Remove pre-1.0 migration paths #315

Open
cipherboy opened this issue May 2, 2024 · 0 comments
Labels
bug Something isn't working

Contributor

cipherboy commented May 2, 2024

OpenBao contains a number of migration paths from pre-1.0. It is rather difficult to find all references, but some:

  • openbao/vault/expiration.go

    Lines 2152 to 2159 in 74c2ddd

    // Downgrade logic for old-style (V0) namespace leases that had its
    // secondary index live in the root namespace. This reverts to the old
    // behavior of looking for the secondary index on these leases in the
    // root namespace to be cleaned up properly. We set it here because the
    // old behavior used the namespace's token store salt for its saltCtx.
    if le.Version < 1 {
        tokenNS = namespace.RootNamespace
    }
  • openbao/command/ssh.go

    Lines 291 to 315 in 74c2ddd

    // Credentials are generated only against a registered role. If user
    // does not specify a role with the SSH command, then lookup API is used
    // to fetch all the roles with which this IP is associated. If there is
    // only one role associated with it, use it to establish the connection.
    //
    // TODO: remove in 0.9.0, convert to validation error
    if c.flagRole == "" {
        c.UI.Warn(wrapAtLength(
            "WARNING: No -role specified. Use -role to tell OpenBao which ssh role " +
                "to use for authentication. In the future, you will need to tell " +
                "OpenBao which role to use. For now, OpenBao will attempt to guess based " +
                "on the API response. This will be removed in the Vault 1.1."))
        role, err := c.defaultRole(c.flagMountPoint, ip)
        if err != nil {
            c.UI.Error(fmt.Sprintf("Error choosing role: %v", err))
            return 1
        }
        // Print the default role chosen so that user knows the role name
        // if something doesn't work. If the role chosen is not allowed to
        // be used by the user (ACL enforcement), then user should see an
        // error message accordingly.
        c.UI.Output(fmt.Sprintf("OpenBao SSH: Role: %q", role))
        c.flagRole = role
    }
  • // Due to some regressions on 0.9.2 & 0.9.3 we now require version 0.9.4
    // to allow the plugin framework to default to gRPC.
    constraint, err := version.NewConstraint(">= 0.9.4")
    if err != nil {
        return true
    }

&c.

More formally, we should consider policy on what the minimum migration version is; we could say a user must come from Vault 1.14.0 series prior to moving to OpenBao (if it is not a fresh install).

/cc @naphelps This would be a good agenda item for next week.

@cipherboy cipherboy added the bug Something isn't working label May 2, 2024
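
Since the issue notes that these references are hard to find, the following is an added example (not OpenBao code and not part of the original issue) of a line scanner that flags candidates for review. The pattern names and regular expressions are assumptions modelled on the three quoted excerpts and will miss legacy paths that look different.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one source line that looks like a pre-1.0 compatibility path.
type Finding struct {
	Line       int
	Kind, Text string
}

// Heuristics modelled on the excerpts quoted in the issue (assumed, not exhaustive).
var legacyPatterns = []struct {
	kind string
	re   *regexp.Regexp
}{
	{"todo-remove-in-0.x", regexp.MustCompile(`TODO:? remove in 0\.\d+`)},
	{"version-constraint-0.x", regexp.MustCompile(`NewConstraint\("[<>=~! ]*0\.\d+`)},
	{"struct-version-lt-1", regexp.MustCompile(`\.Version\s*<\s*1\b`)},
	{"comment-mentions-0.x", regexp.MustCompile(`//.*\b0\.\d+\.\d+\b`)},
}

// ScanSource reports the first matching heuristic for each line of src.
func ScanSource(src string) []Finding {
	var out []Finding
	for i, line := range strings.Split(src, "\n") {
		for _, p := range legacyPatterns {
			if p.re.MatchString(line) {
				out = append(out, Finding{i + 1, p.kind, strings.TrimSpace(line)})
				break
			}
		}
	}
	return out
}

// Constructed sample: lines condensed from the issue's excerpts plus one negative control.
const sample = `// TODO: remove in 0.9.0, convert to validation error
if le.Version < 1 {
// Due to some regressions on 0.9.2 & 0.9.3 we now require version 0.9.4
constraint, err := version.NewConstraint(">= 0.9.4")
if cfg.Version < 10 {`

func main() {
	fmt.Printf("%+v\n", ScanSource(sample))
}
```

Every hit still needs manual review: a flagged line may guard stored data that remains reachable from the minimum supported upgrade version.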