Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Vault 18005 plugin api lock status #21925

Merged
merged 7 commits into from
Jul 31, 2023
Merged

Conversation

ccapurso
Copy link
Contributor

@ccapurso ccapurso commented Jul 18, 2023

The KMIP plugin starts its own listener for which requests are not routed through Vault. Requests to this listener are not subjected to API locking if the KMIP mount resides within a namespace that has been locked. This PR introduces the ability, via the ExtendedSystemView for a plugin to determine if requests to it should be blocked based on the lock status of the namespace within it resides. A separate ENT PR will be opened that adds tests as they will require namespace functionality.

@github-actions github-actions bot added the hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed label Jul 18, 2023
@github-actions
Copy link

CI Results:

All Go tests passed! ✅

@ccapurso ccapurso requested review from cipherboy and ncabatoff July 18, 2023 19:33
Copy link
Contributor

@victorr victorr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These changes look good to me.

Please note I am not very familiar with gRPC.

@ccapurso ccapurso marked this pull request as ready for review July 19, 2023 18:47
@ccapurso ccapurso requested a review from a team July 19, 2023 18:47
@ccapurso ccapurso added this to the 1.14.1 milestone Jul 19, 2023
@ccapurso ccapurso force-pushed the vault-18005-plugin-api-lock-status branch from 169bf95 to 24ec8a8 Compare July 19, 2023 18:51
@github-actions
Copy link

Build Results:
All builds succeeded! ✅

@ccapurso ccapurso modified the milestones: 1.14.1, triaged Jul 20, 2023
Copy link
Contributor

@mpalmi mpalmi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Discussed some minor reservations out-of-band relating to the extra boolean abstraction. The design choice was intentionally made to provide a more straightforward method for the caller to consume.

Presumably the StaticSystemView changes are for testing, which was my only other reservation, so I'm going to go ahead and give this a +1.

}
ns := mountEntry.Namespace()

if err := enterpriseBlockRequestIfError(e.core, ns.Path, mountEntry.Path); err != nil {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My only concern with this PR was (I think) that this code was previously only being called with the stateLock held, i.e. as part of regular request handling. Now we're calling it without that lock. From what I can tell that won't be a problem, just calling it out so you're aware, in case it helps with potential future issues.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah right, I forgot about the fact that all locks grab a read lock. The API Lock system has its own lock which is obtained through underlying calls of enterpriseBlockRequestIfError. With that said, I'm not sure if there would be any issue caused by not holding the stateLock. I could easily be missing something though.

@ccapurso ccapurso modified the milestones: triaged, 1.14.2 Jul 31, 2023
@ccapurso ccapurso merged commit c040f90 into main Jul 31, 2023
@ccapurso ccapurso deleted the vault-18005-plugin-api-lock-status branch July 31, 2023 16:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants