From 2c6f09a5c9da216ab74e37e74121d4cdeef420b0 Mon Sep 17 00:00:00 2001
From: Mike Palmiotto
Date: Fri, 30 Sep 2022 09:23:01 -0400
Subject: [PATCH] core: Parse VAULT_ALLOW_PENDING_REMOVAL_MOUNTS as bool (#17319) (#17365)
* docs: Update VAULT_ALLOW_PENDING_REMOVAL_MOUNTS doc
---
 command/server.go | 11 +++++++++++
 vault/mount.go | 4 +++-
 website/content/docs/commands/server.mdx | 2 +-
 3 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/command/server.go b/command/server.go
index a75ea0b5b076..627df00baf6d 100644
--- a/command/server.go
+++ b/command/server.go
@@ -40,6 +40,7 @@ import (
 vaulthttp "github.com/hashicorp/vault/http"
 "github.com/hashicorp/vault/internalshared/configutil"
 "github.com/hashicorp/vault/internalshared/listenerutil"
+ "github.com/hashicorp/vault/sdk/helper/consts"
 "github.com/hashicorp/vault/sdk/helper/jsonutil"
 "github.com/hashicorp/vault/sdk/helper/logging"
 "github.com/hashicorp/vault/sdk/helper/strutil"
@@ -1266,6 +1267,16 @@ func (c *ServerCommand) Run(args []string) int {
 }
 }
 
+ if allowPendingRemoval := os.Getenv(consts.VaultAllowPendingRemovalMountsEnv); allowPendingRemoval != "" {
+ var err error
+ vault.PendingRemovalMountsAllowed, err = strconv.ParseBool(allowPendingRemoval)
+ if err != nil {
+ c.UI.Warn(wrapAtLength("WARNING! failed to parse " +
+ consts.VaultAllowPendingRemovalMountsEnv + " env var: " +
+ "defaulting to false."))
+ }
+ }
+
 // If mlockall(2) isn't supported, show a warning. We disable this in dev
 // because it is quite scary to see when first using Vault. We also disable
 // this if the user has explicitly disabled mlock in configuration.
diff --git a/vault/mount.go b/vault/mount.go
index 161b481de3a4..bb6421873698 100644
--- a/vault/mount.go
+++ b/vault/mount.go
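Review bot: The `err != nil` branch of the block added to `ServerCommand.Run` discards both `err` and the rejected value, so an operator whose existing setting no longer parses sees only a generic warning while pending-removal mounts are refused. Any non-empty value used to enable the override and only strings accepted by `strconv.ParseBool` do now, so the message should carry the cause, for example `consts.VaultAllowPendingRemovalMountsEnv + " env var: " + err.Error() + "; defaulting to false."))`. The fail-closed outcome depends on `ParseBool` returning `false` together with the error, which deserves a comment such as `// ParseBool yields false on error, so a malformed value keeps pending-removal mounts blocked`. `Run` starts and ends outside this hunk.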
@@ -104,6 +104,8 @@ var ( // mountAliases maps old backend names to new backend names, allowing us // to move/rename backends but maintain backwards compatibility mountAliases = map[string]string{"generic": "kv"} + + PendingRemovalMountsAllowed = false ) func (c *Core) generateMountAccessor(entryType string) (string, error) { @@ -960,7 +962,7 @@ func (c *Core) handleDeprecatedMountEntry(ctx context.Context, entry *MountEntry case consts.PendingRemoval: dl.Error(errDeprecatedMount.Error()) - if allow := os.Getenv(consts.VaultAllowPendingRemovalMountsEnv); allow == "" { + if !PendingRemovalMountsAllowed { return nil, fmt.Errorf("could not mount %q: %w", t, errDeprecatedMount) } resp.AddWarning(errDeprecatedMount.Error()) diff --git a/website/content/docs/commands/server.mdx b/website/content/docs/commands/server.mdx index 33aaad6aa0ff..644778bc8667 100644 --- a/website/content/docs/commands/server.mdx +++ b/website/content/docs/commands/server.mdx @@ -60,7 +60,7 @@ flags](/docs/commands) included on all commands. are "standard" and "json". This can also be specified via the VAULT_LOG_FORMAT environment variable. -- `VAULT_ALLOW_PENDING_REMOVAL_MOUNTS` `(string: "")` - (environment variable) +- `VAULT_ALLOW_PENDING_REMOVAL_MOUNTS` `(bool: false)` - (environment variable) Allow Vault to be started with builtin engines which have the `Pending Removal` deprecation state. This is a temporary stopgap in place in order to perform an upgrade and disable these engines. Once these engines are marked `Removed` (in
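Review bot: `PendingRemovalMountsAllowed` in the `var (` block is an exported, mutable package-level variable with no doc comment, and it now decides whether `handleDeprecatedMountEntry` (second hunk, the `if !PendingRemovalMountsAllowed` check) refuses a `PendingRemoval` mount. Any package importing `vault` can flip it and every `Core` in the process shares it, so tests or embedders that build more than one core cannot set the policy per instance and may race on it; nothing visible here synchronises the write in `command/server.go` with reads at mount time. Consider carrying the setting on the core's configuration, or at least keeping the variable unexported behind a setter. If it stays as is, document it with `// PendingRemovalMountsAllowed reports whether builtins in the Pending Removal state may still be mounted; it is set in ServerCommand.Run from VAULT_ALLOW_PENDING_REMOVAL_MOUNTS.` Both the `var` block and `handleDeprecatedMountEntry` extend beyond their hunks.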