Fix early rotation for roles with WALs, handle multiple WALs per role #28
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
tomhjp
commented
Sep 10, 2021
tomhjp
commented
Sep 14, 2021
* Respect previous WAL's new password * Ensure only 1 WAL per role * Reinstate finding a WAL => rotate immediately * Remove patch check that would stop manual rotations when popping from the queue * Add a warning to manual rotation response when rotation not immediately successful * Remove re-storing of mount config when rotating unrelated roles * Discard all WALs with a previous rotation time of 0 * Remove deleted WAL IDs from queue items * Delete unused struct fields
tomhjp
force-pushed
the
fix-early-rotation-on-init
branch
from
19f32ab to
e3eb497
Compare
|
Rebased against |
calvn
reviewed
Sep 14, 2021
kalafut
reviewed
Sep 15, 2021
kalafut
reviewed
Sep 15, 2021
|
Can we consider renaming the function |
* Take exclusive lock before reading config * Validate input before creating output struct * Comment updates
calvn
approved these changes
Sep 15, 2021
briankassouf
approved these changes
Sep 16, 2021
| merr = multierror.Append(merr, err) | ||
| } | ||
| } | ||
| } |
There was a problem hiding this comment.
I wonder if we want to do the WAL delete before the role deletion, that way we have an avenue to retry the operation if the WAL cleanup fails?
There was a problem hiding this comment.
I tried implementing this, but I think I'd prefer to leave WAL cleanup as a best effort, because although it has its own consistency problems, the other order does as well. If we delete WALs before the role and fail, we'll need to push the item back onto the queue, which itself could fail. In practice though, deleting roles and WALs both rely on the same storage layer, so at least these partial failure scenarios should be very rare.
We could address the inconsistency of leaving WALs lying around fairly robustly by keying WALs on a UUID whose lifetime is attached to a role's storage entry instead of keying WALs on the role name. That obviously wouldn't be a backport candidate though. WDYT?
There was a problem hiding this comment.
Makes sense, let's leave it as is for now and revisit any improvements in a subsequent PR
tomhjp
added a commit
that referenced
this pull request
Sep 21, 2021
* Add more WAL logging * Fix early rotation for roles with WALs, handle multiple WALs per role * Respect previous WAL's new password * Ensure only 1 WAL per role * Add a warning to manual rotation response when rotation not immediately successful * Remove re-storing of mount config when rotating unrelated roles * Discard all WALs with a previous rotation time of 0 * Remove deleted WAL IDs from queue items * Delete unused struct fields * Switch from warning to error to correct HTTP status code from 400 -> 500 * Delete WALs on failed role creation or role deletion * Take exclusive lock before reading config * Fix manual rotate not respecting WAL ID * Add tests for processing of stored WALs * Remove unnecessary multierror * Add last check on newPassword
tomhjp
added a commit
that referenced
this pull request
Sep 21, 2021
* Add more WAL logging * Fix early rotation for roles with WALs, handle multiple WALs per role * Respect previous WAL's new password * Ensure only 1 WAL per role * Add a warning to manual rotation response when rotation not immediately successful * Remove re-storing of mount config when rotating unrelated roles * Discard all WALs with a previous rotation time of 0 * Remove deleted WAL IDs from queue items * Delete unused struct fields * Switch from warning to error to correct HTTP status code from 400 -> 500 * Delete WALs on failed role creation or role deletion * Take exclusive lock before reading config * Fix manual rotate not respecting WAL ID * Add tests for processing of stored WALs * Remove unnecessary multierror * Add last check on newPassword
tomhjp
added a commit
that referenced
this pull request
Sep 21, 2021
* Add more WAL logging * Fix early rotation for roles with WALs, handle multiple WALs per role * Respect previous WAL's new password * Ensure only 1 WAL per role * Add a warning to manual rotation response when rotation not immediately successful * Remove re-storing of mount config when rotating unrelated roles * Discard all WALs with a previous rotation time of 0 * Remove deleted WAL IDs from queue items * Delete unused struct fields * Switch from warning to error to correct HTTP status code from 400 -> 500 * Delete WALs on failed role creation or role deletion * Take exclusive lock before reading config * Fix manual rotate not respecting WAL ID * Add tests for processing of stored WALs * Remove unnecessary multierror * Add last check on newPassword
This was referenced Sep 21, 2021
calvn
pushed a commit
that referenced
this pull request
Sep 21, 2021
…#31) * Add more WAL logging * Fix early rotation for roles with WALs, handle multiple WALs per role * Respect previous WAL's new password * Ensure only 1 WAL per role * Add a warning to manual rotation response when rotation not immediately successful * Remove re-storing of mount config when rotating unrelated roles * Discard all WALs with a previous rotation time of 0 * Remove deleted WAL IDs from queue items * Delete unused struct fields * Switch from warning to error to correct HTTP status code from 400 -> 500 * Delete WALs on failed role creation or role deletion * Take exclusive lock before reading config * Fix manual rotate not respecting WAL ID * Add tests for processing of stored WALs * Remove unnecessary multierror * Add last check on newPassword
calvn
pushed a commit
that referenced
this pull request
Sep 21, 2021
…#30) * Add more WAL logging * Fix early rotation for roles with WALs, handle multiple WALs per role * Respect previous WAL's new password * Ensure only 1 WAL per role * Add a warning to manual rotation response when rotation not immediately successful * Remove re-storing of mount config when rotating unrelated roles * Discard all WALs with a previous rotation time of 0 * Remove deleted WAL IDs from queue items * Delete unused struct fields * Switch from warning to error to correct HTTP status code from 400 -> 500 * Delete WALs on failed role creation or role deletion * Take exclusive lock before reading config * Fix manual rotate not respecting WAL ID * Add tests for processing of stored WALs * Remove unnecessary multierror * Add last check on newPassword
calvn
pushed a commit
that referenced
this pull request
Sep 21, 2021
…#29) * Add more WAL logging * Fix early rotation for roles with WALs, handle multiple WALs per role * Respect previous WAL's new password * Ensure only 1 WAL per role * Add a warning to manual rotation response when rotation not immediately successful * Remove re-storing of mount config when rotating unrelated roles * Discard all WALs with a previous rotation time of 0 * Remove deleted WAL IDs from queue items * Delete unused struct fields * Switch from warning to error to correct HTTP status code from 400 -> 500 * Delete WALs on failed role creation or role deletion * Take exclusive lock before reading config * Fix manual rotate not respecting WAL ID * Add tests for processing of stored WALs * Remove unnecessary multierror * Add last check on newPassword
This was referenced Sep 21, 2021
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Early rotation of credentials
Bug and repro description
When the plugin finds a WAL for a role on initialisation, it (understandably) assumes it needs to rotate the password for the role ASAP. However, the plugin also assumes there can be at most 1 WAL per role at any time, and that's not true. We can have arbitrarily old and stale WALs in storage generated by failures during manual attempts to set up or rotate a role. These only ever get a chance to be cleaned up one at a time for each initialisation the plugin goes through. As a result, we can see early password rotations occur when the plugin runs initialisation.
To illustrate, here is a scenario to reproduce an early rotation:
vault write openldap/config \ url=ldaps://vault-ad-test.example.com\ binddn="CN=vault-ad-admin,CN=Users,DC=example,DC=com" \ bindpass="some-password" \ schema=ad # Ensure the AD server is down so that this command fails # No storage entry gets created for the role itself, but it will leave a WAL behind in storage for the role anyway vault write openldap/static-role/mary \ dn="CN=mary.smith,CN=Users,DC=example,DC=com" \ username="mary.smith" \ rotation_period="48h" # To observe the dangling WAL, check the sys/raw endpoint, which should return a single WAL MOUNT_UUID=$(vault read -format=json sys/mounts | jq -r '.data["openldap/"].uuid') vault list sys/raw/logical/$MOUNT_UUID/wal # Now ensure the AD server is up again # This command should succeed, in which case create and then quickly delete a WAL, but leave the original WAL untouched vault write openldap/static-role/mary \ dn="CN=mary.smith,CN=Users,DC=example,DC=com" \ username="mary.smith" \ rotation_period="48h" # Still 1 WAL vault list sys/raw/logical/$MOUNT_UUID/wal # Read the creds vault read openldap/static-cred/mary # Reload the plugin, and on initialisation, it will see the first WAL we created and immediately rotate the role, even though it's already been rotated very recently. vault write sys/plugins/reload/backend mounts=openldap/ # Read the creds again, and you should see they've been rotated vault read openldap/static-cred/mary # WAL has been cleared vault list sys/raw/logical/$MOUNT_UUID/walFix
There are a few meaningful changes: