Vault-2257: don't log token error on DR Secondary (#13137)

* don't log token error on DR Secondary

* stop gauge collector expiration errors on dr secondary

* don't check dr secondary for token create

* see if CI hits panic

* Revert "don't check dr secondary for token create"

This reverts commit c036a1a544d3a20d29d046f1ee239ab1563ce4d9.

* don't check dr secondary for token create

* Revert "see if CI hits panic"

This reverts commit 1e15aa535cac6e4d1684aaf47c8746c094068eb8.

* remove condition on log
swayne275 2021-11-17 09:21:54 -07:00 committed by GitHub
parent 46adcccfea
commit 3458c22df0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 22 additions and 2 deletions


@ -136,6 +136,11 @@ func (c *Core) metricsLoop(stopCh chan struct{}) {
// TokenStore; there is one per method because an additional level of abstraction
// seems confusing.
func (c *Core) tokenGaugeCollector(ctx context.Context) ([]metricsutil.GaugeLabelValues, error) {
if c.IsDRSecondary() {
// there is no expiration manager on DR Secondaries
return []metricsutil.GaugeLabelValues{}, nil
}
// stateLock or authLock protects the tokenStore pointer
c.stateLock.RLock()
ts := c.tokenStore
@ -147,6 +152,11 @@ func (c *Core) tokenGaugeCollector(ctx context.Context) ([]metricsutil.GaugeLabe
}
func (c *Core) tokenGaugePolicyCollector(ctx context.Context) ([]metricsutil.GaugeLabelValues, error) {
if c.IsDRSecondary() {
// there is no expiration manager on DR Secondaries
return []metricsutil.GaugeLabelValues{}, nil
}
c.stateLock.RLock()
ts := c.tokenStore
c.stateLock.RUnlock()
@ -168,6 +178,11 @@ func (c *Core) leaseExpiryGaugeCollector(ctx context.Context) ([]metricsutil.Gau
}
func (c *Core) tokenGaugeMethodCollector(ctx context.Context) ([]metricsutil.GaugeLabelValues, error) {
if c.IsDRSecondary() {
// there is no expiration manager on DR Secondaries
return []metricsutil.GaugeLabelValues{}, nil
}
c.stateLock.RLock()
ts := c.tokenStore
c.stateLock.RUnlock()
@ -178,6 +193,11 @@ func (c *Core) tokenGaugeMethodCollector(ctx context.Context) ([]metricsutil.Gau
}
func (c *Core) tokenGaugeTtlCollector(ctx context.Context) ([]metricsutil.GaugeLabelValues, error) {
if c.IsDRSecondary() {
// there is no expiration manager on DR Secondaries
return []metricsutil.GaugeLabelValues{}, nil
}
c.stateLock.RLock()
ts := c.tokenStore
c.stateLock.RUnlock()
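Review bot: The same four-line `IsDRSecondary` guard is pasted into tokenGaugeCollector, tokenGaugePolicyCollector, tokenGaugeMethodCollector and tokenGaugeTtlCollector, and its comment names the expiration manager while the code that follows in each function reads `c.tokenStore`, so the reason for the early return is not obvious from the lines shown. A clearer comment would be `// DR secondaries run no expiration manager, so token gauges cannot be computed; report no values instead of an error`. Returning an empty slice with a nil error may also make a DR secondary look the same as a node with zero tokens to whoever reads the gauges, which is worth stating in the metric documentation so dashboards and alerts are not misread. The hunk header at the third hunk shows leaseExpiryGaugeCollector in this file; its body is outside the visible lines, so confirm whether it needs the same guard. All four collector bodies continue past the hunks.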


@ -65,7 +65,7 @@ func (e extendedSystemViewImpl) SudoPrivilege(ctx context.Context, path string,
// Resolve the token policy
te, err := e.core.tokenStore.Lookup(ctx, token)
if err != nil {
e.core.logger.Error("failed to lookup token", "error", err)
e.core.logger.Error("failed to lookup sudo token", "error", err)
return false
}
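Review bot: Renaming the message from `failed to lookup token` to `failed to lookup sudo token` here, and to `failed to lookup acl token` in the fetchACLTokenEntryAndEntity hunk, changes a string that log parsers and alert rules may match on. Keeping the message stable and carrying the call site as a structured field would distinguish the two paths without breaking existing matches, for example `e.core.logger.Error("failed to lookup token", "source", "sudo", "error", err)`. If the rename stays, it deserves a changelog line so operators can update log-based detections. SudoPrivilege starts before and continues after the hunk.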


@ -141,7 +141,7 @@ func (c *Core) fetchACLTokenEntryAndEntity(ctx context.Context, req *logical.Req
var err error
te, err = c.tokenStore.Lookup(ctx, req.ClientToken)
if err != nil {
c.logger.Error("failed to lookup token", "error", err)
c.logger.Error("failed to lookup acl token", "error", err)
return nil, nil, nil, nil, ErrInternalError
}
// Set the token entry here since it has not been cached yet