Leases Force Revoke Prefix errors are not ignored #8853

Closed
Lyr3x opened this issue Apr 27, 2020 · 3 comments · Fixed by #16930

Lyr3x commented Apr 27, 2020

Describe the bug
When trying to force revoke prefix leases via the WebUI, errors aren't ignored. Tried to revoke database leases which don't exist anymore and got errors like:
There was an error attempting to revoke the prefix: <path>. failed to revoke "<path>/<leaseID>" (1 / 10): failed to revoke entry: resp: (*logical.Response)(nil) err: pq: role "<roleName>" does not exist.

Force revoke via CLI is working fine though:

$ vault lease revoke -f -prefix <path>
Warning! Force-removing leases can cause Vault to become out of sync with
secret engines!
Success! Force revoked any leases with prefix: <path>

To Reproduce
Steps to reproduce the behavior:

  1. Login to Vault Web Interface
  2. Navigate to Access -> Leases
  3. Choose Path
  4. Force Revoke Prefix -> Revoke

If there is a situation like described above, the error will occur and the leases aren't getting revoked.

Expected behavior
All leases are revoked successfully

Environment:

  • Vault Server Version (retrieve with vault status): 1.4.0
  • Vault CLI Version (retrieve with vault version): Vault v1.4.0
  • Server Operating System/Architecture: Docker on a Debian host machine

Vault server configuration file(s):

ui = true
listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1
}

storage "raft" {
  path = "/vault/file"
  node_id = "raft_node_1"
}
api_addr = "..."
cluster_addr = "http://127.0.0.1:8201"

telemetry {
  prometheus_retention_time = "30s",
  disable_hostname = true
}

default_lease_ttl = "168h"
max_lease_ttl = "720h"

calvn added the ui label Apr 27, 2020

calvn (Member) commented Apr 27, 2020

Thanks for the report! This might be a bug, but I'll let our frontend team investigate it and determine if that's the case.

aphorise (Contributor) commented Aug 12, 2021

@calvn on Vault 1.8.1 this is still an issue using Oracle & likely all other SQL DBs too.

The UI button Force Revoke Prefix under Access -> Leases doesn't work, nor does it behave the same as the API / CLI: vault lease revoke --force --prefix ...; the UI results in an ERROR whereas the CLI logs a WARN, although it does perform force revocations of leases as expected (unlike the UI):

# // UI Force Revoke Prefix on: database_oracle/creds
2021-08-12T19:33:04.637Z [TRACE] secrets.database.database_03b44f23.oracle-database-plugin: delete user: transport="" status=started
2021-08-12T19:33:04.663Z [TRACE] secrets.database.database_03b44f23.oracle-database-plugin: delete user: transport="" status=finished
err=
| unable to update user: rpc error: code = Internal desc = unable to delete user: failed to disconnect user V_ROOT_MY_ROLE9_9RMFHYYFQMJQJJ: ORA-00942: table or view does not exist
took=26.459752ms
2021-08-12T19:33:04.663Z [ERROR] secrets.system.system_481f1912: revoke prefix failed: prefix=database_oracle/creds
error=
| failed to revoke "database_oracle/creds/my-role9/Yag6VSziJSg5cSwBz18b9T3p" (1 / 20): failed to revoke entry: resp: (*logical.Response)(nil) err: unable to update user: rpc error: code = Internal desc = unable to delete user: failed to disconnect user V_ROOT_MY_ROLE9_9RMFHYYFQMJQJJ: ORA-00942: table or view does not exist


# // vault lease revoke --force --prefix database_oracle/creds/
2021-08-12T19:33:17.140Z [TRACE] secrets.database.database_03b44f23.oracle-database-plugin: delete user: transport="" status=started
2021-08-12T19:33:17.146Z [TRACE] secrets.database.database_03b44f23.oracle-database-plugin: delete user: transport="" status=finished
err=
| unable to update user: rpc error: code = Internal desc = unable to delete user: failed to disconnect user V_ROOT_MY_ROLE9_9RMFHYYFQMJQJJ: ORA-00942: table or view does not exist
took=5.833898ms
2021-08-12T19:33:17.146Z [WARN]  expiration: revocation from the backend failed, but in force mode so ignoring:
error=
| failed to revoke entry: resp: (*logical.Response)(nil) err: unable to update user: rpc error: code = Internal desc = unable to delete user: failed to disconnect user V_ROOT_MY_ROLE9_9RMFHYYFQMJQJJ: ORA-00942: table or view does not exist
2021-08-12T19:33:17.151Z [INFO]  expiration: revoked lease: lease_id=database_oracle/creds/my-role9/Yag6VSziJSg5cSwBz18b9T3p
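
Added example (not part of the original comment and not Vault's own code): a small Python parser for server log lines like those above. It separates leases that a failed revoke-prefix run left in place from leases removed in force mode despite a backend error, the case the CLI warning says can leave Vault out of sync with the secret engine. Pairing the WARN line with the next `revoked lease` line is an assumption based on the ordering in the excerpt, and the sample log is abridged from it.

```python
import re

# Sample input: abridged from the log excerpt in the comment above.
SAMPLE_LOG = """\
2021-08-12T19:33:04.663Z [ERROR] secrets.system.system_481f1912: revoke prefix failed: prefix=database_oracle/creds
error=
| failed to revoke "database_oracle/creds/my-role9/Yag6VSziJSg5cSwBz18b9T3p" (1 / 20): failed to revoke entry: ORA-00942: table or view does not exist
2021-08-12T19:33:17.146Z [WARN]  expiration: revocation from the backend failed, but in force mode so ignoring:
error=
| failed to revoke entry: ORA-00942: table or view does not exist
2021-08-12T19:33:17.151Z [INFO]  expiration: revoked lease: lease_id=database_oracle/creds/my-role9/Yag6VSziJSg5cSwBz18b9T3p
"""

HEADER = re.compile(r"^(\S+Z) \[(\w+)\]\s+(.*)$")

def records(text):
    """Group each timestamped line with its continuation lines (error=, | ...)."""
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if current:
                yield current
            current = {"ts": m[1], "level": m[2], "msg": m[3], "detail": ""}
        elif current and line.strip():
            current["detail"] += line.lstrip("| ").strip() + " "
    if current:
        yield current

def classify(text):
    """Return one finding per lease: not_revoked, forced_backend_failed or revoked."""
    # Assumption: a force-mode WARN belongs to the next "revoked lease" INFO line.
    findings, pending_error = [], None
    for rec in records(text):
        if rec["level"] == "ERROR" and "revoke prefix failed" in rec["msg"]:
            m = re.search(r'failed to revoke "([^"]+)"', rec["detail"])
            findings.append({"lease_id": m[1] if m else None,
                             "outcome": "not_revoked", "error": rec["detail"].strip()})
        elif rec["level"] == "WARN" and "in force mode so ignoring" in rec["msg"]:
            pending_error = rec["detail"].strip()
        elif rec["level"] == "INFO" and "revoked lease" in rec["msg"]:
            lease = rec["msg"].split("lease_id=", 1)[-1]
            outcome = "forced_backend_failed" if pending_error else "revoked"
            findings.append({"lease_id": lease, "outcome": outcome, "error": pending_error})
            pending_error = None
    return findings

if __name__ == "__main__":
    for f in classify(SAMPLE_LOG):
        print(f["outcome"], f["lease_id"])
```

Leases reported as `forced_backend_failed` are the ones to check by hand on the database side, since Vault no longer tracks them.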

calvn (Member) commented Aug 12, 2021

cc'ing @hashishaw on this one.

hashishaw linked a pull request Aug 30, 2022 that will close this issue