-
Notifications
You must be signed in to change notification settings - Fork 4.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Panic due to concurrent map writes #4582
Comments
Many thanks for reporting this -- any panic is a bug that should be fixed, and providing the log is super duper helpful. We'll update when we know more. |
Hi there, I think I've figured out the issue but it involves a specific set of circumstances once all policies given to a token are being evaluated together, namely:
Can you confirm/deny? |
Fixes #4582 -- and even if it doesn't, it's the right thing to do
would a wildcard + two exact matches count for
given to tokens that would have been in use right around the time of the crash |
Are you using the
If you are, it would indeed mean that you have three exact matches. |
Indeed we are, so looks like were a match for the circumstances you described |
Great, fix will be in 0.10.2! Thanks! |
Environment:
Vault Config File:
Startup Log Output:
We have only encountered this once, and have not been able to reproduce but we experienced a crash of vault due to a panic around concurrent writes to a map & figured it was worth reporting - link to crash log gist provided in references.
Important Factoids:
The instance that crashed was the active instance in an HA cluster. Since it looks to be around ACL related code it is worth noting that we are using AWS IAM auth to retrieve tokens for lambdas. Probably also worth mentioning that we are also using vault to manage credentials for RabbitMQ through the RabbitMQ secrets engine, credentials for MySQL through the database secrets engine and IAM credentials through the AWS secrets engine.
References:
Crash log: https://gist.github.com/jonsabados/712c915c992c925a66f4d4f66e7fbd68
The text was updated successfully, but these errors were encountered: