$ vault server -dev
==> Vault server configuration:
Api Address: http://127.0.0.1:8200
Cgo: disabled
Cluster Address: https://127.0.0.1:8201
Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
Log Level: info
Mlock: supported: true, enabled: false
Storage: inmem
Version: Vault v0.11.0
Version Sha: 87492f9258e0227f3717e3883c6a8be5716bf564
WARNING! dev mode is enabled! In this mode, Vault runs entirely in-memory
and starts unsealed with a single unseal key. The root token is already
authenticated to the CLI, so you can immediately begin using Vault.
You may need to set the following environment variable:
$ export VAULT_ADDR='http://127.0.0.1:8200'
The unseal key and root token are displayed below in case you want to
seal/unseal the Vault or re-authenticate.
Unseal Key: jb6nN92xgrHvMuZfJWqsUcq7p5fAnMYdFriLUzER93g=
Root Token: 2b116ebe-2552-a0da-666d-1f28ae436d64
Development mode should NOT be used in production installations!
==> Vault server started! Log data will stream in below:
2018-08-31T16:22:34.783Z [INFO ] core: security barrier not initialized
2018-08-31T16:22:34.783Z [INFO ] core: security barrier initialized: shares=1 threshold=1
2018-08-31T16:22:34.783Z [INFO ] core: post-unseal setup starting
2018-08-31T16:22:34.798Z [INFO ] core: loaded wrapping token key
2018-08-31T16:22:34.798Z [INFO ] core: successfully setup plugin catalog: plugin-directory=
2018-08-31T16:22:34.798Z [INFO ] core: no mounts; adding default mount table
2018-08-31T16:22:34.799Z [INFO ] core: successfully mounted backend: type=kv path=secret/
2018-08-31T16:22:34.800Z [INFO ] core: successfully mounted backend: type=cubbyhole path=cubbyhole/
2018-08-31T16:22:34.800Z [INFO ] core: successfully mounted backend: type=system path=sys/
2018-08-31T16:22:34.800Z [INFO ] core: successfully mounted backend: type=identity path=identity/
2018-08-31T16:22:34.801Z [INFO ] core: restoring leases
2018-08-31T16:22:34.803Z [INFO ] rollback: starting rollback manager
2018-08-31T16:22:34.804Z [INFO ] expiration: lease restore complete
2018-08-31T16:22:34.805Z [INFO ] identity: entities restored
2018-08-31T16:22:34.805Z [INFO ] identity: groups restored
2018-08-31T16:22:34.805Z [INFO ] core: post-unseal setup complete
2018-08-31T16:22:34.805Z [INFO ] core: root token generated
2018-08-31T16:22:34.805Z [INFO ] core: pre-seal teardown starting
2018-08-31T16:22:34.805Z [INFO ] core: cluster listeners not running
2018-08-31T16:22:34.805Z [INFO ] rollback: stopping rollback manager
2018-08-31T16:22:34.805Z [INFO ] core: pre-seal teardown complete
2018-08-31T16:22:34.805Z [INFO ] core: vault is unsealed
2018-08-31T16:22:34.805Z [INFO ] core: post-unseal setup starting
2018-08-31T16:22:34.805Z [INFO ] core: loaded wrapping token key
2018-08-31T16:22:34.805Z [INFO ] core: successfully setup plugin catalog: plugin-directory=
2018-08-31T16:22:34.806Z [INFO ] core: successfully mounted backend: type=kv path=secret/
2018-08-31T16:22:34.806Z [INFO ] core: successfully mounted backend: type=system path=sys/
2018-08-31T16:22:34.807Z [INFO ] core: successfully mounted backend: type=identity path=identity/
2018-08-31T16:22:34.807Z [INFO ] core: successfully mounted backend: type=cubbyhole path=cubbyhole/
2018-08-31T16:22:34.807Z [INFO ] core: restoring leases
2018-08-31T16:22:34.807Z [INFO ] rollback: starting rollback manager
2018-08-31T16:22:34.808Z [INFO ] identity: entities restored
2018-08-31T16:22:34.808Z [INFO ] identity: groups restored
2018-08-31T16:22:34.808Z [INFO ] core: post-unseal setup complete
2018-08-31T16:22:34.808Z [INFO ] expiration: lease restore complete
2018-08-31T16:22:34.808Z [INFO ] core: mount tuning of options: path=secret/ options=map[version:2]
2018-08-31T16:22:34.809Z [INFO ] secrets.kv.kv_483e792c: collecting keys to upgrade
2018-08-31T16:22:34.809Z [INFO ] secrets.kv.kv_483e792c: done collecting keys: num_keys=1
2018-08-31T16:22:34.809Z [INFO ] secrets.kv.kv_483e792c: upgrading keys finished
2018-08-31T16:30:06.522Z [INFO ] core: successful mount: path=kv/ type=kv
2018-08-31T16:30:06.522Z [INFO ] secrets.kv.kv_cfa3e574: collecting keys to upgrade
2018-08-31T16:30:06.522Z [INFO ] secrets.kv.kv_cfa3e574: done collecting keys: num_keys=1
2018-08-31T16:30:06.522Z [INFO ] secrets.kv.kv_cfa3e574: upgrading keys finished
2018-08-31T16:30:19.793Z [INFO ] core: successfully unmounted: path=kv/
2018-08-31T16:30:31.870Z [INFO ] core: successful mount: path=kv/ type=kv
2018-08-31T16:30:31.871Z [INFO ] secrets.kv.kv_846b15dc: collecting keys to upgrade
2018-08-31T16:30:31.873Z [INFO ] secrets.kv.kv_846b15dc: done collecting keys: num_keys=1
2018-08-31T16:30:31.873Z [INFO ] secrets.kv.kv_846b15dc: upgrading keys finished
2018-08-31T16:32:29.616Z [INFO ] core: mount tuning of options: path=kv/ options=map[max_version:3]
Expected Behavior:
I want to change max_version of a version 2 kv secret engine. If I have used a wrong command, Vault should return an error or ignore the arguments.
Actual Behavior:
It deleted all data for a secret engine in a path. Changed from version 2 to version 1 kv engine.
Found that to tune the configuration of kv engine for version 2:
$ vault write kv/config max_versions=4
Success! Data written to: kv/config
Steps to Reproduce:
$ vault secrets enable -version=2 kv
Success! Enabled the kv secrets engine at: kv/
$ vault kv put kv/something v=1
Key Value
--- -----
created_time 2018-08-31T16:31:14.079225482Z
deletion_time n/a
destroyed false
version 1
$ vault kv put kv/something v=2
Key Value
--- -----
created_time 2018-08-31T16:31:20.353116305Z
deletion_time n/a
destroyed false
version 2
$ vault kv get -version=1 kv/something
====== Metadata ======
Key Value
--- -----
created_time 2018-08-31T16:31:14.079225482Z
deletion_time n/a
destroyed false
version 1
== Data ==
Key Value
--- -----
v 1
$ vault secrets tune -options=max_version=3 /kv
Success! Tuned the secrets engine at: kv/
$ vault kv get -version=1 kv/something
No value found at kv/something
$ vault kv metadata get kv/
Metadata not supported on KV Version 1
Important Factoids:
Using vagrant ubuntu/bionic64.
Vagrant Installed Version: 2.1.2
Vagrant Latest Version: 2.1.4
Issue still persists in non vagrant environments
I looked at logical_system and don't think the tune function is actually the right place to handle this, because doing so would essentially lock the "version" field to the kv plugin. If possible, I think on creation kv plugin should try to check what mode it's currently in, then evaluate what to do based on the option value, with anything other than 1 or 2 meaning "don't change anything at all", and if the current version can't be determined, error.
Less ideal I guess would be to put a default case into the switch statement in the kv factory (which really should probably be there anyways) and bail on anything not 1 or 2, but I think if it's not acting as a plugin then it might? cause Vault not to postunseal?
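The guard proposed in the comment above, sketched in Go as an added example (not Vault's source and not the commenter's code). `naiveVersion` is a simplified model of the reported behaviour, where the options map logged after the tune call, `map[max_version:3]`, carries no `version` key and the mount ends up as version 1. The function names, the `current` parameter and the refusal of a 2-to-1 downgrade are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

var (
	errUnknownVersion = errors.New("kv: current version cannot be determined")
	errDowngrade      = errors.New("kv: refusing to switch a version 2 mount to version 1")
)

// naiveVersion models the reported behaviour: a missing "version" option
// silently selects version 1, even on a mount that was running version 2.
func naiveVersion(options map[string]string) string {
	if options["version"] == "2" {
		return "2"
	}
	return "1"
}

// resolveKVVersion is a hypothetical guard. current is the mode the mount
// already runs in ("1", "2", or "" if unknown); options is the new options map.
func resolveKVVersion(current string, options map[string]string) (string, error) {
	requested := options["version"]
	if requested != "1" && requested != "2" {
		// Anything other than 1 or 2 means "don't change anything at all".
		if current != "1" && current != "2" {
			return "", errUnknownVersion
		}
		return current, nil
	}
	if current == "2" && requested == "1" {
		// Assumption: a downgrade is refused rather than applied.
		return current, errDowngrade
	}
	return requested, nil
}

func main() {
	// Options map as logged after the tune call in the report (constructed here).
	tuned := map[string]string{"max_version": "3"}
	fmt.Println("naive:", naiveVersion(tuned))
	v, err := resolveKVVersion("2", tuned)
	fmt.Println("guarded:", v, err)
}
```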
Environment:
Distributor ID: Ubuntu
Description: Ubuntu 18.04.1 LTS
Release: 18.04
Codename: bionic
Vault v0.11.0 ('87492f9258e0227f3717e3883c6a8be5716bf564')
Vault Config File:
server dev mode