scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-10-30 18:17:55 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix forwarding on token create on perf standby when an alias is created (#21100)

Browse Source 
* Fix forwarding on token create on perf stanby when an alias is created

* Changelog entry

* Fix merge issues in docs

* Fix typo
This commit is contained in:
Paul Banks
2023-06-12 15:01:18 +01:00
committed by GitHub
parent 27621e05d6
commit f2887a2535
5 changed files with 39 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
changelog/21100.txt Normal file
View File

@@ -0,0 +1,4 @@
```release-note:bug
replication (enterprise): Fix regression causing token creation against a role
with a new entity alias to be incorrectly forwarded from perf standbys.
```

14
vault/token_store.go
View File

@@ -2872,10 +2872,20 @@ func (ts *TokenStore) handleCreateCommon(ctx context.Context, req *logical.Reque
MountType: mountValidationResp.Type, MountType: mountValidationResp.Type,
} }
// Create or fetch entity from entity alias // Create or fetch entity from entity alias. Note that we might be on a perf
// standby so a create would return a ReadOnly error which would cause an
// RPC-based redirect. That path doesn't register leases since the code that
// calls RegisterAuth is in the http layer... So be careful to catch and
// handle readonly ourselves.
entity, _, err := ts.core.identityStore.CreateOrFetchEntity(ctx, alias) entity, _, err := ts.core.identityStore.CreateOrFetchEntity(ctx, alias)
if err != nil { if err != nil {
return nil, err auth := &logical.Auth{
Alias: alias,
}
entity, _, err = possiblyForwardAliasCreation(ctx, ts.core, err, auth, entity)
if err != nil {
return nil, err
}
} }
if entity == nil { if entity == nil {
return nil, errors.New("failed to create or fetch entity from given entity alias") return nil, errors.New("failed to create or fetch entity from given entity alias")

2
website/content/docs/release-notes/1.13.0.mdx
View File

@@ -115,6 +115,8 @@ Refer to this [Knowledge Base article](https://support.hashicorp.com/hc/en-us/ar
The fix for this UI issue is coming in the Vault 1.13.1 release. The fix for this UI issue is coming in the Vault 1.13.1 release.
@include 'perf-standby-token-create-forwarding-failure.mdx'
## Feature Deprecations and EOL ## Feature Deprecations and EOL
Please refer to the [Deprecation Plans and Notice](/vault/docs/deprecation) page Please refer to the [Deprecation Plans and Notice](/vault/docs/deprecation) page

2
website/content/docs/upgrading/upgrade-to-1.13.x.mdx
View File

@@ -155,3 +155,5 @@ flag for [PKI roles](/vault/api-docs/secret/pki#createupdate-role).
#### Impacted Versions #### Impacted Versions
Affects Vault 1.13.0+ Affects Vault 1.13.0+
@include 'perf-standby-token-create-forwarding-failure.mdx'

19
website/content/partials/perf-standby-token-create-forwarding-failure.mdx Normal file
View File

@@ -0,0 +1,19 @@
### Token creation with a new entity alias could silently fail
A regression caused token creation requests under specific circumstances to be
forwarded from perf standbys (Enterprise only) to the active node incorrectly.
They would appear to succeed, however no lease was created. The token would then
be revoked on first use causing a 403 error.
This only happened when all of the following conditions were met:
- the token is being created against a role
- the request specifies an entity alias which has never been used before with
the same role (for example for a brand new role or a unique alias)
- the request happens to be made to a perf standby rather than the active node
Retrying token creation after the affected token is rejected would work since
the entity alias has already been created.
#### Affected Versions
Affects Vault 1.13.0 to 1.13.3. Fixed in 1.13.4.