
Being logged out from web UI when accessing specific pages

Open denmaddog opened this issue 2 years ago • 4 comments

Describe the bug

Whenever I try to access the following pages from the web UI I get logged out:

  • https://example.com:8200/ui/vault/storage/raft
  • https://example.com:8200/ui/vault/clients/current

To Reproduce

Steps to reproduce the behavior:

  1. Install Vault v1.11.1
  2. Login to Vault with root token.
  3. Click on any of the following pages:
     • https://example.com:8200/ui/vault/storage/raft
     • https://example.com:8200/ui/vault/clients/current

Expected behavior

I should stay logged in.

Environment:

  • Vault Server Version (retrieve with vault status):

    root@vault-node1:~# vault status
    Key                     Value
    Seal Type               shamir
    Initialized             true
    Sealed                  false
    Total Shares            5
    Threshold               3
    Version                 1.11.1
    Build Date              2022-07-19T20:16:47Z
    Storage Type            raft
    Cluster Name            vault-cluster-xxxxxx
    Cluster ID              xxxxxxxxxxxxxxxxxxxxxxx
    HA Enabled              true
    HA Cluster              https://vault-node1.example.com:8201
    HA Mode                 active
    Active Since            2022-08-01T09:27:43.304694342Z
    Raft Committed Index    1791162
    Raft Applied Index      1791162

  • Vault CLI Version (retrieve with vault version):

    root@vault-node1:~# vault version
    Vault v1.11.1 (0f634755745f4adf62ec0723a0b93d6dce5bc33e), built 2022-07-19T20:16:47Z

  • Server Operating System/Architecture:

    root@vault-node1:~# cat /etc/os-release
    PRETTY_NAME="Debian GNU/Linux 10 (buster)"
    NAME="Debian GNU/Linux"
    VERSION_ID="10"
    VERSION="10 (buster)"
    VERSION_CODENAME=buster
    ID=debian
    HOME_URL="https://www.debian.org/"
    SUPPORT_URL="https://www.debian.org/support"
    BUG_REPORT_URL="https://bugs.debian.org/"

Vault server configuration file(s):

root@vault-node1:~# cat /etc/vault.d/vault.hcl
storage "raft" {
  path    = "/raft-data/"
  node_id = "node1"

#  retry_join {
#    leader_api_addr = "https://vault-node1.example.com:8200"
#  }

#  retry_join {
#    leader_api_addr = "https://vault-node2.example.com:8200"
#  }

#  retry_join {
#    leader_api_addr = "https://vault-node3.example.com:8200"
#  }

#  retry_join {
#    leader_api_addr = "https://vault-node4.example.com:8200"
#  }
}

listener "tcp" {
  address = "0.0.0.0:8200"
  cluster_address = "0.0.0.0:8201"
#  tls_disable = true
  tls_cert_file    = "/etc/vault.d/example.com.crt"
  tls_key_file     = "/etc/vault.d/example.com.key"
}

disable_mlock = true
api_addr = "https://vault-node1.example.com:8200"
cluster_addr = "https://vault-node1.example.com:8201"
ui = true
####################


root@vault-node2:~# cat /etc/vault.d/vault.hcl
storage "raft" {
  path    = "/raft-data/"
  node_id = "node2"

  retry_join {
    leader_api_addr = "https://vault-node1.example.com:8200"
  }

  retry_join {
    leader_api_addr = "https://vault-node3.example.com:8200"
  }

  retry_join {
    leader_api_addr = "https://vault-node4.example.com:8200"
  }

  retry_join {
    leader_api_addr = "https://vault-node5.example.com:8200"
  }
}

listener "tcp" {
  address = "0.0.0.0:8200"
  cluster_address = "0.0.0.0:8201"
#  tls_disable = true
  tls_cert_file    = "/etc/vault.d/example.com.crt"
  tls_key_file     = "/etc/vault.d/example.com.key"
}

disable_mlock = true
api_addr = "https://vault-node2.example.com:8200"
cluster_addr = "https://vault-node2.example.com:8201"
ui = true

Raft storage status

root@vault-node1:~# vault operator raft autopilot state
Healthy:              true
Failure Tolerance:    2
Leader:               node1
Voters:
   node1
   node2
   node3
   node4
   node5
Servers:
   node1
      Name:            node1
      Address:         vault-node1.example.com:8201
      Status:          leader
      Node Status:     alive
      Healthy:         true
      Last Contact:    0s
      Last Term:       44
      Last Index:      1791093
      Version:         1.11.1
      Node Type:       voter
   node2
      Name:            node2
      Address:         vault-node2.example.com:8201
      Status:          voter
      Node Status:     alive
      Healthy:         true
      Last Contact:    2.703071021s
      Last Term:       44
      Last Index:      1791093
      Version:         1.11.1
      Node Type:       voter
   node3
      Name:            node3
      Address:         vault-node3.example.com:8201
      Status:          voter
      Node Status:     alive
      Healthy:         true
      Last Contact:    1.57763927s
      Last Term:       44
      Last Index:      1791093
      Version:         1.11.1
      Node Type:       voter
   node4
      Name:            node4
      Address:         vault-node4.example.com:8201
      Status:          voter
      Node Status:     alive
      Healthy:         true
      Last Contact:    4.066262335s
      Last Term:       44
      Last Index:      1791093
      Version:         1.11.1
      Node Type:       voter
   node5
      Name:            node5
      Address:         vault-node5.example.com:8201
      Status:          voter
      Node Status:     alive
      Healthy:         true
      Last Contact:    3.845828797s
      Last Term:       44
      Last Index:      1791093
      Version:         1.11.1
      Node Type:       voter

Additional context

Same thing happens on another cluster after updating to Vault v1.11.1.

denmaddog, Aug 01 '22 10:08

Same issue in Vault v1.11.2.

denmaddog, Aug 04 '22 15:08

Same issue in all current Vault 1.11.3 versions.

@chelshaw @darshanasivakumar any chance this can be remedied by 1.11.4 or thereafter?

aphorise, Sep 05 '22 00:09

This appears to be a combination of factors coming together to produce undesired behaviour:

  1. Root tokens are not saved by the UI, so you are immediately logged out if you navigate away or refresh.

  2. Those two mentioned links, "Raft Storage" & "Client count", are implemented as full page navigations, unlike just about everything else in the Vault UI, which is an XHR.

I don't know enough about Ember development to be of any further help, but hopefully this observation is enough to put someone else on the right track.

maxb, Sep 05 '22 20:09
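
The two factors described in the comment above, modelled as an added example (this is not Vault UI code and not part of the thread). The class and function names are hypothetical, and the assumption that non-root tokens are persisted across page loads is inferred from the comment, not confirmed by the page.

```javascript
// Added illustration: a minimal model of a single-page app session.
// NOT Vault UI code; every name below is hypothetical.

class UiSession {
  constructor(storage) {
    // `storage` stands in for browser storage that survives a page load.
    this.storage = storage;
    // A freshly booted app can only recover what was persisted earlier.
    this.token = storage.get('token') ?? null;
  }

  login(token, policies) {
    this.token = token;
    // Factor 1: a root token is kept in memory only and never persisted.
    // Assumption: any other token is written to persistent storage.
    if (!policies.includes('root')) {
      this.storage.set('token', token);
    }
  }

  get loggedIn() {
    return this.token !== null;
  }
}

// In-app (XHR) route change: the same in-memory session keeps running.
function xhrTransition(session) {
  return session;
}

// Factor 2: a full page navigation throws away in-memory state and boots
// a new app instance that sees only the persisted storage.
function fullPageNavigation(session) {
  return new UiSession(session.storage);
}

// Log in with the given policies, navigate once, report whether the
// session survived. The token value is a constructed sample.
function staysLoggedIn(policies, navigate) {
  const session = new UiSession(new Map());
  session.login('constructed-sample-token', policies);
  return navigate(session).loggedIn;
}

console.log({
  rootViaXhr: staysLoggedIn(['root'], xhrTransition),
  rootViaFullPage: staysLoggedIn(['root'], fullPageNavigation),
  nonRootViaFullPage: staysLoggedIn(['default'], fullPageNavigation),
});
```

Only the combination of a root token and a full page navigation loses the session in this model, which matches the symptom reported for the two links.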

Related to PR #16983 - that was done for similar reasons / symptoms, where another UI view (KV Secrets view with versions selection) also behaves the same, kicking the user out.

Issue is expected to be resolved by release of 1.12.0, as already noted in the CHANGELOG.md.

aphorise, Sep 06 '22 21:09

Issue resolved in v1.12.0 for me.

denmaddog, Oct 19 '22 17:10