
OpenBao doesn't recognize valid Vault HVS tokens

Open AdrianAbraham opened this issue 1 year ago • 2 comments

Describe the bug

OpenBao doesn't recognize valid existing Vault tokens.

More specifically, Vault versions since 1.10 issue "hvs" tokens while OpenBao issues — and only seems to recognize — the pre-1.10 "s" tokens.

Any attempt to use an hvs token produces:

Error making API request.

URL: GET <the url>
Code: 500. Errors:

* error performing token check: failed to look up namespace from the token: no namespace

To Reproduce

  1. Log into Vault and receive an hvs token
  2. Shut down Vault and run OpenBao against the same data folder
  3. Attempt to perform any operation using the Vault token
  4. See error

Expected behavior

Existing Vault tokens should continue to work in OpenBao. Failing that, the error should clearly communicate that Vault tokens aren't valid and that existing tokens need to be regenerated.

Environment:

  • OpenBao Server Version (retrieve with bao status): 2.0.0-alpha20240329
  • OpenBao CLI Version (retrieve with bao version): 2.0.0-alpha20240329
  • Server Operating System/Architecture: Fedora 39 / x86_64

AdrianAbraham avatar Apr 17 '24 12:04 AdrianAbraham

We might want to have a discussion as a community about this one later, perhaps at this week's call @naphelps.

One of the reasons why I wanted to remove this is that the SSCT format contains extra information that isn't necessary: it contains cross-cluster WAL indices, so that requests to multiple Performance Secondary clusters can be rejected or retried until the cluster is up-to-date with some state.

While nice, we do not, and likely will not, have multiple clusters and thus will not require this.

Thus the conversation could revolve around: do we want to keep this around forever (for migration purposes), or drop it after GA for the next major release, and if so, what mitigations are OK? Can we err with a more helpful message that SSCTs aren't accepted and fail? Or should we attempt to support read-only SSCTs and strictly generate new (old, non-SSCT format) tokens?

Given now is alpha->GA, perhaps breaking SSCTs now is a better time to make this change and handle the breakage as @AdrianAbraham commented on #openbao-general:

Any chance we can get a "Sorry, OpenBao doesn't support Vault tokens" error instead of the "no namespace" error?

Edit: some notes on cleaner removal semantics:

  • Cleaner error message when an old format token is used.
  • We'll want to validate tidy removal works.
  • Leases are (sometimes) bound to token expiry; are we expecting to re-issue everything?

Other considerations?

cipherboy avatar Apr 17 '24 12:04 cipherboy
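One way to implement the clearer rejection proposed in the comment above, as an added example that is not OpenBao's own code: a prefix pre-check run before the namespace lookup, so an "hvs" token fails with a message naming the real cause instead of "no namespace". The "hvb." batch-token prefix, the sample token strings and the function names are assumptions; nothing here decodes or validates the token.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// TokenKind classifies a token by its prefix only. "hvs."/"hvb." are the
// Vault >= 1.10 server-side-consistent (SSCT) formats the issue describes;
// "s."/"b." are the pre-1.10 formats OpenBao issues and recognizes.
type TokenKind int

const (
	KindUnknown     TokenKind = iota
	KindService               // "s."   pre-1.10 service token
	KindBatch                 // "b."   pre-1.10 batch token
	KindSSCTService           // "hvs." Vault SSCT service token
	KindSSCTBatch             // "hvb." Vault SSCT batch token (assumed prefix)
)

// ErrVaultSSCT replaces "failed to look up namespace from the token: no namespace".
var ErrVaultSSCT = errors.New("token uses the Vault server-side-consistent (hvs/hvb) format, " +
	"which OpenBao does not support; re-authenticate to obtain a new token")

// classifyToken reads the prefix and nothing else.
func classifyToken(tok string) TokenKind {
	switch {
	case strings.HasPrefix(tok, "hvs."):
		return KindSSCTService
	case strings.HasPrefix(tok, "hvb."):
		return KindSSCTBatch
	case strings.HasPrefix(tok, "s."):
		return KindService
	case strings.HasPrefix(tok, "b."):
		return KindBatch
	}
	return KindUnknown
}

// precheckToken is the hypothetical guard placed ahead of the namespace lookup:
// SSCT-format tokens are rejected early with ErrVaultSSCT, everything else is
// handed on to the normal lookup path unchanged.
func precheckToken(tok string) (TokenKind, error) {
	kind := classifyToken(tok)
	if kind == KindSSCTService || kind == KindSSCTBatch {
		return kind, ErrVaultSSCT
	}
	return kind, nil
}

func main() {
	// Constructed sample tokens; they are not real credentials.
	for _, tok := range []string{"hvs.CAESIexample", "s.abc123", "b.AAAAAQ"} {
		kind, err := precheckToken(tok)
		fmt.Printf("%q -> kind=%d err=%v\n", tok, kind, err)
	}
}
```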

Adding to the agenda.

naphelps avatar Apr 17 '24 13:04 naphelps