vault: ensure that token revocation is idempotent

This ensures that token revocation is idempotent and can handle when tokens are revoked out of band. Idempotency is important to handle some transient failures and retries. Consider when a single token of a batch fails to be revoked, nomad would retry revoking the entire batch; tokens already revoked should be gracefully handled, otherwise, nomad may retry revoking the same tokens forever.
hashicorp · May 14, 2020 · ff3cf8f · ff3cf8f
1 parent 1f78c55
commit ff3cf8f
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/nomad/vault.go b/nomad/vault.go
@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"math/rand"
 	"strconv"
+	"strings"
 	"sync"
 	"sync/atomic"
 	"time"
@@ -1135,7 +1136,9 @@ func (v *vaultClient) storeForRevocation(accessors []*structs.VaultAccessor) {
 
 	now := time.Now()
 	for _, a := range accessors {
-		v.revoking[a] = now.Add(time.Duration(a.CreationTTL) * time.Second)
+		if _, ok := v.revoking[a]; !ok {
+			v.revoking[a] = now.Add(time.Duration(a.CreationTTL) * time.Second)
+		}
 	}
 	v.revLock.Unlock()
 }
@@ -1176,7 +1179,8 @@ func (v *vaultClient) parallelRevoke(ctx context.Context, accessors []*structs.V
 						return nil
 					}
 
-					if err := v.auth.RevokeAccessor(va.Accessor); err != nil {
+					err := v.auth.RevokeAccessor(va.Accessor)
+					if err != nil && !strings.Contains(err.Error(), "invalid accessor") {
 						return fmt.Errorf("failed to revoke token (alloc: %q, node: %q, task: %q): %v", va.AllocID, va.NodeID, va.Task, err)
 					}
 				case <-pCtx.Done():