From 4511832bdfa6ee3ea608afac041b21851d0c7d13 Mon Sep 17 00:00:00 2001
From: Brian Kassouf
Date: Tue, 11 Dec 2018 17:21:23 -0800
Subject: [PATCH] Fix plugin reload when in a namespace (#5937)

---
 vault/logical_system.go | 19 +++++++++++++------
 vault/plugin_reload.go  |  6 +++---
 vault/testing.go        |  7 +++++++
 3 files changed, 23 insertions(+), 9 deletions(-)

diff --git a/vault/logical_system.go b/vault/logical_system.go
index 20942bb843a2..7113df45f87f 100644
--- a/vault/logical_system.go
+++ b/vault/logical_system.go
@@ -1411,7 +1411,11 @@ func (b *SystemBackend) handleTuneWriteCommon(ctx context.Context, path string,
 	// Reload the backend to kick off the upgrade process. It should only apply to KV backend so we
 	// trigger based on the version logic above.
 	if kvUpgraded {
-		b.Core.reloadBackendCommon(ctx, mountEntry, strings.HasPrefix(path, credentialRoutePrefix))
+		err = b.Core.reloadBackendCommon(ctx, mountEntry, strings.HasPrefix(path, credentialRoutePrefix))
+		if err != nil {
+			b.Core.logger.Error("mount tuning of options: could not reload backend", "error", err, "path", path, "options", options)
+		}
+
 	}
 }
 
@@ -2894,6 +2898,11 @@ func (b *SystemBackend) pathInternalUIMountRead(ctx context.Context, req *logica
 	errResp := logical.ErrorResponse(fmt.Sprintf("preflight capability check returned 403, please ensure client's policies grant access to path %q", path))
 
+	ns, err := namespace.FromContext(ctx)
+	if err != nil {
+		return nil, err
+	}
+
 	me := b.Core.router.MatchingMountEntry(ctx, path)
 	if me == nil {
 		// Return a permission denied error here so this path cannot be used to
@@ -2905,6 +2914,9 @@ func (b *SystemBackend) pathInternalUIMountRead(ctx context.Context, req *logica
 		Data: mountInfo(me),
 	}
 	resp.Data["path"] = me.Path
+	if ns.ID != me.Namespace().ID {
+		resp.Data["path"] = me.Namespace().Path + me.Path
+	}
 
 	// Load the ACL policies so we can walk the prefix for this mount
 	acl, te, entity, _, err := b.Core.fetchACLTokenEntryAndEntity(ctx, req)
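Review bot: The reload error in the `if kvUpgraded` block is logged and then dropped, so a tune that has already persisted a KV version bump still returns success to the caller even though the running backend was not reloaded, and the mount keeps serving the old version until something else reloads it. It should be surfaced to the caller: either return the wrapped error, or, if the tune must not fail once the config is stored, attach a warning such as `resp.AddWarning(fmt.Sprintf("backend reload failed, reload the mount manually: %v", err))` — assuming the function already builds a `resp`, which lies outside the hunk. The empty added line before the closing `}` of that block can be dropped. handleTuneWriteCommon starts and ends outside the hunk.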
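Review bot: The response path is now qualified with the mount's own namespace when it differs from the caller's (`me.Namespace().Path + me.Path`), but the access check in the next hunk (-2924) still builds the ACL path from the caller's namespace as `ns.Path+me.Path`; for a mount resolved in a namespace other than the caller's, those two paths disagree, and the authorization check is evaluated against a path the mount does not live at. If hasMountAccess expects the mount's absolute location, the check should use the same `me.Namespace().Path + me.Path` prefix as the response; if the two namespaces can legitimately differ only in ways that make `ns.Path+me.Path` correct, a short comment stating that invariant next to the new `if` would save the next reader the same question. pathInternalUIMountRead starts and ends outside the hunk.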
@@ -2924,11 +2936,6 @@ func (b *SystemBackend) pathInternalUIMountRead(ctx context.Context, req *logica
 		return nil, logical.ErrPermissionDenied
 	}
 
-	ns, err := namespace.FromContext(ctx)
-	if err != nil {
-		return nil, err
-	}
-
 	if !hasMountAccess(ctx, acl, ns.Path+me.Path) {
 		return errResp, logical.ErrPermissionDenied
 	}
diff --git a/vault/plugin_reload.go b/vault/plugin_reload.go
index fdd095cdeda4..3e939e4cf0c3 100644
--- a/vault/plugin_reload.go
+++ b/vault/plugin_reload.go
@@ -50,7 +50,7 @@ func (c *Core) reloadMatchingPluginMounts(ctx context.Context, mounts []string)
 			errors = multierror.Append(errors, errwrap.Wrapf(fmt.Sprintf("cannot reload plugin on %q: {{err}}", mount), err))
 			continue
 		}
-		c.logger.Info("successfully reloaded plugin", "plugin", entry.Type, "path", entry.Path)
+		c.logger.Info("successfully reloaded plugin", "plugin", entry.Accessor, "path", entry.Path)
 	}
 	return errors
 }
@@ -96,7 +96,7 @@ func (c *Core) reloadMatchingPlugin(ctx context.Context, pluginName string) erro
 		if err != nil {
 			return err
 		}
-		c.logger.Info("successfully reloaded plugin", "plugin", pluginName, "path", entry.Path)
+		c.logger.Info("successfully reloaded plugin", "plugin", entry.Accessor, "path", entry.Path)
 	}
 }
 
@@ -120,7 +120,7 @@ func (c *Core) reloadBackendCommon(ctx context.Context, entry *MountEntry, isAut
 	}
 
 	// Fast-path out if the backend doesn't exist
-	raw, ok := c.router.root.Get(path)
+	raw, ok := c.router.root.Get(entry.Namespace().Path + path)
 	if !ok {
 		return nil
 	}
diff --git a/vault/testing.go b/vault/testing.go
index 91aa38020210..fd19d47a1eda 100644
--- a/vault/testing.go
+++ b/vault/testing.go
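Review bot: The log key `plugin` now carries the mount accessor instead of the plugin type here and instead of the plugin name in the -96 hunk, so an operator reading `successfully reloaded plugin` can no longer tell which plugin was reloaded, and in -96 `pluginName` disappears from the line altogether. Keep the identifying name and add the accessor under its own key: `c.logger.Info("successfully reloaded plugin", "plugin", entry.Type, "accessor", entry.Accessor, "path", entry.Path)` here, and `"plugin", pluginName, "accessor", entry.Accessor` in -96. Both enclosing functions start outside their hunks.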
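Review bot: The router lookup key changes to `entry.Namespace().Path + path` with no comment on why, while the `path` value it extends is computed above the hunk; a one-line comment such as `// router keys are namespace-qualified, so a bare mount path only matches root-namespace mounts` (adjusted to whatever root.Get actually expects) would make the fix self-explaining. `entry.Namespace()` is also dereferenced unconditionally here; if a MountEntry can ever lack a namespace during startup or migration this would panic inside the reload path, which is worth confirming. reloadBackendCommon continues outside the hunk.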
@@ -150,6 +150,13 @@ func TestCoreWithSealAndUI(t testing.T, opts *CoreConfig) *Core {
 	conf.LicensingConfig = opts.LicensingConfig
 	conf.DisableKeyEncodingChecks = opts.DisableKeyEncodingChecks
 
+	for k, v := range opts.LogicalBackends {
+		conf.LogicalBackends[k] = v
+	}
+	for k, v := range opts.CredentialBackends {
+		conf.CredentialBackends[k] = v
+	}
+
 	c, err := NewCore(conf)
 	if err != nil {
 		t.Fatalf("err: %s", err)
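Review bot: The two loops assign into `conf.LogicalBackends` and `conf.CredentialBackends` without checking that those maps are non-nil; `conf` is built above the hunk, and if either map is not initialized there, the first test that passes `opts.LogicalBackends` panics on assignment to a nil map. If initialization is not guaranteed, add a guard before each loop, e.g. `if conf.LogicalBackends == nil { conf.LogicalBackends = make(map[string]logical.Factory) }` using the map type CoreConfig declares. Entries supplied by the caller also silently override any default registered under the same key, which is presumably intended and deserves a one-line comment saying so. TestCoreWithSealAndUI continues outside the hunk.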