Remove Server Side Consistent Tokens (SSCTs) #203

Merged (1 commit) on Mar 14, 2024

@cipherboy cipherboy commented Mar 12, 2024

SSCTs were a Vault Enterprise feature, implemented everywhere, to
introduce tokens which encoded information about Performance Secondary
replication state into requests. This let callers pass this token to any
other server and guarantee their state is at least as fresh as this
token (by virtue of it containing a WAL index number). However, this
didn't apply to HA clusters and only to Performance Secondary cluster
types, meaning it is of limited utility to us.

We revert to the old token prefixes (s., b., and r.), rather than
continuing to use the SSC Token prefixes (hvs., hvb., and hvr.).
This ensures any utilities attempting to decode Vault's SSCTs know
these do not have the required internal structure.


Based on #197; will be rebased once that merges.

@cipherboy cipherboy force-pushed the remove-ssct-generation branch 2 times, most recently from 772aa57 to 3699cd7 Compare March 12, 2024 02:30
@cipherboy cipherboy marked this pull request as ready for review March 14, 2024 00:31
SSCTs were a Vault Enterprise feature, implemented everywhere, to
introduce tokens which encoded information about Performance Secondary
replication state into requests. This let callers pass this token to any
other server and guarantee their state is at least as fresh as this
token (by virtue of it containing a WAL index number). However, this
didn't apply to HA clusters and only to Performance Secondary cluster
types, meaning it is of limited utility to us.

We revert to the old token prefixes (`s.`, `b.`, and `r.`), rather than
continuing to use the SSC Token prefixes (`hvs.`, `hvb.`, and `hvr.`).
This ensures any utilities attempting to decode Vault's SSCTs know
these do not have the required internal structure.

Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
@naphelps naphelps merged commit 2eb7d21 into openbao:main Mar 14, 2024
69 of 79 checks passed