auth/aws: Make disallow_reauthentication and allow_instance_migration mutually exclusive #3291
I was browsing through the Vault docs and source code (as I am wont to do...) and realized this was a small thing.
The semantics of disallow_reauthentication and allow_instance_migration are mutually exclusive; the former says to never allow reauthentication while the latter says to relax the conditions under which you allow reauthentication. disallow_reauthentication takes precedence upon login time, but it is probably better UX to call out to users at role CRUD time that the role they are creating has contradictory semantics.
The specific way I'm doing this could cause backwards incompatibilities, both in scripts that create/update roles as well as breaking the ability to modify existing roles with both of these set to true. I'm not sure how big of a deal it would be. Instead of erroring out, I could just return a warning and set allow_instance_migration to false; I could also add in code that detects both of these being set to true in an existing role and sets allow_instance_migration to false so I don't break existing roles. For the time being, I went with the simpler approach and would appreciate your feedback on the best way to handle this.
I'm also throwing in some typo fixes in docs from a previous PR :)
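To make the two options discussed above concrete, here is an added illustration (not Vault's code, and not part of this PR) of the strict check the PR proposes next to the lenient alternative it floats; `awsRole`, `validateStrict`, `normalizeLenient` and `upgradeExistingRoles` are hypothetical names, and the role struct is trimmed to the two flags in question.

```go
package main

import (
	"errors"
	"fmt"
)

// awsRole is a hypothetical stand-in for the AWS auth role, reduced to the
// two flags whose combination the PR is about.
type awsRole struct {
	DisallowReauthentication bool
	AllowInstanceMigration   bool
}

// ErrContradictoryRole is returned by the strict check when both flags are true.
var ErrContradictoryRole = errors.New(
	"disallow_reauthentication and allow_instance_migration are mutually exclusive")

// validateStrict is the approach the PR takes: refuse the role write outright.
func validateStrict(r awsRole) error {
	if r.DisallowReauthentication && r.AllowInstanceMigration {
		return ErrContradictoryRole
	}
	return nil
}

// normalizeLenient is the alternative from the description: keep the stricter
// flag, clear allow_instance_migration, and report a warning. Since
// disallow_reauthentication already wins at login time, effective behaviour
// is unchanged; only the stored role becomes internally consistent.
func normalizeLenient(r awsRole) (awsRole, []string) {
	var warnings []string
	if r.DisallowReauthentication && r.AllowInstanceMigration {
		r.AllowInstanceMigration = false
		warnings = append(warnings,
			"allow_instance_migration set to false because disallow_reauthentication is true")
	}
	return r, warnings
}

// upgradeExistingRoles applies the lenient normalization to roles written
// before the check existed, so they keep loading; returns how many changed.
func upgradeExistingRoles(roles map[string]awsRole) (map[string]awsRole, int) {
	out, fixed := make(map[string]awsRole, len(roles)), 0
	for name, r := range roles {
		nr, w := normalizeLenient(r)
		if len(w) > 0 {
			fixed++
		}
		out[name] = nr
	}
	return out, fixed
}

func main() {
	// Constructed sample: a role with both flags set (the contradictory case).
	bad := awsRole{DisallowReauthentication: true, AllowInstanceMigration: true}
	fmt.Println("strict:", validateStrict(bad))
	fixed, warn := normalizeLenient(bad)
	fmt.Println("lenient:", fixed, warn)
}
```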