diff --git a/changelog/13476.txt b/changelog/13476.txt
new file mode 100644
index 000000000000..d5b8af05729c
--- /dev/null
+++ b/changelog/13476.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core/identity: Address a data race condition between local updates to aliases and invalidations
+```
diff --git a/vault/identity_store.go b/vault/identity_store.go
index f948771fc55c..96643170d820 100644
--- a/vault/identity_store.go
+++ b/vault/identity_store.go
@@ -751,7 +751,7 @@ func (i *IdentityStore) CreateOrFetchEntity(ctx context.Context, alias *logical.
 	}
 
 	// Check if an entity already exists for the given alias
-	entity, err = i.entityByAliasFactors(alias.MountAccessor, alias.Name, false)
+	entity, err = i.entityByAliasFactors(alias.MountAccessor, alias.Name, true)
 	if err != nil {
 		return nil, err
 	}
@@ -838,8 +838,7 @@ func (i *IdentityStore) CreateOrFetchEntity(ctx context.Context, alias *logical.
 	}
 
 	txn.Commit()
-
-	return entity, nil
+	return entity.Clone()
 }
 
 // changedAliasIndex searches an entity for changed alias metadata.
diff --git a/vault/identity_store_util.go b/vault/identity_store_util.go
index 4bd9cf402b7d..48716050ea86 100644
--- a/vault/identity_store_util.go
+++ b/vault/identity_store_util.go
@@ -695,7 +695,7 @@ func (i *IdentityStore) processLocalAlias(ctx context.Context, lAlias *logical.A
 		return nil, fmt.Errorf("mount accessor %q is not local", lAlias.MountAccessor)
 	}
 
-	alias, err := i.MemDBAliasByFactors(lAlias.MountAccessor, lAlias.Name, true, false)
+	alias, err := i.MemDBAliasByFactors(lAlias.MountAccessor, lAlias.Name, false, false)
 	if err != nil {
 		return nil, err
 	}
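Review bot: The flipped third argument in `entity, err = i.entityByAliasFactors(alias.MountAccessor, alias.Name, true)` is a bare boolean literal, so nothing at the call site tells a reader why the lookup result now differs from before; the same applies to the `MemDBAliasByFactors(lAlias.MountAccessor, lAlias.Name, false, false)` change in the identity_store_util.go hunk. If the third parameter is the clone flag, as the change's effect suggests, a one-line comment above the call such as `// Fetch a copy: the entity is returned to the caller and must not alias the MemDB-owned object (see changelog 13476)` would record the intent the changelog describes, or the literal could be named (`const clone = true`) so the later reads are self-explanatory. CreateOrFetchEntity starts before and continues after this hunk, so I cannot see whether the entity is mutated between here and the commit.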
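Review bot: `return entity.Clone()` runs after `txn.Commit()`, so a failure inside Clone makes the caller see an error for an entity that has already been persisted to MemDB, and the error arrives without any context saying so. Splitting the call lets the error say what happened: `clone, err := entity.Clone()` / `if err != nil { return nil, fmt.Errorf("cloning entity after commit: %w", err) }` / `return clone, nil` (assuming fmt is imported in this file, as it is in identity_store_util.go). Returning a copy rather than the store's own object is presumably what closes the race the changelog names, so a short comment on the return, `// Return a detached copy so callers never hold the MemDB-owned entity`, would keep a future change from reverting to `return entity, nil`. The enclosing function starts outside the hunk.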
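Review bot: Changing the third argument of `MemDBAliasByFactors` from `true` to `false` is, if that parameter is the clone flag, the opposite direction from the identity_store.go hunks: `alias` would now reference the object held in MemDB rather than a copy, so any field write later in processLocalAlias (outside this hunk) mutates store state in place. If that is intentional, because the local update and an in-flight invalidation must observe one object, say so at the call site: `// No clone: operate on the stored alias itself so the local update below is visible to invalidation (changelog 13476) — confirm`. If it is not, this is the sharing pattern a race detector reports and deserves a second look. processLocalAlias starts before and continues past the hunk.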