 		}()
 		count++
 	}
-	t.Logf("wrote %d entries", count)
+		entry, err := logical.StorageEntryJSON(
-
+			fmt.Sprintf("accessor/invalid%d", count),
-	wg.Wait()
+			&secretIDAccessorStorageEntry{
-	// Let tidy finish
+				SecretIDHMAC: "samplesecretidhmac",
-	time.Sleep(1 * time.Second)
+			},
-
+		)
-	// Run tidy again
+		err = storage.Put(context.Background(), entry)
 	_, err = b.tidySecretID(context.Background(), &logical.Request{
 		Storage: storage,
 	})
 		if err != nil {
 			t.Fatal(err)
 		}
-	time.Sleep(2 * time.Second)
+
 		count++
 		time.Sleep(100 * time.Microsecond)
 	}
 	logger := b.Logger().Named(t.Name())
 	logger.Info("wrote entries", "count", count)
 	wg.Wait()
 	// Let tidy finish
 	for atomic.LoadUint32(b.tidySecretIDCASGuard) != 0 {
 		time.Sleep(100 * time.Millisecond)
 	}
 	logger.Info("running tidy again")
 	// Run tidy again
 	secret, err := b.tidySecretID(context.Background(), &logical.Request{
 		Storage: storage,
 	})
 	if err != nil || len(secret.Warnings) > 0 {
 		t.Fatal(err, secret.Warnings)
 	}
 	// Wait for tidy to start
 	for atomic.LoadUint32(b.tidySecretIDCASGuard) == 0 {
 		time.Sleep(100 * time.Millisecond)
 	}
 	// Let tidy finish
 	for atomic.LoadUint32(b.tidySecretIDCASGuard) != 0 {
 		time.Sleep(100 * time.Millisecond)
 	}
 	accessorHashes, err := storage.List(context.Background(), "accessor/")
 	if err != nil {