Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix plugin reload mounts #15579

Merged
merged 9 commits into from May 25, 2022
Merged

Fix plugin reload mounts #15579

merged 9 commits into from May 25, 2022

Conversation

fairclothjm
Copy link
Contributor

Fix a bug where the command vault plugin reload -mounts <plugin-mount-path> silently fails for auth plugins. This bug results in the plugin process is not actually getting killed/cleaned up but reports that the reload was successful.

This change allows the -mounts flag to except any of

  • sys/auth/foo/
  • sys/auth/foo
  • auth/foo/
  • auth/foo

for an auth plugin mounted with vault auth enable -path=foo my-foo-auth-plugin; or

  • bar/
  • bar

for a secrets plugin mounted with vault secrets enable -path=bar my-bar-secrets-plugin

Additionally, we add some docs examples for the unintuitive vault plugin reload ... commands.

austingebauer
austingebauer approved these changes May 24, 2022
View reviewed changes
Copy link
Member

@austingebauer austingebauer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me 👍

robmonte
robmonte reviewed May 24, 2022
View reviewed changes
vault/plugin_reload.go
Comment on lines 53 to 54
if ns.ID != entry.Namespace().ID {
continue
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks like it would also be returning a fake success here when in fact the reload fails. Would changing this too also be an improvement?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good thinking! I wasn't sure so I tested it and we get the following error when using namespaces

Error reloading plugin/mounts: Error making API request.

Namespace: ns2/
URL: PUT http://127.0.0.1:8200/v1/sys/plugins/reload/backend
Code: 500. Errors:

* 3 errors occurred:
	* cannot fetch mount entry on "auth/userpass-single-sdk-1_9-1/"
	* cannot fetch mount entry on "auth/userpass-single-sdk-1_9-2/"
	* cannot fetch mount entry on "auth/userpass-single-sdk-1_9-3/"

The call to c.router.MatchingMountEntry above will ensure the namespace is applied before searching for the mount. So I think this check may be redundant?

@fairclothjm fairclothjm merged commit 6d2a218 into main May 25, 2022
@fairclothjm fairclothjm deleted the fix-plugin-reload-mounts branch May 25, 2022 18:37
Gabrielopesantos pushed a commit to Gabrielopesantos/vault that referenced this pull request Jun 6, 2022
@fairclothjm @Gabrielopesantos
Fix plugin reload mounts (hashicorp#15579)
746f384 
* fix plugin reload mounts

* do not require sys/ prefix

* update plugin reload docs with examples

* fix unit test credential read path

* update docs to reflect correct cli usage

* allow sys/auth/foo or auth/foo

* append trailing slash if it doesn't exist in request

* add changelog

* use correct changelog number
@calvn calvn added this to the 1.11.0 milestone Jun 14, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@robmonte robmonte robmonte left review comments

@austingebauer austingebauer austingebauer approved these changes

@taoism4504 taoism4504 Awaiting requested review from taoism4504

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
1.11.0
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@fairclothjm @robmonte @austingebauer @calvn