Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add documentation for DR reindex endpoint #21446

Merged
merged 4 commits into from
Jul 7, 2023
Merged

Add documentation for DR reindex endpoint #21446

merged 4 commits into from
Jul 7, 2023
+53 −0

Conversation

jasonodonnell
Copy link
Contributor

@jasonodonnell jasonodonnell commented Jun 23, 2023
edited
Loading

The sys/replication/reindex endpoint doesn't work with DR so I've documented the correct endpoint.

@jasonodonnell jasonodonnell requested a review from a team as a code owner June 23, 2023 20:10
@jasonodonnell jasonodonnell enabled auto-merge (squash) June 23, 2023 20:11
@jasonodonnell jasonodonnell disabled auto-merge June 23, 2023 20:11
@maxb
Copy link
Contributor

maxb commented Jun 24, 2023

I'm no longer with an employer that maintains an Enterprise subscription, so I'm unable to check this myself, but recently I flagged some inconsistencies between the list of reindex-related sudo/root-protected paths in the code (the sudo/root-protection list is in the OSS repo) and the documentation.

#20669 (comment)

At the time, it was implied that sys/replication/reindex was the only reindex endpoint. Based on this PR now calling that into question, I suspect there is an error in the sudo/root-protection path list which results in DR reindex inconsistently not requiring sudo, whilst Performance reindex does. (The specific to DR reindex API path that is in the root protection patterns is sys/replication/dr/reindex rather than sys/replication/dr/secondary/reindex per this documentation update.)

Whilst you're looking at that, the root-protection list also contains sys/replication/performance/reindex which isn't in the documentation, and was also claimed to not exist in #20669 (comment)

I did wonder if this counted as a security bug that needed confidential reporting, but I figure the sudo requirement is a fairly minor additional layer - there's still no vulnerability unless users have been given access in ACL policies to invoke the operation, so on balance I felt it was OK to respond in context here.

@jasonodonnell
Copy link
Contributor Author

Hi @maxb!

At the time, it was implied that sys/replication/reindex was the only reindex endpoint. Based on this PR now calling that into question, I suspect there is an error in the sudo/root-protection path list which results in DR reindex inconsistently not requiring sudo, whilst Performance reindex does. (The specific to DR reindex API path that is in the root protection patterns is sys/replication/dr/reindex rather than sys/replication/dr/secondary/reindex per this documentation update.)

DR operation tokens, which is required for the DR, is treated as a special case. As far as I can tell, this is working as intended, but I'm looking into it more.

Whilst you're looking at that, the root-protection list also contains sys/replication/performance/reindex which isn't in the documentation, and was also claimed to not exist in #20669 (comment)

Thanks, I'll look into this!

@VioletHynes VioletHynes added the hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed label Jul 7, 2023
@jasonodonnell jasonodonnell merged commit 237b9f7 into main Jul 7, 2023
@jasonodonnell jasonodonnell deleted the docs/dr-reindex branch July 7, 2023 15:36
This was referenced Jul 7, 2023
Merged
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@brianshumate brianshumate

@raskchanky raskchanky

@ncabatoff ncabatoff

Assignees
No one assigned
Labels
hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed pr/no-changelog pr/no-milestone
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@jasonodonnell @maxb @brianshumate @VioletHynes