OpenAPI generic_mount_paths follow-up
#18663
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
An incremental improvement within larger context discussed in hashicorp#18560. * Following the revert in hashicorp#18617, re-introduce the change from `{mountPath}` to `{<path-of-mount>_mount_path}`; this is needed, as otherwise paths from multiple plugins would clash - e.g. almost every auth method would provide a conflicting definition for `auth/{mountPath}/login`, and the last one written into the map would win. * Move the half of the functionality that was in `sdk/framework/` to `vault/logical_system.go` with the rest; this is needed, as `sdk/framework/` gets compiled in to externally built plugins, and therefore there may be version skew between it and the Vault main code. Implementing the `generic_mount_paths` feature entirely on one side of this boundary frees us from problems caused by this. * Update the special exception that recognizes `system` and `identity` as singleton mounts to also include the other two singleton mounts, `cubbyhole` and `auth/token`. * Include a comment that documents to restricted circumstances in which the `generic_mount_paths` option makes sense to use: // Note that for this to actually be useful, you have to be using it with // a Vault instance in which you have mounted one of each secrets engine // and auth method of types you are interested in, at paths which identify // their type, and for the KV secrets engine you will probably want to // mount separate kv-v1 and kv-v2 mounts to include the documentation for // each of those APIs.
averche
reviewed
Jan 12, 2023
| // hardcoded default paths. For example /auth/approle/login would be replaced | ||
| // with /auth/{mountPath}/login. This will be replaced for all secrets | ||
| // engines and auth methods that are enabled. | ||
| genericMountPaths, _ := req.Get("genericMountPaths").(bool) |
There was a problem hiding this comment.
Thanks for removing this! 🎉
Comment on lines
+4514
to
+4515
| // mount separate kv-v1 and kv-v2 mounts to include the documentation for | ||
| // each of those APIs. |
There was a problem hiding this comment.
"documentation" might be a bit confusing especially with "will primarily be used for code generation purposes" mentioned above.
|
Thank you very much for implementing this! I really like the idea of moving the mount-path-specific code out of
This is a great fix too! I tried running "/auth/{alicloud_mount_path}/login": {
"description": "Authenticates an RAM entity with Vault.",
"parameters": [
{
"name": "alicloud_mount_path",
"description": "Path that the backend was mounted at",
"in": "path",
"schema": {
"type": "string" // needs a default value
},
"required": true // needs to be false for generators to work properly
}
],
"x-vault-unauthenticated": true,
"post": {
"summary": "Authenticates an RAM entity with Vault.",
"operationId": "postAuthAlicloud_mount_pathLogin", // will need to fix this, possibly as part of #18321
"tags": [
"auth"
],
|
averche
approved these changes
Jan 12, 2023
|
It appears some mount-path-related tests are currently failing, probably need to be updated. |
Also remove comment "// TODO update after kv repo update" which was added 4 years ago in hashicorp#5687 - the implied update has not happened.
|
Ah, yes - test expectations now updated accordingly. |
|
Thanks! Could you please add a changelog file and we can merge this one. |
|
Changelog added ... it's a bit long, but there's quite a lot going on here! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
An incremental improvement within larger context discussed in #18560.
Following the revert in Revert "Add mount path into the default generated openapi.json spec (#17926)" #18617, re-introduce the change from
{mountPath}to{<path-of-mount>_mount_path}; this is needed, as otherwise paths from multiple plugins would clash - e.g. almost every auth method would provide a conflicting definition forauth/{mountPath}/login, and the last one written into the map would win.Move the half of the functionality that was in
sdk/framework/tovault/logical_system.gowith the rest; this is needed, assdk/framework/gets compiled in to externally built plugins, and therefore there may be version skew between it and the Vault main code. Implementing thegeneric_mount_pathsfeature entirely on one side of this boundary frees us from problems caused by this.Update the special exception that recognizes
systemandidentityas singleton mounts to also include the other two singleton mounts,cubbyholeandauth/token.Include a comment that documents to restricted circumstances in which the
generic_mount_pathsoption makes sense to use: