
MFA TOTP is deleted after vault restart #15108

Closed
hennadii2012 opened this issue Apr 21, 2022 · 5 comments
Labels
auth/mfa bug Used to indicate a potential bug secret/totp

Comments


hennadii2012 commented Apr 21, 2022

Describe the bug
For Vault SSO 1.10.0 in Docker, the MFA TOTP method is deleted after restarting all nodes in the Raft cluster.

To Reproduce
Steps to reproduce the behavior:

  1. Run curl --header "X-Vault-Token: $VAULT_TOKEN" --request POST --data @issuer.json ${VAULT_ADDR}/v1/identity/mfa/method/totp
     Content of issuer.json:
     ```json
     {
       "issuer": "vault",
       "algorithm": "SHA512"
     }
     ```

  2. Run docker stop vault-container-name on all three nodes of the Raft cluster.

  3. Run docker start vault-container-name on all three nodes of the Raft cluster.

  4. Run curl --header "X-Vault-Token: $VAULT_TOKEN" --request LIST ${VAULT_ADDR}/v1/identity/mfa/method/totp. It returns nothing, but it must return the method from the first step.

Expected behavior
The method from the first step is returned after the restarts.

Environment:

  • Vault Server Version 1.10.0
  • Vault CLI Version 1.10.0
  • Server Operating System/Architecture: docker (vault:1.10.0) on ubuntu 20.04

Vault server configuration file(s):

```hcl
storage "raft" {
  path    = "/vault/file"
  node_id = "vault1"

  retry_join {
    leader_tls_servername   = "vault1.example.com"
    leader_api_addr         = "https://vault1.example.com:8200"
    leader_ca_cert_file     = "/opt/vault/tls/vault-ca.pem"
    leader_client_cert_file = "/opt/vault/tls/vault-cert.pem"
    leader_client_key_file  = "/opt/vault/tls/vault-key.pem"
  }
  retry_join {
    leader_tls_servername   = "vault2.example.com"
    leader_api_addr         = "https://vault2.example.com:8200"
    leader_ca_cert_file     = "/opt/vault/tls/vault-ca.pem"
    leader_client_cert_file = "/opt/vault/tls/vault-cert.pem"
    leader_client_key_file  = "/opt/vault/tls/vault-key.pem"
  }
  retry_join {
    leader_tls_servername   = "vault3.example.com"
    leader_api_addr         = "https://vault3.example.com:8200"
    leader_ca_cert_file     = "/opt/vault/tls/vault-ca.pem"
    leader_client_cert_file = "/opt/vault/tls/vault-cert.pem"
    leader_client_key_file  = "/opt/vault/tls/vault-key.pem"
  }
}
listener "tcp" {
  address            = "0.0.0.0:8200"
  cluster_addr       = "0.0.0.0:8201"
  tls_cert_file      = "/opt/vault/tls/vault-cert.pem"
  tls_key_file       = "/opt/vault/tls/vault-key.pem"
  tls_client_ca_file = "/opt/vault/tls/vault-ca.pem"
}
api_addr          = "https://vault1.example.com:8200"
cluster_addr      = "https://vault1.example.com:8201"
ui                = true
disable_mlock     = true
default_lease_ttl = "168h"
max_lease_ttl     = "720h"
log_level         = "Error"
seal "gcpckms" {
  credentials = "/opt/vault/creds.json"
  project     = "project_name"
  region      = "global"
  key_ring    = "keyring"
  crypto_key  = "key-ring"
}
```

hennadii2012 commented Apr 26, 2022

The same problem occurs with version 1.10.1.


danackerson commented Apr 30, 2022

And still a problem with version 1.10.2. The corresponding login enforcements are also deleted (which makes sense, as the MFA method can't be deleted as long as it's in use).

@heatherezell heatherezell added the bug Used to indicate a potential bug label May 2, 2022
ncabatoff added a commit that referenced this issue May 3, 2022
ncabatoff (Collaborator) commented

Hi @hennadii2012,

Thanks for reporting this issue, sorry it took us a while to respond. We're working on a fix and should have a new release out soon. Note that the methods/enforcements aren't actually deleted, they're just not being loaded at startup, so after upgrading to a release with a fix, you may find you have duplicate methods/enforcements.
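The reproduction steps in the issue and the duplicate-entries caveat above both come down to the same check: record which TOTP methods and login enforcements Vault lists before a restart, confirm the same IDs come back afterwards, and, after upgrading to a fixed release, look for methods that were re-created with identical configuration. The script below is an added example written for this page, not code from Vault or from anyone in this thread. It assumes VAULT_ADDR and VAULT_TOKEN are set as in the reporter's curl commands, optionally VAULT_CACERT for the cluster's CA (for example /opt/vault/tls/vault-ca.pem), that the token may LIST and read identity/mfa/method/totp and LIST identity/mfa/login-enforcement, and that "same method" means agreement on the issuer, algorithm, digits, period and key_size fields of the method's read response (that field choice is an assumption; adjust it for your deployment).

```python
"""Snapshot Vault Identity MFA state across a restart and flag duplicates.

Added example, not Vault's own code. Assumes VAULT_ADDR and VAULT_TOKEN in the
environment (as in the issue), optionally VAULT_CACERT, and that the token may
LIST/READ identity/mfa/method/totp and LIST identity/mfa/login-enforcement.
"""
import json
import os
import ssl
import sys
import urllib.error
import urllib.request


def vault_request(addr, token, http_method, path, cafile=None):
    """Call the Vault HTTP API and return the parsed JSON body.

    Vault answers an empty LIST (and an unknown path) with HTTP 404 and no
    body, which is exactly what the reporter saw after the restart, so that
    case becomes an empty dict instead of an exception.
    """
    req = urllib.request.Request(f"{addr.rstrip('/')}/v1/{path}", method=http_method,
                                 headers={"X-Vault-Token": token})
    ctx = ssl.create_default_context(cafile=cafile) if cafile else None
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return {}
        raise


def list_keys(response_json):
    """Key names from a LIST response ({"data": {"keys": [...]}}); [] when empty."""
    return sorted((response_json.get("data") or {}).get("keys") or [])


def snapshot(addr, token, cafile=None):
    """Every TOTP method ID and login-enforcement name visible right now."""
    return {
        "totp_methods": list_keys(vault_request(addr, token, "LIST", "identity/mfa/method/totp", cafile)),
        "login_enforcements": list_keys(vault_request(addr, token, "LIST", "identity/mfa/login-enforcement", cafile)),
    }


def missing_after_restart(before, after):
    """Per kind, the entries seen before the restart that no longer show up."""
    return {kind: sorted(set(ids) - set(after.get(kind, []))) for kind, ids in before.items()}


# Assumption: two TOTP methods that agree on these fields are the same method re-created.
DUPLICATE_KEY = ("issuer", "algorithm", "digits", "period", "key_size")


def duplicate_methods(configs):
    """Group method IDs whose read config agrees on DUPLICATE_KEY; keep groups of 2+.

    `configs` maps method ID -> the "data" dict returned by reading the method.
    """
    groups = {}
    for method_id, cfg in configs.items():
        groups.setdefault(tuple(cfg.get(f) for f in DUPLICATE_KEY), []).append(method_id)
    return {key: sorted(ids) for key, ids in groups.items() if len(ids) > 1}


def read_totp_configs(addr, token, method_ids, cafile=None):
    """Read each TOTP method so its configuration can be compared."""
    return {m: vault_request(addr, token, "GET", f"identity/mfa/method/totp/{m}", cafile).get("data") or {}
            for m in method_ids}


def main(argv):
    addr, token = os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"]
    cafile = os.environ.get("VAULT_CACERT")  # e.g. /opt/vault/tls/vault-ca.pem
    snap_file = argv[2] if len(argv) > 2 else "mfa-snapshot.json"  # hypothetical default path
    if argv[1:2] == ["before"]:
        with open(snap_file, "w") as fh:
            json.dump(snapshot(addr, token, cafile), fh)
        return 0
    if argv[1:2] == ["after"]:
        with open(snap_file) as fh:
            before = json.load(fh)
        after = snapshot(addr, token, cafile)
        missing = missing_after_restart(before, after)
        dupes = duplicate_methods(read_totp_configs(addr, token, after["totp_methods"], cafile))
        for kind, lost in missing.items():
            print(f"{kind}: {len(before[kind])} before, {len(after[kind])} after, missing {lost}")
        for key, ids in dupes.items():
            print(f"duplicate TOTP methods {ids} share config {dict(zip(DUPLICATE_KEY, key))}")
        return 1 if any(missing.values()) or dupes else 0
    print(f"usage: {argv[0]} before|after [snapshot.json]", file=sys.stderr)
    return 2


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with `before` prior to stopping the containers and with `after` once all nodes are unsealed again; a non-zero exit means either something from the snapshot is no longer listed (the bug in this issue) or the same TOTP configuration now exists under more than one method ID (the state ncabatoff warns about after upgrading to a fixed release). The missing-entry check is what steps 1 and 4 of the report do by hand, extended to login enforcements because those disappear together with the method.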

hennadii2012 (Author) commented

Hi @ncabatoff,
Thank you for the information. I hope the fix will solve the problem.

hennadii2012 (Author) commented

The problem is fixed in version 10.0.3

4 participants