OpenBao doesn't recognize valid Vault HVS tokens #297

Open
AdrianAbraham opened this issue Apr 17, 2024 · 2 comments · May be fixed by #298
Labels
bug Something isn't working

Comments

@AdrianAbraham

AdrianAbraham commented Apr 17, 2024

Describe the bug
OpenBao doesn't recognize valid existing Vault tokens.

More specifically, Vault versions since 1.10 issue "hvs" tokens while OpenBao issues — and only seems to recognize — the pre-1.10 "s" tokens.

Any attempt to use an hvs token produces:

Error making API request.

URL: GET <the url>
Code: 500. Errors:

* error performing token check: failed to look up namespace from the token: no namespace

To Reproduce

  1. Log into Vault and receive an hvs token
  2. Shut down Vault and run OpenBao against the same data folder
  3. Attempt to perform any operation using the Vault token
  4. See error

Expected behavior
Existing Vault tokens should continue to work in OpenBao. Failing that, the error should clearly communicate that Vault tokens aren't valid and that existing tokens need to be regenerated.

Environment:

  • OpenBao Server Version (retrieve with bao status): 2.0.0-alpha20240329
  • OpenBao CLI Version (retrieve with bao version): 2.0.0-alpha20240329
  • Server Operating System/Architecture: Fedora 39 / x86_64
@AdrianAbraham AdrianAbraham added the bug Something isn't working label Apr 17, 2024
@cipherboy
Contributor

cipherboy commented Apr 17, 2024

We might want to have a discussion as a community about this one later, perhaps at this week's call @naphelps.

One of the reasons why I wanted to remove this is that the SSCT format contains extra information that isn't necessary: it contains cross-cluster WAL indices, so that requests to multiple Performance Secondary clusters can be rejected or retried until the cluster is up-to-date with some state.

While nice, we do not, and likely will not, have multiple clusters and thus will not require this.

Thus the conversation could revolve around, do we want to keep this around forever (for migration purposes) or drop it after GA for the next major release and if so, what mitigations are OK? Can we err with a more helpful message that SSCTs aren't accepted and fail? Or should we attempt to support read-only SSCTs and strictly generate new (old, non-SSCT format) tokens?

Given that we are now at alpha->GA, perhaps breaking SSCTs now is a better time to make this change and handle the breakage, as @AdrianAbraham commented on #openbao-general:

Any chance we can get a "Sorry, OpenBao doesn't support Vault tokens" error instead of the "no namespace" error?


Edit: some notes on cleaner removal semantics:

  • Cleaner error message when an old format token is used.
  • We'll want to validate tidy removal works.
  • Leases are (sometimes) bound to token expiry; are we expecting to re-issue everything?

Other considerations?
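A prefix check of the kind the "cleaner error message" bullet above and the #openbao-general request describe, as an added example in Go that is not OpenBao's or Vault's code. It assumes the Vault token prefixes: hvs., hvb. and hvr. for the 1.10+ service, batch and recovery formats, and s. and b. for the legacy formats OpenBao issues. The names ClassifyToken, NeedsReissue and ErrVaultTokenUnsupported, the error messages, the sample token strings, and the decision to treat unprefixed tokens as unknown are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// TokenFormat classifies a client token by the prefix it carries.
type TokenFormat int

const (
	FormatUnknown       TokenFormat = iota
	FormatLegacyService             // "s."   legacy service token (the format OpenBao issues)
	FormatLegacyBatch               // "b."   legacy batch token
	FormatSSCTService               // "hvs." Vault 1.10+ server-side consistent service token
	FormatSSCTBatch                 // "hvb." Vault 1.10+ batch token
	FormatSSCTRecovery              // "hvr." Vault 1.10+ recovery token
)

// ErrVaultTokenUnsupported is the explicit, user-facing error this example
// returns in place of the misleading "no namespace" lookup failure.
var ErrVaultTokenUnsupported = errors.New(
	"OpenBao does not accept Vault SSCT-format tokens; re-authenticate to obtain a new token")

// prefixes lists each recognized prefix with its format. The "hv*" entries
// come first so that a legacy "s."/"b." check never shadows them.
var prefixes = []struct {
	prefix string
	format TokenFormat
}{
	{"hvs.", FormatSSCTService},
	{"hvb.", FormatSSCTBatch},
	{"hvr.", FormatSSCTRecovery},
	{"s.", FormatLegacyService},
	{"b.", FormatLegacyBatch},
}

// ClassifyToken reports the token's format. For SSCT-format tokens it
// returns ErrVaultTokenUnsupported (wrapped with the offending prefix) so a
// request handler can fail early with a clear message. Unprefixed tokens are
// treated as unknown here; that is a simplification made by this example.
func ClassifyToken(tok string) (TokenFormat, error) {
	tok = strings.TrimSpace(tok)
	if tok == "" {
		return FormatUnknown, errors.New("missing client token")
	}
	for _, p := range prefixes {
		if !strings.HasPrefix(tok, p.prefix) {
			continue
		}
		switch p.format {
		case FormatSSCTService, FormatSSCTBatch, FormatSSCTRecovery:
			return p.format, fmt.Errorf("%w (prefix %q)", ErrVaultTokenUnsupported, p.prefix)
		default:
			return p.format, nil
		}
	}
	return FormatUnknown, fmt.Errorf("unrecognized token format (prefix %q)", prefixOf(tok))
}

// prefixOf returns the token up to and including its first '.', or the whole
// token when it has none; used only to build error messages.
func prefixOf(tok string) string {
	if i := strings.IndexByte(tok, '.'); i >= 0 {
		return tok[:i+1]
	}
	return tok
}

// NeedsReissue returns the tokens that would stop working once OpenBao is
// pointed at a Vault data directory, so an operator can plan re-authentication
// (stored root tokens included) before the cut-over rather than after it.
func NeedsReissue(tokens []string) []string {
	var out []string
	for _, t := range tokens {
		if _, err := ClassifyToken(t); errors.Is(err, ErrVaultTokenUnsupported) {
			out = append(out, t)
		}
	}
	return out
}

func main() {
	// Constructed sample tokens; the bodies after the prefix are not real token material.
	samples := []string{"hvs.CAESIexample", "s.legacyexample", "b.batchexample", "hvr.recoveryexample"}
	for _, t := range samples {
		f, err := ClassifyToken(t)
		fmt.Printf("%-22s format=%d err=%v\n", t, f, err)
	}
	fmt.Println("needs re-issue:", NeedsReissue(samples))
}
```

Running a check like this over the tokens clients hold before swapping the binary turns the surprise at step 3 of the reproduction into a planned re-authentication; wired into the token lookup path, the wrapped error is what the client sees instead of "no namespace".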

cipherboy added a commit to cipherboy/openbao that referenced this issue Apr 17, 2024
This reverts commit 1f2635c.
As discussed on #openbao-general, this breaks existing migrations:
anyone with SSCT tokens present in token store would lose all
existing tokens and need to re-auth everything. This is moderately
more disruptive for root tokens in particular, as
`operator generate-root` would need to be taken (and sometimes
these root tokens are stored but not used, as they don't necessarily
expire).

This reasonably breaks the "drop-in migration" guarantees of a Raft
storage backend, and thus will be reverted for the time being.

Other than the protobuf regeneration (which makes sense as it is an
auto-generated file anyways), this was a clean revert.

Resolves: openbao#297

Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
@naphelps
Member

Adding to the agenda.
