Alexander Scheel
@phyrog Ah, I see where the confusion is. I read that as: > For [the unseal] data this means, we encrypt it twice: first with the namespace encryption key [the...
@phyrog hmm, either way you do it, you need a reference to `parentBarrier` which will already have access to the `Sealed()` method: https://github.com/openbao/openbao/blob/main/vault/barrier.go#L92 So you're not really incurring much different,...
@phyrog Ah, fair. Yes, it should block all requests, even if they don't result in storage operations, except for sealing or unsealing. It really is the equivalent of locked/tainted, in...
> not with additional side-effects, the same pattern is also used for reading, patching, and deleting the namespace

Right, I think pulling this path will cause it to 404 before...
@pgnd Is the server running? Note this line in the `bao operator diagnose` [docs](https://openbao.org/docs/commands/operator/diagnose/): > The command can be used safely regardless of the state OpenBao is in, but **may...
@pgnd Ah, missed that part. Hmm, what does `flock` on the `vault.db` file report? Can you lock it or is it locked? Only very rarely does the first one fail:...
I think it is a very useful change to have, but I think we'll need some careful [RFC](https://github.com/openbao/openbao/issues/new?assignees=&labels=rfc%2Cpending-decision&projects=&template=rfc.yml) design work to ensure we're all happy with the results. Happy to...
@JanMa I think a subtoken would be possible, but a lot of existing integrations don't really support that flow, if they support authing directly. If the groups don't do what...
Hmm, I don't like either `mixing_policy` or `join_rule` as a name for the config option, but let's keep thinking about it. Yes, an RFC would be the next step. Do...
@achetronic one thought: how will explicit `DENY` be handled? I think this should still be applied to the union and even if another policy granted it, we should still have...