token store expiration failed to revoke non SSCT (missing cubbyhole ID) #18304

Closed
shaj13 opened this issue Dec 11, 2022 · 1 comment · Fixed by #19416
Labels: bug, core/token


shaj13 commented Dec 11, 2022

Describe the bug
Vault server is unable to revoke old non-SSCT tokens (27 bytes).
2022-12-05T20:27:51.825Z [ERROR] expiration: failed to revoke lease: lease_id=auth/cert/login/h6d0772972fd1601be0b77048fb70dd7bb217982fefd4f0eb41c2fba8b49bc188 error="failed to revoke token: failed to revoke entry: missing cubbyhole ID while destroying"

To Reproduce

  1. Run Vault server and set VAULT_DISABLE_SERVER_SIDE_CONSISTENT_TOKENS to true
  2. vault login
  3. vault auth enable cert
  4. vault write auth/cert/certs/web
    display_name=web
    policies=web,prod
    [email protected]
    ttl=60
  5. Run multiple logins: curl -k https://localhost:8200/v1/auth/cert/login -X POST --cert ./web-cert.pem --key ./web-key.pem | jq
  6. Wait 1-2 min
  7. Check the logs
  8. [ERROR] expiration: failed to revoke lease: lease_id=auth/cert/login *****

Expected behavior
Token revoked, without any error.
For example:
2022-12-11T20:22:27.714Z [INFO] expiration: revoked lease: lease_id=auth/cert/login/h2e1b24fb284004483ea5110449916305107dd93387a5edeec7b5e141d10802cf

Environment:

  • Vault Server Version (retrieve with vault status):
    Key             Value
    Seal Type       shamir
    Initialized     true
    Sealed          false
    Total Shares    1
    Threshold       1
    Version         1.12.2
    Storage Type    postgresql

  • Vault CLI Version (retrieve with vault version):
    Vault v1.12.2
  • Server Operating System/Architecture:
    docker ubuntu image

/etc/os-release
NAME="Ubuntu"
VERSION="20.04.5 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.5 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal

Vault server configuration file(s):

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/tmp/vault.pem"
  tls_key_file  = "/tmp/vault-key.pem"
  tls_disable   = 0
}

api_addr     = "https://0.0.0.0:8200"
cluster_addr = "https://0.0.0.0:8201"

storage "postgresql" {
  connection_url = "*******"
  ha_enabled     = false
}

heatherezell added the bug and core/token labels on Dec 12, 2022

Kardi5 commented Feb 27, 2023

I have been hitting the exact same bug. I also have SSCT disabled and initially noticed the bug due to an increase in memory consumption for the Consul storage backend. consul snapshot inspect showed about 500k old Vault leases. The number of leases was confirmed via the Vault web UI.

@hsimon-hashicorp Neither revoke nor force revoke work as both complain about the missing cubbyhole ID. Any pointers how to delete the old leases and free up memory/storage despite the errors?
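
As an added example (not part of the issue thread and not Vault project code): a log triage script for the two expiration log lines quoted in the report. It lists leases whose most recent logged event is a failed revocation and counts them per auth mount, separating the "missing cubbyhole ID" error from other failures. The sample log, its lease IDs and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the log format quoted in the issue.
# Lease IDs (hAAAA, hBBBB, hCCCC) are made-up placeholders.
SAMPLE_LOG = """\
2022-12-05T20:27:51.825Z [ERROR] expiration: failed to revoke lease: lease_id=auth/cert/login/hAAAA error="failed to revoke token: failed to revoke entry: missing cubbyhole ID while destroying"
2022-12-05T20:27:52.100Z [INFO]  expiration: revoked lease: lease_id=auth/cert/login/hBBBB
2022-12-05T20:28:51.900Z [ERROR] expiration: failed to revoke lease: lease_id=auth/cert/login/hAAAA error="failed to revoke token: failed to revoke entry: missing cubbyhole ID while destroying"
2022-12-05T20:29:10.000Z [ERROR] expiration: failed to revoke lease: lease_id=auth/approle/login/hCCCC error="failed to revoke token: some other error"
2022-12-05T20:30:00.000Z [INFO]  expiration: revoked lease: lease_id=auth/approle/login/hCCCC
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) \[(?P<level>\w+)\]\s+expiration: '
    r'(?P<event>failed to revoke lease|revoked lease): '
    r'lease_id=(?P<lease>\S+)(?: error="(?P<error>.*)")?$'
)

def stuck_leases(log_text):
    """Map lease_id -> attempts/first/last/error for leases whose last event is a failure."""
    state = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an expiration revoke event
        lease = m["lease"]
        if m["event"] == "revoked lease":
            state.pop(lease, None)  # a later success clears earlier failures
            continue
        rec = state.setdefault(lease, {"attempts": 0, "first": m["ts"]})
        rec["attempts"] += 1
        rec["last"] = m["ts"]
        rec["error"] = m["error"]
    return state

def summarize(stuck, marker="missing cubbyhole ID"):
    """Count stuck leases per mount prefix, split by whether the error contains marker."""
    counts = defaultdict(lambda: {"matching": 0, "other": 0})
    for lease, rec in stuck.items():
        mount = lease.rsplit("/", 1)[0]  # lease ID minus its last path segment
        key = "matching" if marker in (rec["error"] or "") else "other"
        counts[mount][key] += 1
    return {k: dict(v) for k, v in counts.items()}

if __name__ == "__main__":
    print(summarize(stuck_leases(SAMPLE_LOG)))
```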
