-
Notifications
You must be signed in to change notification settings - Fork 4.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add warning when generate_lease=no_store=true when writing PKI role #14292
Add warning when generate_lease=no_store=true when writing PKI role #14292
Conversation
When no_store=true, the value of generate_lease is ignored completely (and set to false). This means that when generate_lease=true is specified by the caller of the API, it is silently swallowed. While changing the behavior could break callers, setting a warning on the response (changing from a 204->200 in the process) seems to make the most sense. Signed-off-by: Alexander Scheel <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm!
Signed-off-by: Alexander Scheel <[email protected]>
Thanks for the review @stevendpclark! |
@@ -644,6 +645,10 @@ func (b *backend) pathRoleCreate(ctx context.Context, req *logical.Request, data | |||
// no_store implies generate_lease := false | |||
if entry.NoStore { | |||
*entry.GenerateLease = false | |||
if data.Get("generate_lease").(bool) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would it make sense to return an error when both options are set to true?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The docs have mentioned since the introduction of the no_store
option that no_store=true
sets generate_lease=false
(regardless of its value), so I don't think we can necessarily make a breaking change at this point in time (which erring out would be). However, emitting a warning is the next best thing we can do for the time being. :-)
A future Vault v2 version potentially could make that change, or perhaps an equivalent amount of time with the warning. I dunno. But at least as it stands, we'd risk breaking people's existing e.g., Terraform definitions if we made that change now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The nice thing is a quick search shows that no public Terraform users seem to have made this mistake, but some use variables that could potentially be overridden to have the undesired behavior. Plus, I'd venture that most Terraform users keep their stuff private.
When
no_store=true
, the value ofgenerate_lease
is ignored completely(and set to false). This means that when
generate_lease=true
isspecified by the caller of the API, it is silently swallowed. While
changing the behavior could break callers, setting a warning on the
response (changing from a 204->200 in the process) seems to make the
most sense.
Signed-off-by: Alexander Scheel <[email protected]>
This probably isn't that important (and can wait for 1.10 branching). I found it when looking at the docs around #14286 and thought it was interesting.
Can be tested with something like: