diff --git a/changelog/21110.txt b/changelog/21110.txt
new file mode 100644
index 000000000..2471fac77
--- /dev/null
+++ b/changelog/21110.txt
@@ -0,0 +1,4 @@
+```release-note:bug
+core/quotas (enterprise): Fix a case where we were applying login roles to lease count quotas in a non-login context.
+Also fix a related potential deadlock.
+```
\ No newline at end of file
diff --git a/vault/core.go b/vault/core.go
index faf1659bc..9ecf6282a 100644
--- a/vault/core.go
+++ b/vault/core.go
@@ -361,7 +361,7 @@ type Core struct {
 	// mountsLock is used to ensure that the mounts table does not
 	// change underneath a calling function
-	mountsLock sync.RWMutex
+	mountsLock locking.DeadlockRWMutex
 	// mountMigrationTracker tracks past and ongoing remount operations
 	// against their migration ids
@@ -373,7 +373,7 @@ type Core struct {
 	// authLock is used to ensure that the auth table does not
 	// change underneath a calling function
-	authLock sync.RWMutex
+	authLock locking.DeadlockRWMutex
 	// audit is loaded after unseal since it is a protected
 	// configuration
diff --git a/vault/logical_system.go b/vault/logical_system.go
index 842ee3014..a332276b9 100644
--- a/vault/logical_system.go
+++ b/vault/logical_system.go
@@ -20,7 +20,6 @@ import (
 	"sort"
 	"strconv"
 	"strings"
-	"sync"
 	"time"
 	"unicode"
@@ -34,6 +33,7 @@ import (
 	"github.com/hashicorp/vault/helper/experiments"
 	"github.com/hashicorp/vault/helper/hostutil"
 	"github.com/hashicorp/vault/helper/identity"
+	"github.com/hashicorp/vault/helper/locking"
 	"github.com/hashicorp/vault/helper/logging"
 	"github.com/hashicorp/vault/helper/metricsutil"
 	"github.com/hashicorp/vault/helper/monitor"
@@ -1720,7 +1720,7 @@ func (b *SystemBackend) handleTuneWriteCommon(ctx context.Context, path string,
 		return nil, logical.ErrReadOnly
 	}
-	var lock *sync.RWMutex
+	var lock *locking.DeadlockRWMutex
 	switch {
 	case strings.HasPrefix(path, credentialRoutePrefix):
 		lock = &b.Core.authLock
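Review bot: The doc comments on mountsLock and authLock in the two core.go hunks still describe only the mutual-exclusion role and say nothing about why the deadlock-detecting wrapper replaced sync.RWMutex, so a later cleanup could revert it without knowing the cost. Suggest extending each comment with something like `// Deadlock-detecting variant (see changelog 21110): lock-order inversions involving this lock and the quota path are reported rather than hanging the node`. If locking.DeadlockRWMutex is backed by a runtime detector (helper/locking is not in this diff), every acquisition of these request-path locks pays its bookkeeping; worth confirming it is gated by a build tag or config flag before it lands in the default build. The Core struct definition begins and ends outside both hunks.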
diff --git a/vault/request_handling.go b/vault/request_handling.go
index 93903d9ef..9900deb2e 100644
--- a/vault/request_handling.go
+++ b/vault/request_handling.go
@@ -1022,11 +1022,9 @@ func (c *Core) handleRequest(ctx context.Context, req *logical.Request) (retResp
 	}
 	leaseGenerated := false
-	loginRole := c.DetermineRoleFromLoginRequest(req.MountPoint, req.Data, ctx)
 	quotaResp, quotaErr := c.applyLeaseCountQuota(ctx, "as.Request{
 		Path:          req.Path,
 		MountPath:     strings.TrimPrefix(req.MountPoint, ns.Path),
-		Role:          loginRole,
 		NamespacePath: ns.Path,
 	})
 	if quotaErr != nil {
@@ -1166,7 +1164,7 @@ func (c *Core) handleRequest(ctx context.Context, req *logical.Request) (retResp
 		return nil, auth, retErr
 	}
-	leaseID, err := registerFunc(ctx, req, resp, loginRole)
+	leaseID, err := registerFunc(ctx, req, resp, "")
 	if err != nil {
 		c.logger.Error("failed to register lease", "request_path", req.Path, "error", err)
 		retErr = multierror.Append(retErr, ErrInternalError)
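Review bot: The bare `""` passed to registerFunc in the second hunk carries no explanation, and the quotas.Request in the first hunk silently stops populating Role, so a reader of handleRequest alone cannot tell that a role-less quota check is deliberate rather than an omission. Add a comment at the registerFunc call such as `// handleRequest serves non-login requests, which have no auth role; role-scoped lease count quotas apply only on the login path`, and the same one-liner above the quotas.Request literal. Dropping DetermineRoleFromLoginRequest here also means a role derived from caller-controlled req.Data no longer selects which quota a non-login request is counted against, and whatever locks that helper takes (presumably authLock, given the companion core.go change) are no longer held inside the quota path — both are worth stating in the commit message since the changelog only hints at them. A test asserting that a non-login request is never evaluated against a role-scoped quota would pin the fix. handleRequest begins and ends outside both hunks.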