backport of commit 6cb8189 (#17505)

Co-authored-by: Alexander Scheel <[email protected]>
hashicorp · Oct 12, 2022 · a141f4b · a141f4b
1 parent 518baaf
commit a141f4b
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 11 deletions.
diff --git a/builtin/logical/pki/path_tidy.go b/builtin/logical/pki/path_tidy.go
@@ -13,7 +13,6 @@ import (
 	"github.com/hashicorp/go-hclog"
 
 	"github.com/hashicorp/vault/sdk/framework"
-	"github.com/hashicorp/vault/sdk/helper/consts"
 	"github.com/hashicorp/vault/sdk/logical"
 )
 
@@ -442,10 +441,6 @@ func (b *backend) doTidyRevocationStore(ctx context.Context, req *logical.Reques
 }
 
 func (b *backend) pathTidyCancelWrite(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
-	if b.System().ReplicationState().HasState(consts.ReplicationPerformanceSecondary) && !b.System().LocalMount() {
-		return nil, logical.ErrReadOnly
-	}
-
 	if atomic.LoadUint32(b.tidyCASGuard) == 0 {
 		resp := &logical.Response{}
 		resp.AddWarning("Tidy operation cannot be cancelled as none is currently running.")
@@ -469,12 +464,6 @@ func (b *backend) pathTidyCancelWrite(ctx context.Context, req *logical.Request,
 }
 
 func (b *backend) pathTidyStatusRead(_ context.Context, _ *logical.Request, _ *framework.FieldData) (*logical.Response, error) {
-	// If this node is a performance secondary return an ErrReadOnly so that the request gets forwarded,
-	// but only if the PKI backend is not a local mount.
-	if b.System().ReplicationState().HasState(consts.ReplicationPerformanceSecondary) && !b.System().LocalMount() {
-		return nil, logical.ErrReadOnly
-	}
-
 	b.tidyStatusLock.RLock()
 	defer b.tidyStatusLock.RUnlock()
 

diff --git a/changelog/17497.txt b/changelog/17497.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+secrets/pki: Respond to tidy-status, tidy-cancel on PR Secondary clusters.
+```