Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

logical/aws: Harden WAL entry creation #5202

Merged
merged 7 commits into from
Sep 27, 2018
Merged

logical/aws: Harden WAL entry creation #5202

merged 7 commits into from
Sep 27, 2018

Conversation

joelthompson
Copy link
Contributor

If AWS IAM user creation failed in any way, the WAL corresponding to the
IAM user would get left around and Vault would try to roll it back.
However, because the user never existed, the rollback failed. Thus, the
WAL would essentially get "stuck" and Vault would continually attempt to
roll it back, failing every time. A similar situation could arise if the
IAM user that Vault created got deleted out of band, or if Vault deleted
it but was unable to write the lease revocation back to storage (e.g., a
storage failure).

This attempts to harden it in two ways. One is by deleting the WAL log
entry if the IAM user creation fails. However, the WAL deletion could
still fail, and this wouldn't help where the user is deleted out of
band, so second, consider the user rolled back if the user just doesn't
exist, under certain circumstances.

Fixes #5190

@joelthompson
logical/aws: Harden WAL entry creation
7c8c3f5 
If AWS IAM user creation failed in any way, the WAL corresponding to the
IAM user would get left around and Vault would try to roll it back.
However, because the user never existed, the rollback failed. Thus, the
WAL would essentially get "stuck" and Vault would continually attempt to
roll it back, failing every time. A similar situation could arise if the
IAM user that Vault created got deleted out of band, or if Vault deleted
it but was unable to write the lease revocation back to storage (e.g., a
storage failure).

This attempts to harden it in two ways. One is by deleting the WAL log
entry if the IAM user creation fails. However, the WAL deletion could
still fail, and this wouldn't help where the user is deleted out of
band, so second, consider the user rolled back if the user just doesn't
exist, under certain circumstances.

Fixes hashicorp#5190
@joelthompson joelthompson mentioned this pull request Aug 28, 2018
Closed
@chrishoffman chrishoffman added this to the 0.11.1 milestone Aug 28, 2018
jefferai
jefferai previously approved these changes Aug 28, 2018
View reviewed changes
@joelthompson
Merge remote-tracking branch 'origin/master' into invalid_aws_wal
959c478
@joelthompson
Fix segfault in expiration unit tests
511a89d 
TestExpiration_Tidy was passing in a leaseEntry that had a nil Secret,
which then caused a segfault as the changes to revokeEntry didn't check
whether Secret was nil; this is probably unlikely to occur in real life,
but good to be extra cautious.
@joelthompson
Fix potential segfault
03a8d3f 
Missed the else...
@jefferai jefferai modified the milestones: 0.11.1, 0.11.2 Sep 5, 2018
vishalnayak
vishalnayak reviewed Sep 13, 2018
View reviewed changes
builtin/logical/aws/path_user.go Outdated Show resolved Hide resolved
builtin/logical/aws/path_user.go Outdated Show resolved Hide resolved
builtin/logical/aws/path_user.go Outdated Show resolved Hide resolved
vishalnayak
vishalnayak previously approved these changes Sep 14, 2018
View reviewed changes
@chrishoffman
Copy link
Contributor

Can you back out the expiration manager changes? A bunch of work has been done in here and I am not sure this is necessary. If it is, can you create a separate PR?

@joelthompson
Copy link
Contributor Author

@chrishoffman -- I think the expiration manager changes are still necessary, but I don't know how to test for it in a good way. For the same reason that renewEntry a few lines later adds le.Secret.IssueTime I believe that revokeEntry needs to as well, unless it gets set somewhere else.

Why do you want a separate PR?

@chrishoffman
Copy link
Contributor

Mainly because it is not related to the proposed change, although I could be missing something on why this change is necessary. We normally only pass the information that is absolutely necessary to the backend and I am not sure IssueDate is required for revoke operations.

joelthompson
joelthompson commented Sep 21, 2018
View reviewed changes
builtin/logical/aws/path_user.go
// least 5 minutes old as well.
if aerr, ok := err.(awserr.Error); ok {
acceptMissingIamUsers := false
if req.Secret == nil || time.Since(req.Secret.IssueTime) > time.Duration(minAwsUserRollbackAge) {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@chrishoffman -- this line is where I need the expiration manager changes, and the comments above try to explain why.

chrishoffman
chrishoffman approved these changes Sep 27, 2018
View reviewed changes
Copy link
Contributor

@chrishoffman chrishoffman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yup, this makes sense. Thanks!

@chrishoffman chrishoffman merged commit 0510b7e into hashicorp:master Sep 27, 2018
@joelthompson joelthompson deleted the invalid_aws_wal branch September 27, 2018 15:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chrishoffman chrishoffman chrishoffman approved these changes

@jefferai jefferai jefferai left review comments

@vishalnayak vishalnayak vishalnayak left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
0.11.2
Development

Successfully merging this pull request may close these issues.
4 participants
@joelthompson @chrishoffman @jefferai @vishalnayak