scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-11-02 03:27:54 +00:00
Code Issues Packages Projects Releases Wiki Activity

secrets/db: improves error logs for static role rotation (#22253)

Browse Source 
* secrets/db: improves error logs for static role rotation

* use logger.With to add incremental context

* adds changelog
This commit is contained in:
Austin Gebauer
2023-08-08 16:28:31 -07:00
committed by GitHub
parent f8dd46acb8
commit a70aaf24c0
2 changed files with 21 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
builtin/logical/database/rotation.go
View File

@@ -91,9 +91,7 @@ func (b *databaseBackend) populateQueue(ctx context.Context, s logical.Storage)
log.Warn("unable to delete WAL", "error", err, "WAL ID", walEntry.walID)
}
} else {
log.Info("found WAL for role",
"role", item.Key,
"WAL ID", walEntry.walID)
log.Info("found WAL for role", "role", item.Key, "WAL ID", walEntry.walID)
item.Value = walEntry.walID
item.Priority = time.Now().Unix()
}
@@ -190,39 +188,45 @@ func (b *databaseBackend) rotateCredential(ctx context.Context, s logical.Storag
return false
}
roleName := item.Key
logger := b.Logger().With("role", roleName)
// Grab the exclusive lock for this Role, to make sure we don't incur and
// writes during the rotation process
lock := locksutil.LockForKey(b.roleLocks, item.Key)
lock := locksutil.LockForKey(b.roleLocks, roleName)
lock.Lock()
defer lock.Unlock()
// Validate the role still exists
role, err := b.StaticRole(ctx, s, item.Key)
role, err := b.StaticRole(ctx, s, roleName)
if err != nil {
b.logger.Error("unable to load role", "role", item.Key, "error", err)
logger.Error("unable to load role", "error", err)
item.Priority = time.Now().Add(10 * time.Second).Unix()
if err := b.pushItem(item); err != nil {
b.logger.Error("unable to push item on to queue", "error", err)
logger.Error("unable to push item on to queue", "error", err)
}
return true
}
if role == nil {
b.logger.Warn("role not found", "role", item.Key, "error", err)
logger.Warn("role not found", "error", err)
return true
}
logger = logger.With("database", role.DBName)
// If "now" is less than the Item priority, then this item does not need to
// be rotated
if time.Now().Unix() < item.Priority {
if err := b.pushItem(item); err != nil {
b.logger.Error("unable to push item on to queue", "error", err)
logger.Error("unable to push item on to queue", "error", err)
}
// Break out of the for loop
return false
}
input := &setStaticAccountInput{
RoleName: item.Key,
RoleName: roleName,
Role: role,
}
@@ -234,7 +238,8 @@ func (b *databaseBackend) rotateCredential(ctx context.Context, s logical.Storag
resp, err := b.setStaticAccount(ctx, s, input)
if err != nil {
b.logger.Error("unable to rotate credentials in periodic function", "error", err)
logger.Error("unable to rotate credentials in periodic function", "error", err)
// Increment the priority enough so that the next call to this method
// likely will not attempt to rotate it, as a back-off of sorts
item.Priority = time.Now().Add(10 * time.Second).Unix()
@@ -245,7 +250,7 @@ func (b *databaseBackend) rotateCredential(ctx context.Context, s logical.Storag
}
if err := b.pushItem(item); err != nil {
b.logger.Error("unable to push item on to queue", "error", err)
logger.Error("unable to push item on to queue", "error", err)
}
// Go to next item
return true
@@ -262,7 +267,7 @@ func (b *databaseBackend) rotateCredential(ctx context.Context, s logical.Storag
nextRotation := lvr.Add(role.StaticAccount.RotationPeriod)
item.Priority = nextRotation.Unix()
if err := b.pushItem(item); err != nil {
b.logger.Warn("unable to push item on to queue", "error", err)
logger.Warn("unable to push item on to queue", "error", err)
}
return true
}