spring-vault
Introduce interface to calculate remaining validity and renewal for a Lease using `SecretLeaseContainer`
`expiryThreshold` is shared by `minRenewal`. It is difficult to assess how much `minRenewal` should be set to.

```java
renewed.getLeaseDuration().getSeconds() < this.minRenewal.getSeconds()
```
https://github.com/spring-projects/spring-vault/blob/afdbdd67f1018634a536fa4e0f60a52d37b1860c/spring-vault-core/src/main/java/org/springframework/vault/core/lease/SecretLeaseContainer.java#L594C5-L594C5
Care to elaborate on what you're planning to achieve? Please provide more detail and context so that we can understand what you're up to.
Here is my code.
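```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.vault.client.VaultEndpoint;
import org.springframework.vault.core.VaultTemplate;
import org.springframework.vault.core.env.LeaseAwareVaultPropertySource;
import org.springframework.vault.core.lease.SecretLeaseContainer;
import org.springframework.vault.core.lease.domain.RequestedSecret;

class VaultForJdbc {
    // One shared container that renews and rotates the leases of all requested secrets.
    private static SecretLeaseContainer secretLeaseContainer;

    static {
        VaultTemplate vaultTemplate = new VaultTemplate(VaultEndpoint.create("http://127.0.0.1", 1234));
        SecretLeaseContainer secretLeaseContainer = new SecretLeaseContainer(vaultTemplate);
        secretLeaseContainer.afterPropertiesSet();
        secretLeaseContainer.start();
        VaultForJdbc.secretLeaseContainer = secretLeaseContainer;
    }

    // One property source per requested secret, created on first use.
    private static Map<RequestedSecret, LeaseAwareVaultPropertySource> map = new ConcurrentHashMap<>();

    public static LeaseAwareVaultPropertySource requestSecret(RequestedSecret requestedSecret) {
        return map.computeIfAbsent(requestedSecret, k -> new LeaseAwareVaultPropertySource(secretLeaseContainer, requestedSecret));
    }
}

// Caller: reads the current database credentials from the lease-aware property source.
public static void main(String[] args) {
    LeaseAwareVaultPropertySource propertySource = VaultForJdbc.requestSecret(RequestedSecret.rotating("/database/readwrite"));
    Object username = propertySource.getProperty("username");
    Object password = propertySource.getProperty("password");
}
```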
minRenewal is used in two pieces of code.
- Sets the amount of seconds that is at least required before renewing a lease.
- TTL threshold of the valid lease

Could `SecretLeaseContainer`, like `LifecycleAwareSessionManagerSupport.RefreshTrigger`, be opened up for users to configure `nextExecutionTime` and `getValidTtlThreshold`?

If a socket timeout is displayed, the default `leaseStrategy` is drop, but `onLeaseExpired(requestedSecret, lease)` is not executed after the drop. Note that rescheduling can only be triggered by the user's rotate, which affects the execution time of the user. If `leaseStrategy` is `retainOnIoError`, `doRenewLease` will return the original lease with no change in `leaseDuration`, resulting in a high probability that the calculation for the next execution cycle is wrong.
https://github.com/spring-projects/spring-vault/blob/61ca991ba4ec8b54a728899d3460f1e9076e90de/spring-vault-core/src/main/java/org/springframework/vault/core/lease/SecretLeaseContainer.java#L680
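
The scheduling concern raised in the comment above, as an added stand-alone model (not spring-vault code and not from the thread). It assumes the next renewal is scheduled at `leaseDuration` minus `expiryThreshold` with `minRenewal` as a floor, reuses the expiry check quoted in the issue, and runs on constructed durations; `StaleLeaseModel`, `nextRenewalDelay` and `treatedAsExpired` are hypothetical names.

```java
import java.time.Duration;

// Simplified model, not spring-vault code: shows what happens when the next
// renewal is computed from a lease whose duration was not refreshed.
public class StaleLeaseModel {

    // Assumed rule: renew expiryThreshold before the end, never sooner than minRenewal.
    static Duration nextRenewalDelay(Duration leaseDuration, Duration minRenewal, Duration expiryThreshold) {
        Duration candidate = leaseDuration.minus(expiryThreshold);
        return candidate.compareTo(minRenewal) > 0 ? candidate : minRenewal;
    }

    // The check quoted in the issue: a renewed lease shorter than minRenewal counts as expired.
    static boolean treatedAsExpired(Duration renewedDuration, Duration minRenewal) {
        return renewedDuration.getSeconds() < minRenewal.getSeconds();
    }

    public static void main(String[] args) {
        // Constructed sample values.
        Duration minRenewal = Duration.ofSeconds(10);
        Duration expiryThreshold = Duration.ofSeconds(60);
        Duration issued = Duration.ofSeconds(300); // TTL reported when the lease was issued

        Duration firstDelay = nextRenewalDelay(issued, minRenewal, expiryThreshold);
        Duration reallyLeft = issued.minus(firstDelay); // TTL left when the first renewal fires

        // The renewal fails with an I/O error and the original lease object is retained:
        // its leaseDuration still reports the issued TTL, not the time actually left.
        Duration staleDelay = nextRenewalDelay(issued, minRenewal, expiryThreshold);
        Duration correctDelay = nextRenewalDelay(reallyLeft, minRenewal, expiryThreshold);

        System.out.printf("first renewal after        %ds%n", firstDelay.getSeconds());
        System.out.printf("TTL really left            %ds%n", reallyLeft.getSeconds());
        System.out.printf("next try from stale lease  %ds, after real expiry: %b%n",
                staleDelay.getSeconds(), staleDelay.compareTo(reallyLeft) > 0);
        System.out.printf("next try from remaining    %ds%n", correctDelay.getSeconds());

        // The same minRenewal value also decides whether a short renewed lease is dropped.
        System.out.printf("renewed to 5s, treated as expired: %b%n",
                treatedAsExpired(Duration.ofSeconds(5), minRenewal));
    }
}
```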