1 error occurred: * alias was not indexed

[decryptus]

Describe the bug
Hi,
When I try to delete a specific entity alias, I have this error:
1 error occurred: * alias was not indexed

No problem with others entities aliases.

To Reproduce
Steps to reproduce the behavior:

1. vault delete identity/entity-alias/id/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
   Error deleting identity/entity-alias/id/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx: Error making API request.

URL: DELETE https://[host]/v1/identity/entity-alias/id/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Code: 500. Errors:

• 1 error occurred:

• alias was not indexed

Expected behavior
Delete this alias.

Environment:

• Vault Server Version (retrieve with vault status): 1.11.1
• Vault CLI Version (retrieve with vault version): Vault v0.10.3
• Server Operating System/Architecture: Linux

Vault server configuration file(s):

{
    "cluster_name": "xxx",
    "ui": "true",
    "listener": {
        "tcp": {
            "address": "xxx:8200",
            "cluster_address": "xxx:8201",
            "tls_disable": "true"
        }
    },
    "storage": {
        "s3": {}
    },
    "ha_storage": {
        "dynamodb": {
            "ha_enabled": "true",
            "table": "xxxxxxx"
    	}
    },
    "default_lease_ttl": "168h",
    "max_lease_ttl": "720h"
}

[vishalnayak]

@decryptus Hi there, I have been unable to reproduce this issue. Is there by any chance you have a way to surface this issue? Are you seeing this problem regularly?

[alexandernst]

I was just hit by the same issue.

Edit: this happens when I try to delete the single alias that my entity has.

[jefferai]

@alexandernst Can you provide any details about how you got into that state? I'm not able to reproduce either:

$ vault auth enable userpass
Success! Enabled userpass auth method at: userpass/

$ vault write auth/userpass/users/jeff password=1234
Success! Data written to: auth/userpass/users/jeff

$ vault login -method=userpass username=jeff password=1234
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                    Value
---                    -----
token                  5tJndAqgeWmX83QTQD0I9OFj
token_accessor         4hbJED0mXVZ36mnGjRX4yU3A
token_duration         768h
token_renewable        true
token_policies         ["default"]
identity_policies      []
policies               ["default"]
token_meta_username    jeff

$ vault login root
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                  Value
---                  -----
token                root
token_accessor       2iJiKrZcUyKNlbZr1wQDw9Bt
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"]

$ vault token lookup 5tJndAqgeWmX83QTQD0I9OFj
Key                 Value
---                 -----
accessor            4hbJED0mXVZ36mnGjRX4yU3A
creation_time       1539614914
creation_ttl        768h
display_name        userpass-jeff
entity_id           21ee757a-c573-2f77-f6b5-15735266b13b
expire_time         2018-11-16T09:48:34.52458142-05:00
explicit_max_ttl    0s
id                  5tJndAqgeWmX83QTQD0I9OFj
issue_time          2018-10-15T10:48:34.524580694-04:00
meta                map[username:jeff]
num_uses            0
orphan              true
path                auth/userpass/login/jeff
policies            [default]
renewable           true
ttl                 767h59m47s

$ vault write identity/lookup/entity id=21ee757a-c573-2f77-f6b5-15735266b13b
Key                    Value
---                    -----
aliases                [map[merged_from_canonical_ids:<nil> mount_accessor:auth_userpass_7c159c29 mount_type:userpass name:jeff canonical_id:21ee757a-c573-2f77-f6b5-15735266b13b creation_time:2018-10-15T14:48:24.779123281Z id:19f8cf50-a3ec-3983-c6b0-7cfe546753cf last_update_time:2018-10-15T14:48:24.779123281Z metadata:<nil> mount_path:auth/userpass/]]
creation_time          2018-10-15T14:48:24.779113653Z
direct_group_ids       []
disabled               false
group_ids              []
id                     21ee757a-c573-2f77-f6b5-15735266b13b
inherited_group_ids    []
last_update_time       2018-10-15T14:48:24.779113653Z
merged_entity_ids      <nil>
metadata               <nil>
name                   entity_ad937955
policies               <nil>

$ vault delete identity/entity-alias/id/19f8cf50-a3ec-3983-c6b0-7cfe546753cf
Success! Data deleted (if it existed) at: identity/entity-alias/id/19f8cf50-a3ec-3983-c6b0-7cfe546753cf

$ vault write identity/lookup/entity id=21ee757a-c573-2f77-f6b5-15735266b13b
Key                    Value
---                    -----
aliases                []
creation_time          2018-10-15T14:48:24.779113653Z
direct_group_ids       []
disabled               false
group_ids              []
id                     21ee757a-c573-2f77-f6b5-15735266b13b
inherited_group_ids    []
last_update_time       2018-10-15T14:48:24.779113653Z
merged_entity_ids      <nil>
metadata               <nil>
name                   entity_ad937955
policies               <nil>

[decryptus]

Hi,
sorry for the late answer.
My problem occurred after an vault upgrade from 0.8.3 to 0.11.1.

entity and entity alias have been automatically created but the alias was missing for only one userpass.

		if aliasToBeRemoved == nil {
			return fmt.Errorf("alias was not indexed")
		}

I patched vault and replaced return by continue to be able to delete entity and entity alias for this userpass.

[alexandernst]

@jefferai I did all the operations from the Web UI

[jefferai]

@vishalnayak from what @decryptus said I can easily imagine there is an old bug that caused some bad entries -- probably that error return should be changed to a warning and continue.

[vishalnayak]

Makes sense. I'll make that change.