OpenBao doesn't recognize valid Vault HVS tokens #297
Comments
We might want to have a discussion as a community about this one later, perhaps at this week's call @naphelps. One of the reasons why I wanted to remove this is that the SSCT format contains extra information that isn't necessary: it contains cross-cluster WAL indices, so that requests to multiple Performance Secondary clusters can be rejected or retried until the cluster is up-to-date with some state. While nice, we do not, and likely will not, have multiple clusters and thus will not require this. Thus the conversation could revolve around: do we want to keep this around forever (for migration purposes) or drop it after GA for the next major release, and if so, what mitigations are OK? Can we err with a more helpful message that SSCTs aren't accepted and fail? Or should we attempt to support read-only SSCTs and strictly generate new (old, non-SSCT format) tokens? Given now is alpha->GA, perhaps breaking SSCTs now is a better time to make this change and handle the breakage as @AdrianAbraham commented on
Edit: some notes on cleaner removal semantics:
Other considerations?
This reverts commit 1f2635c.

As discussed on #openbao-general, this breaks existing migrations: anyone with SSCT tokens present in token store would lose all existing tokens and need to re-auth everything. This is moderately more disruptive for root tokens in particular, as `operator generate-root` would need to be taken (and sometimes these root tokens are stored but not used, as they don't necessarily expire). This reasonably breaks the "drop-in migration" guarantees of a Raft storage backend, and thus will be reverted for the time being.

Other than the protobuf regeneration (which makes sense as it is an auto-generated file anyways), this was a clean revert.

Resolves: openbao#297
Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
Adding to the agenda.
Describe the bug
OpenBao doesn't recognize valid existing Vault tokens.
More specifically, Vault versions since 1.10 issue "hvs" tokens while OpenBao issues — and only seems to recognize — the pre-1.10 "s" tokens.
Any attempt to use an hvs token produces:
To Reproduce
Expected behavior
Existing Vault tokens should continue to work in OpenBao. Failing that, the error should clearly communicate that Vault tokens aren't valid and that existing tokens need to be regenerated.
Environment:
- bao status: 2.0.0-alpha20240329
- bao version: 2.0.0-alpha20240329
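The discussion above turns on token prefixes: OpenBao issues and recognizes the pre-1.10 `s.`/`b.` format, while Vault 1.10+ issues `hvs.`/`hvb.` server-side consistent tokens (SSCTs), and the bug report asks that an unsupported SSCT at least fail with a clear message. The following is an added example, not OpenBao's or Vault's own code, of the "err with a more helpful message" option raised in the first comment. It only classifies a token by its documented prefix and returns a remediation-bearing error; it does not decode the SSCT payload (the WAL-index and random-part fields would need the project's protobuf definitions, which are not shown on this page). The function names, the `ErrUnsupportedSSCT` sentinel and the exact wording of the message are assumptions made for illustration; the sample tokens are constructed, not real credentials.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// TokenKind classifies a Vault/OpenBao token by its prefix.
type TokenKind int

const (
	KindUnknown       TokenKind = iota
	KindLegacyService           // "s."   pre-Vault-1.10 service token (what OpenBao issues)
	KindLegacyBatch             // "b."   pre-Vault-1.10 batch token
	KindSSCTService             // "hvs." Vault >= 1.10 server-side consistent service token
	KindSSCTBatch               // "hvb." Vault >= 1.10 server-side consistent batch token
)

func (k TokenKind) String() string {
	switch k {
	case KindLegacyService:
		return "legacy-service"
	case KindLegacyBatch:
		return "legacy-batch"
	case KindSSCTService:
		return "ssct-service"
	case KindSSCTBatch:
		return "ssct-batch"
	}
	return "unknown"
}

// ErrUnsupportedSSCT is a hypothetical sentinel so callers can distinguish
// "wrong token format" from "token not found or expired" with errors.Is.
var ErrUnsupportedSSCT = errors.New("server-side consistent (hvs./hvb.) tokens are not supported")

// ClassifyToken reports the token family from its prefix alone; it never
// consults the token store, so it is safe to run before any lookup.
func ClassifyToken(tok string) TokenKind {
	switch {
	case strings.HasPrefix(tok, "hvs."):
		return KindSSCTService
	case strings.HasPrefix(tok, "hvb."):
		return KindSSCTBatch
	case strings.HasPrefix(tok, "s."):
		return KindLegacyService
	case strings.HasPrefix(tok, "b."):
		return KindLegacyBatch
	default:
		return KindUnknown
	}
}

// CheckTokenFormat is the guard a lookup path could run first: legacy tokens
// pass through to storage, SSCTs are rejected with an actionable message
// instead of surfacing as a bare "permission denied".
func CheckTokenFormat(tok string) error {
	switch ClassifyToken(tok) {
	case KindLegacyService, KindLegacyBatch:
		return nil
	case KindSSCTService, KindSSCTBatch:
		return fmt.Errorf("%w: this token was issued by Vault 1.10 or later; "+
			"re-authenticate to obtain a token in the s./b. format "+
			"(for a root token, run `bao operator generate-root`)", ErrUnsupportedSSCT)
	default:
		return errors.New("unrecognized token format")
	}
}

func main() {
	// Constructed sample inputs (not real tokens).
	for _, tok := range []string{
		"s.abcdefghijklmnopqrstuvwx",
		"hvs.CAESIConstructedSSCTPayloadNotReal",
		"not-a-token",
	} {
		fmt.Printf("%-42s kind=%-15s err=%v\n", tok, ClassifyToken(tok), CheckTokenFormat(tok))
	}
}
```

A prefix check is deliberately the cheapest possible gate: it rejects before any storage read and cannot leak whether a token ever existed. The read-only SSCT option also raised in the thread would instead require parsing the `hvs.` payload to recover the token's random part and then looking that up as a legacy token, which this example does not attempt.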