Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

More Mount Conflict Detection #2919

Merged
merged 17 commits into from
Nov 6, 2017
Merged

More Mount Conflict Detection #2919

Show file tree
Hide file tree
Changes from 6 commits
Commits
Show all changes
17 commits
Select commit Hold shift + click to select a range
ff650e5
More Mount Conflict Detection
Jun 24, 2017
af30967
Check for mount conflicts in more places and test helper explicitly
Jun 25, 2017
d848929
Incorporate feedback and add a blurb to the docs
Jun 25, 2017
cf07549
Incorporate feedback in proper file tho
Jun 25, 2017
e8f330e
Merge branch 'master' of github.com:hashicorp/vault into mount-conflict
Jul 11, 2017
f3136f0
Use a read lock when appropriate
Jul 11, 2017
b0fbfe8
Merge branch 'master' of github.com:hashicorp/vault into mount-conflict
Jul 27, 2017
bf02212
shuffle around internal router/mount functions
Jul 27, 2017
0f36271
Merge branch 'master' of github.com:hashicorp/vault into mount-conflict
Aug 4, 2017
6836698
defer is kinda cool 🕶
Aug 4, 2017
314a032
Merge branch 'master' of github.com:hashicorp/vault into mount-conflict
Sep 17, 2017
23aa611
Merge branch 'master' of github.com:hashicorp/vault into mount-conflict
Sep 17, 2017
c03b662
Only block path stomping on new mounts
otakup0pe Sep 17, 2017
e2c0f63
Update router.go
jefferai Nov 6, 2017
5b60f6b
Update router_test.go
jefferai Nov 6, 2017
51c948f
Merge branch 'master' into mount-conflict
jefferai Nov 6, 2017
d70bcd5
Merge branch 'master' into mount-conflict
jefferai Nov 6, 2017
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions vault/auth.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -73,8 +73,8 @@ func (c *Core) enableCredential(entry *MountEntry) error {
return fmt.Errorf("token credential backend cannot be instantiated")
}

if match := c.router.MatchingMount(credentialRoutePrefix + entry.Path); match != "" {
return logical.CodedError(409, fmt.Sprintf("existing mount at %s", match))
if conflict := c.router.MountConflict(credentialRoutePrefix + entry.Path); conflict != "" {
return logical.CodedError(409, fmt.Sprintf("existing mount at %s", conflict))
}

// Generate a new UUID and view
Expand Down
4 changes: 2 additions & 2 deletions vault/mount.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -213,8 +213,8 @@ func (c *Core) mount(entry *MountEntry) error {
c.mountsLock.Lock()
defer c.mountsLock.Unlock()

// Verify there is no conflicting mount
if match := c.router.MatchingMount(entry.Path); match != "" {
// Verify there are no conflicting mounts
if match := c.router.MountConflict(entry.Path); match != "" {
return logical.CodedError(409, fmt.Sprintf("existing mount at %s", match))
}

Expand Down
40 changes: 40 additions & 0 deletions vault/router.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -62,6 +62,13 @@ func (r *Router) Mount(backend logical.Backend, prefix string, mountEntry *Mount
if existing, _, ok := r.root.LongestPrefix(prefix); ok && existing != "" {
return fmt.Errorf("cannot mount under existing mount '%s'", existing)
}
// If this is a secret backend, check to see if the prefix conflicts
// with an existing mountpoint
if prefix != "" {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm pretty sure that we don't allow empty prefixes in the API calls or core mount function. Have you seen this? This if seems unnecessary.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, this check appears unnecessary.

if match := r.matchingPrefixInternal(prefix); match != "" {
Copy link
Contributor

@chrishoffman chrishoffman Jul 27, 2017
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm a little concerned about adding this check in the router. I've confirmed that adding this check will prevent servers that are in the situation of overlapping mounts from unsealing, where they would start fine before. This may be ok since vault will never unseal and you can just downgrade to the earlier version, move the mounts, and then proceed with the upgrade. It's at the very least something to add to the upgrade docs. @jefferai thoughts?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let me know how to proceed. I can add some context on the upgrade docs, or is handling the data migration something we want to consider?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think my preference here would be to allow it in the router but not the mount code. So existing setups will work, but it won't be allowed for new mounts.

return fmt.Errorf("cannot mount over existing mount '%s'", match)
}
}

// Build the paths
paths := backend.SpecialPaths()
Expand Down Expand Up @@ -205,6 +212,39 @@ func (r *Router) MatchingMount(path string) string {
return mount
}

// matchingPrefixInternal returns a mount prefix that a path may be a part of
func (r *Router) matchingPrefixInternal(path string) string {
var existing string = ""
fn := func(existing_path string, _v interface{}) bool {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If this function executes at all wouldn't it mean that we've found a prefix? Is the if check unnecessary here?

if strings.HasPrefix(existing_path, path) {
existing = existing_path
return true
}
return false
}
r.root.WalkPrefix(path, fn)
return existing
}

// MatchingPrefix is like matchingPrefixInternal but locks the router
func (r *Router) MatchingPrefix(path string) string {
r.l.RLock()
match := r.matchingPrefixInternal(path)
r.l.RUnlock()
return match
}

// MountConflict determines if there are potential path conflicts
func (r *Router) MountConflict(path string) string {
if exact_match := r.MatchingMount(path); exact_match != "" {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Really this function should grab a single read lock for the entire function and then call matchingMountInternal and matchingPrefixInternal. That way nothing can change between the two functions.

return exact_match
}
if prefix_match := r.MatchingPrefix(path); prefix_match != "" {
return prefix_match
}
return ""
}

// MatchingView returns the view used for a path
func (r *Router) MatchingStorageView(path string) *BarrierView {
r.l.RLock()
Expand Down
22 changes: 22 additions & 0 deletions vault/router_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -99,6 +99,28 @@ func TestRouter_Mount(t *testing.T) {
t.Fatalf("err: %v", err)
}

meUUID, err = uuid.GenerateUUID()
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we move this to be placed just above the definition of subMountEntry?

if err != nil {
t.Fatal(err)
}

subMountEntry := &MountEntry{
Path: "prod/",
UUID: meUUID,
}

if r.MountConflict("prod/aws/") == "" {
t.Fatalf("bad: prod/aws/")
}
if r.MountConflict("prod/") == "" {
t.Fatalf("bad: prod/")
}

err = r.Mount(n, "prod/", subMountEntry, view)
if !strings.Contains(err.Error(), "cannot mount over existing mount") {
t.Fatalf("err: %v", err)
}

if path := r.MatchingMount("prod/aws/foo"); path != "prod/aws/" {
t.Fatalf("bad: %s", path)
}
Expand Down
7 changes: 7 additions & 0 deletions website/source/docs/secrets/index.html.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -59,6 +59,13 @@ Once a secret backend is mounted, you can interact with it directly
at its mount point according to its own API. You can use the `vault path-help`
system to determine the paths it responds to.

Note that mount points cannot conflict with each other in Vault. There are
two broad implications of this fact. The first is that you cannot have
a mount which is prefixed with an existing mount. The second is that you
cannot create a mount point that is named as a prefix of an existing mount.
As an example, the mounts `foo/bar` and `foo/baz` can peacefully coexist
with each other whereas `foo` and `foo/baz` cannot

## Barrier View

An important concept around secret backends is that they receive a
Expand Down