Fix tidy-status, tidy-cancel on PR Secondaries (#17497)
* Fix tidy-status, tidy-cancel on PR Secondaries

PKI's tidy-status included a bug that prevented PR secondary nodes from
responding with the status of the running tidy operation: while the
operation constructor correctly forwarded the node on PR standby
instances, the handler itself forwarded also on PR secondary nodes.

This is incorrect as the PR secondary nodes are the active node in the
local PR cluster, and run tidy operations otherwise.

This meant that while auto-tidy and tidy operations would run, there was
no insight into the process.

When implementing tidy-cancel, tidy-status's handler logic was reused,
duplicating the bug there as well.

Signed-off-by: Alexander Scheel <[email protected]>

* Add changelog entry

Signed-off-by: Alexander Scheel <[email protected]>

Signed-off-by: Alexander Scheel <[email protected]>
cipherboy authored Oct 12, 2022
1 parent 8bf0866 commit 6cb8189
Showing 2 changed files with 3 additions and 11 deletions.
11 changes: 0 additions & 11 deletions builtin/logical/pki/path_tidy.go
Expand Up @@ -13,7 +13,6 @@ import (
"github.com/hashicorp/go-hclog"

"github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/helper/consts"
"github.com/hashicorp/vault/sdk/logical"
)

Expand Down Expand Up @@ -442,10 +441,6 @@ func (b *backend) doTidyRevocationStore(ctx context.Context, req *logical.Reques
}

func (b *backend) pathTidyCancelWrite(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
if b.System().ReplicationState().HasState(consts.ReplicationPerformanceSecondary) && !b.System().LocalMount() {
return nil, logical.ErrReadOnly
}

if atomic.LoadUint32(b.tidyCASGuard) == 0 {
resp := &logical.Response{}
resp.AddWarning("Tidy operation cannot be cancelled as none is currently running.")
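Review bot: No regression test accompanies the removal of the `ErrReadOnly` guard at the top of `pathTidyCancelWrite`; the commit touches only `path_tidy.go` and the changelog. Since the commit message says the guard was copied from tidy-status and carried the same bug, a test that calls tidy-cancel against a PR secondary's active node (for both a replicated and a local mount, the two cases the removed `!b.System().LocalMount()` condition distinguished) would keep the check from being reintroduced. A one-line comment above the `atomic.LoadUint32(b.tidyCASGuard)` check saying the handler intentionally answers locally on PR secondaries would serve the same purpose for readers.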
Expand All @@ -469,12 +464,6 @@ func (b *backend) pathTidyCancelWrite(ctx context.Context, req *logical.Request,
}

func (b *backend) pathTidyStatusRead(_ context.Context, _ *logical.Request, _ *framework.FieldData) (*logical.Response, error) {
// If this node is a performance secondary return an ErrReadOnly so that the request gets forwarded,
// but only if the PKI backend is not a local mount.
if b.System().ReplicationState().HasState(consts.ReplicationPerformanceSecondary) && !b.System().LocalMount() {
return nil, logical.ErrReadOnly
}

b.tidyStatusLock.RLock()
defer b.tidyStatusLock.RUnlock()

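Review bot: In `pathTidyStatusRead`, deleting the forwarding comment along with the guard leaves nothing in the handler explaining whose status is returned. The function reads state under `b.tidyStatusLock`, which is local to this backend instance, so a PR secondary now reports its own cluster's tidy run rather than the primary's. Suggest replacing the removed comment with one that states this, and noting in the endpoint documentation that tidy-status is per cluster, so operators monitoring auto-tidy know to query each PR secondary separately.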
3 changes: 3 additions & 0 deletions changelog/17497.txt
@@ -0,0 +1,3 @@
```release-note:bug
secrets/pki: Respond to tidy-status, tidy-cancel on PR Secondary clusters.
```
