From 865df63c763b9f875e2ad43f52cfe3107ecc557b Mon Sep 17 00:00:00 2001
From: Ian Ferguson
Date: Wed, 10 Feb 2021 11:05:16 -0500
Subject: [PATCH] Correct lock acquisition order in the `pathEntityMergeID` identity to fix deadlock condition (#10877)
---
 changelog/10877.txt | 3 +++
 vault/identity_store_entities.go | 5 ++++-
 2 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 changelog/10877.txt
diff --git a/changelog/10877.txt b/changelog/10877.txt
new file mode 100644
index 000000000..59f398386
--- /dev/null
+++ b/changelog/10877.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core/identity: Fix deadlock in entity merge endpoint.
+```
diff --git a/vault/identity_store_entities.go b/vault/identity_store_entities.go
index efa1e51bd..b68f69889 100644
--- a/vault/identity_store_entities.go
+++ b/vault/identity_store_entities.go
@@ -164,6 +164,9 @@ func (i *IdentityStore) pathEntityMergeID() framework.OperationFunc { force := d.Get("force").(bool) // Create a MemDB transaction to merge entities + i.lock.Lock() + defer i.lock.Unlock() + txn := i.db.Txn(true) defer txn.Abort()
@@ -172,7 +175,7 @@ func (i *IdentityStore) pathEntityMergeID() framework.OperationFunc {
 return nil, err
 }
- userErr, intErr := i.mergeEntity(ctx, txn, toEntity, fromEntityIDs, force, true, false, true)
+ userErr, intErr := i.mergeEntity(ctx, txn, toEntity, fromEntityIDs, force, false, false, true)
 if userErr != nil {
 return logical.ErrorResponse(userErr.Error()), nil
 }
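Review bot: The added `i.lock.Lock()` / `defer i.lock.Unlock()` pair sits directly under the existing comment `// Create a MemDB transaction to merge entities`, so that comment now labels the lock instead of the transaction, and the ordering the fix relies on is not written down. Since the commit title attributes the deadlock to lock acquisition order, I would comment the lock itself, e.g. `// Take i.lock before opening the write txn; the reverse order can deadlock the merge endpoint`, and move the original comment down to sit directly above `txn := i.db.Txn(true)`. Because the unlock is deferred, i.lock is now held for the rest of the handler, presumably including whatever mergeEntity persists, so it is worth confirming that nothing further down that call path tries to take i.lock again. The handler body starts and ends outside the hunk.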
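Review bot: The call `i.mergeEntity(ctx, txn, toEntity, fromEntityIDs, force, false, false, true)` passes three bare booleans, and the fix is a flip of one of them, which is hard to read and easy to revert by accident. Going by the commit title, the sixth argument presumably tells mergeEntity whether to acquire i.lock itself; a comment above the call such as `// i.lock is already held by this handler, so mergeEntity must not acquire it` would record why it is false here. mergeEntity's signature is not visible in this patch, so the parameter's meaning should be confirmed before wording the comment. The diffstat lists only the changelog and this file, so the patch carries no regression test for the deadlock; a test running merges concurrently with other identity writes would keep the ordering from regressing.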