Add warning when generate_lease=no_store=true when writing PKI role #14292
Conversation
When no_store=true, the value of generate_lease is ignored completely (and set to false). This means that when generate_lease=true is specified by the caller of the API, it is silently swallowed. While changing the behavior could break callers, setting a warning on the response (changing from a 204->200 in the process) seems to make the most sense. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
|
Thanks for the review @stevendpclark! |
| @@ -644,6 +645,10 @@ func (b *backend) pathRoleCreate(ctx context.Context, req *logical.Request, data | |||
| // no_store implies generate_lease := false | |||
| if entry.NoStore { | |||
| *entry.GenerateLease = false | |||
| if data.Get("generate_lease").(bool) { | |||
There was a problem hiding this comment.
Would it make sense to return an error when both options are set to true?
There was a problem hiding this comment.
The docs have mentioned since the introduction of the no_store option that no_store=true sets generate_lease=false (regardless of its value), so I don't think we can necessarily make a breaking change at this point in time (which erring out would be). However, emitting a warning is the next best thing we can do for the time being. :-)
A future Vault v2 version potentially could make that change, or perhaps an equivalent amount of time with the warning. I dunno. But at least as it stands, we'd risk breaking people's existing e.g., Terraform definitions if we made that change now.
There was a problem hiding this comment.
The nice thing is a quick search shows that no public Terraform users seem to have made this mistake, but some use variables that could potentially be overridden to have the undesired behavior. Plus, I'd venture that most Terraform users keep their stuff private.
cipherboy
deleted the
cipherboy-add-warning-no-store-generate-lease-both-true
branch
When
no_store=true, the value ofgenerate_leaseis ignored completely(and set to false). This means that when
generate_lease=trueisspecified by the caller of the API, it is silently swallowed. While
changing the behavior could break callers, setting a warning on the
response (changing from a 204->200 in the process) seems to make the
most sense.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>This probably isn't that important (and can wait for 1.10 branching). I found it when looking at the docs around #14286 and thought it was interesting.
Can be tested with something like: