
Update secrets in place

Open tiran opened this issue 9 years ago • 4 comments

Custodia has no HTTP method to update a secret in place. Secrets must be deleted first with DELETE and then re-added with PUT. For integration with another system I need an add-or-update API.

tiran, Aug 29 '16 13:08

We can probably allow a PUT with a query option to indicate we want to replace, or just simply always allow to replace.

simo5, Aug 29 '16 13:08

Which variant do you prefer as default?

In the long run it might be useful to have a compare-and-swap feature. For some storage engines CAS can be implemented atomically, e.g. SQL.

tiran, Sep 12 '16 12:09

Replace is probably the better semantic, otherwise 2 concurrent clients can end up stomping on each other.

simo5, Sep 12 '16 14:09

I am tempted to say we want CAS, but probably a simple replace is fine, as long as at all times the secret actually "exists". I want to avoid the case where client 1 deletes the secret, and before it recreates it client 2 checks for existence, does not find it and does something we do not want it to do.

simo5, Sep 12 '16 14:09
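The DELETE-then-PUT gap and the two alternatives discussed in this thread (in-place replace and compare-and-swap), as an added example that is not Custodia's code. A constructed in-memory SQLite table stands in for a storage engine; the table layout, the `version` column and all function names are assumptions.

```python
import sqlite3

def open_store():
    # Constructed store for this example; not Custodia's schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE secrets (name TEXT PRIMARY KEY,"
                 " value TEXT NOT NULL, version INTEGER NOT NULL)")
    return conn

def exists(conn, name):
    row = conn.execute("SELECT 1 FROM secrets WHERE name = ?", (name,))
    return row.fetchone() is not None

def get(conn, name):
    """Return (value, version), or None if the secret is absent."""
    return conn.execute("SELECT value, version FROM secrets WHERE name = ?",
                        (name,)).fetchone()

def delete_then_put(conn, name, value, observer):
    """Two separate requests: DELETE, then PUT. observer() stands in for a
    second client that runs between them; its result is returned."""
    with conn:
        conn.execute("DELETE FROM secrets WHERE name = ?", (name,))
    seen = observer()  # the secret does not exist at this point
    with conn:
        conn.execute("INSERT INTO secrets VALUES (?, ?, 1)", (name, value))
    return seen

def replace(conn, name, value):
    """Add-or-update in one transaction: an existing secret never disappears."""
    with conn:
        cur = conn.execute("UPDATE secrets SET value = ?, version = version + 1"
                           " WHERE name = ?", (value, name))
        if cur.rowcount == 0:
            conn.execute("INSERT INTO secrets VALUES (?, ?, 1)", (name, value))

def compare_and_swap(conn, name, expected_version, value):
    """Update only if nobody changed the secret since expected_version was read.
    Returns False when the caller's view is stale."""
    with conn:
        cur = conn.execute("UPDATE secrets SET value = ?, version = version + 1"
                           " WHERE name = ? AND version = ?",
                           (value, name, expected_version))
    return cur.rowcount == 1
```

With `replace`, the last writer wins but the secret is always present; with `compare_and_swap`, a writer holding a stale version is rejected and has to re-read before retrying.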