Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

VAULT 2844: remove legacy lease revocation strategy #12888

Merged
merged 5 commits into from Oct 22, 2021
Merged

VAULT 2844: remove legacy lease revocation strategy #12888

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
02022f4
remove legacy lease revocation strategy
swayne275 Oct 20, 2021
f7b368d
add deprecation change log note
swayne275 Oct 20, 2021
7942aaf
Merge branch 'main' into vault-2844_remove-legacy-revocation-strategy
swayne275 Oct 22, 2021
c6dc9f5
remove VAULT_16_REVOKE_PERMITPOOL
swayne275 Oct 22, 2021
ade304c
update changelog
swayne275 Oct 22, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
4 changes: 4 additions & 0 deletions changelog/12888.txt
View file
Open in desktop
@@ -0,0 +1,4 @@
```release-note:deprecation
expiration: VAULT_LEASE_USE_LEGACY_REVOCATION_STRATEGY environment variable is
swayne275 marked this conversation as resolved.
Show resolved Hide resolved
no longer available.
```
9 changes: 1 addition & 8 deletions vault/core.go
View file
Open in desktop
Expand Up @@ -14,7 +14,6 @@ import (
"net"
"net/http"
"net/url"
"os"
"path/filepath"
"strings"
"sync"
Expand Down Expand Up @@ -2037,13 +2036,7 @@ func (s standardUnsealStrategy) unseal(ctx context.Context, logger log.Logger, c
if err := c.startRollback(); err != nil {
return err
}
var expirationStrategy ExpireLeaseStrategy
if os.Getenv("VAULT_LEASE_USE_LEGACY_REVOCATION_STRATEGY") != "" {
expirationStrategy = expireLeaseStrategyRevoke
} else {
expirationStrategy = expireLeaseStrategyFairsharing
}
if err := c.setupExpiration(expirationStrategy); err != nil {
if err := c.setupExpiration(expireLeaseStrategyFairsharing); err != nil {
return err
}
if err := c.loadAudits(ctx); err != nil {
Expand Down
56 changes: 0 additions & 56 deletions vault/expiration.go
View file
Open in desktop
Expand Up @@ -295,62 +295,6 @@ func revokeExponentialBackoff(attempt uint8) time.Duration {
return time.Duration(backoffTime)
}

// revokeIDFunc is invoked when a given ID is expired
func expireLeaseStrategyRevoke(ctx context.Context, m *ExpirationManager, leaseID string, ns *namespace.Namespace) {
for attempt := uint(0); attempt < maxRevokeAttempts; attempt++ {
releasePermit := func() {}
if m.revokePermitPool != nil {
m.logger.Trace("expiring lease; waiting for permit pool")
m.revokePermitPool.Acquire()
releasePermit = m.revokePermitPool.Release
m.logger.Trace("expiring lease; got permit pool")
}

metrics.IncrCounterWithLabels([]string{"expire", "lease_expiration"}, 1, []metrics.Label{{"namespace", ns.ID}})

revokeCtx, cancel := context.WithTimeout(ctx, DefaultMaxRequestDuration)
revokeCtx = namespace.ContextWithNamespace(revokeCtx, ns)

go func() {
select {
case <-ctx.Done():
case <-m.quitCh:
cancel()
case <-revokeCtx.Done():
}
}()

select {
case <-m.quitCh:
m.logger.Error("shutting down, not attempting further revocation of lease", "lease_id", leaseID)
releasePermit()
cancel()
return
case <-m.quitContext.Done():
m.logger.Error("core context canceled, not attempting further revocation of lease", "lease_id", leaseID)
releasePermit()
cancel()
return
default:
}

m.coreStateLock.RLock()
err := m.Revoke(revokeCtx, leaseID)
m.coreStateLock.RUnlock()
releasePermit()
cancel()
if err == nil {
return
}

metrics.IncrCounterWithLabels([]string{"expire", "lease_expiration", "error"}, 1, []metrics.Label{{"namespace", ns.ID}})

m.logger.Error("failed to revoke lease", "lease_id", leaseID, "error", err)
time.Sleep((1 << attempt) * revokeRetryBase)
}
m.logger.Error("maximum revoke attempts reached", "lease_id", leaseID)
}

func getNumExpirationWorkers(c *Core, l log.Logger) int {
numWorkers := c.numExpirationWorkers

Expand Down
18 changes: 4 additions & 14 deletions vault/expiration_test.go
View file
Open in desktop
Expand Up @@ -36,11 +36,11 @@ func mockExpiration(t testing.TB) *ExpirationManager {
// Wait until the expiration manager is out of restore mode.
// This was added to prevent sporadic failures of TestExpiration_unrecoverableErrorMakesIrrevocable.
timeout := time.Now().Add(time.Second * 10)
for c.expiration.inRestoreMode() {
for c.expiration.inRestoreMode() {
if time.Now().After(timeout) {
t.Fatal("ExpirationManager is still in restore mode after 10 seconds")
}
time.Sleep(50*time.Millisecond)
time.Sleep(50 * time.Millisecond)
}

return c.expiration
Expand Down Expand Up @@ -2181,9 +2181,7 @@ func TestExpiration_renewEntry(t *testing.T) {
}
}

func revokeEntryRejectedCore(t *testing.T, e ExpireLeaseStrategy) {
t.Helper()

func TestExpiration_revokeEntry_rejected_fairsharing(t *testing.T) {
core, _, _ := TestCoreUnsealed(t)
exp := core.expiration

Expand Down Expand Up @@ -2250,7 +2248,7 @@ func revokeEntryRejectedCore(t *testing.T, e ExpireLeaseStrategy) {
t.Fatal(err)
}

err = core.setupExpiration(e)
err = core.setupExpiration(expireLeaseStrategyFairsharing)
if err != nil {
t.Fatal(err)
}
Expand All @@ -2275,14 +2273,6 @@ func revokeEntryRejectedCore(t *testing.T, e ExpireLeaseStrategy) {
}
}

func TestExpiration_revokeEntry_rejected_revoke(t *testing.T) {
revokeEntryRejectedCore(t, expireLeaseStrategyRevoke)
}

func TestExpiration_revokeEntry_rejected_fairsharing(t *testing.T) {
revokeEntryRejectedCore(t, expireLeaseStrategyFairsharing)
}

func TestExpiration_renewAuthEntry(t *testing.T) {
exp := mockExpiration(t)

Expand Down