Re-enable rollback triggers for auth backends

builtin/credential/aws/backend.go

@@ -108,7 +108,6 @@ func Backend(conf *logical.BackendConfig) (*framework.Backend, error) {
 // Tidying of blacklist and whitelist are by default enabled. This can be
 // changed using `config/tidy/roletags` and `config/tidy/identities` endpoints.
 func (b *backend) periodicFunc(req *logical.Request) error {
-
 	// Run the tidy operations for the first time. Then run it when current
 	// time matches the nextTidyTime.
 	if b.nextTidyTime.IsZero() || !time.Now().UTC().Before(b.nextTidyTime) {

vault/rollback.go

@@ -112,8 +112,12 @@ func (m *RollbackManager) triggerRollbacks() {
 	backends := m.backends()
 
 	for _, e := range backends {
-		if _, ok := m.inflight[e.Path]; !ok {
-			m.startRollback(e.Path)
+		path := e.Path
+		if e.Table == credentialTableType {
+			path = "auth/" + path
+		}
+		if _, ok := m.inflight[path]; !ok {
+			m.startRollback(path)
 		}
 	}
 }
@@ -191,19 +195,11 @@ func (c *Core) startRollback() error {
 		for _, entry := range c.mounts.Entries {
 			ret = append(ret, entry)
 		}
-		// NOTE NOTE NOTE
-		// We cannot do the below this way. Modifying the mount entries leads
-		// to those modified entries being persisted and that's very very bad
-		/*
-			c.authLock.RLock()
-			defer c.authLock.RUnlock()
-			for _, entry := range c.auth.Entries {
-				if !strings.HasPrefix(entry.Path, "auth/") {
-					entry.Path = "auth/" + entry.Path
-				}
-				ret = append(ret, entry)
-			}
-		*/
+		c.authLock.RLock()
+		defer c.authLock.RUnlock()
+		for _, entry := range c.auth.Entries {
+			ret = append(ret, entry)
+		}
 		return ret
 	}
 	c.rollback = NewRollbackManager(c.logger, backendsFunc, c.router)