Fix plugin reload when in a namespace (#5937)

vault/logical_system.go

@@ -1411,7 +1411,11 @@ func (b *SystemBackend) handleTuneWriteCommon(ctx context.Context, path string,
 		// Reload the backend to kick off the upgrade process. It should only apply to KV backend so we
 		// trigger based on the version logic above.
 		if kvUpgraded {
-			b.Core.reloadBackendCommon(ctx, mountEntry, strings.HasPrefix(path, credentialRoutePrefix))
+			err = b.Core.reloadBackendCommon(ctx, mountEntry, strings.HasPrefix(path, credentialRoutePrefix))
+			if err != nil {
+				b.Core.logger.Error("mount tuning of options: could not reload backend", "error", err, "path", path, "options", options)
+			}
+
 		}
 	}
 
@@ -2894,6 +2898,11 @@ func (b *SystemBackend) pathInternalUIMountRead(ctx context.Context, req *logica
 
 	errResp := logical.ErrorResponse(fmt.Sprintf("preflight capability check returned 403, please ensure client's policies grant access to path %q", path))
 
+	ns, err := namespace.FromContext(ctx)
+	if err != nil {
+		return nil, err
+	}
+
 	me := b.Core.router.MatchingMountEntry(ctx, path)
 	if me == nil {
 		// Return a permission denied error here so this path cannot be used to
@@ -2905,6 +2914,9 @@ func (b *SystemBackend) pathInternalUIMountRead(ctx context.Context, req *logica
 		Data: mountInfo(me),
 	}
 	resp.Data["path"] = me.Path
+	if ns.ID != me.Namespace().ID {
+		resp.Data["path"] = me.Namespace().Path + me.Path
+	}
 
 	// Load the ACL policies so we can walk the prefix for this mount
 	acl, te, entity, _, err := b.Core.fetchACLTokenEntryAndEntity(ctx, req)
@@ -2924,11 +2936,6 @@ func (b *SystemBackend) pathInternalUIMountRead(ctx context.Context, req *logica
 		return nil, logical.ErrPermissionDenied
 	}
 
-	ns, err := namespace.FromContext(ctx)
-	if err != nil {
-		return nil, err
-	}
-
 	if !hasMountAccess(ctx, acl, ns.Path+me.Path) {
 		return errResp, logical.ErrPermissionDenied
 	}

vault/plugin_reload.go

@@ -50,7 +50,7 @@ func (c *Core) reloadMatchingPluginMounts(ctx context.Context, mounts []string)
 			errors = multierror.Append(errors, errwrap.Wrapf(fmt.Sprintf("cannot reload plugin on %q: {{err}}", mount), err))
 			continue
 		}
-		c.logger.Info("successfully reloaded plugin", "plugin", entry.Type, "path", entry.Path)
+		c.logger.Info("successfully reloaded plugin", "plugin", entry.Accessor, "path", entry.Path)
 	}
 	return errors
 }
@@ -96,7 +96,7 @@ func (c *Core) reloadMatchingPlugin(ctx context.Context, pluginName string) erro
 			if err != nil {
 				return err
 			}
-			c.logger.Info("successfully reloaded plugin", "plugin", pluginName, "path", entry.Path)
+			c.logger.Info("successfully reloaded plugin", "plugin", entry.Accessor, "path", entry.Path)
 		}
 	}
 
@@ -120,7 +120,7 @@ func (c *Core) reloadBackendCommon(ctx context.Context, entry *MountEntry, isAut
 	}
 
 	// Fast-path out if the backend doesn't exist
-	raw, ok := c.router.root.Get(path)
+	raw, ok := c.router.root.Get(entry.Namespace().Path + path)
 	if !ok {
 		return nil
 	}

vault/testing.go

@@ -150,6 +150,13 @@ func TestCoreWithSealAndUI(t testing.T, opts *CoreConfig) *Core {
 	conf.LicensingConfig = opts.LicensingConfig
 	conf.DisableKeyEncodingChecks = opts.DisableKeyEncodingChecks
 
+	for k, v := range opts.LogicalBackends {
+		conf.LogicalBackends[k] = v
+	}
+	for k, v := range opts.CredentialBackends {
+		conf.CredentialBackends[k] = v
+	}
+
 	c, err := NewCore(conf)
 	if err != nil {
 		t.Fatalf("err: %s", err)