Merge PR #10059: Port OSS changes from #1497

2020-10-01 15:15:20 -04:00 · 2020-10-01 15:15:20 -04:00 · a3cfa7c447
parent 20cc59ea25
commit a3cfa7c447
5 changed files with 35 additions and 4 deletions
--- a/command/operator_raft_remove_peer.go
+++ b/command/operator_raft_remove_peer.go
@ -13,6 +13,8 @@ var _ cli.CommandAutocomplete = (*OperatorRaftRemovePeerCommand)(nil)

 type OperatorRaftRemovePeerCommand struct {
 	*BaseCommand
+
+	flagDRToken string
 }

 func (c *OperatorRaftRemovePeerCommand) Synopsis() string {
@ -34,6 +36,17 @@ Usage: vault operator raft remove-peer <server_id>

 func (c *OperatorRaftRemovePeerCommand) Flags() *FlagSets {
 	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
+	f := set.NewFlagSet("Command Options")
+
+	f.StringVar(&StringVar{
+		Name:       "dr-token",
+		Target:     &c.flagDRToken,
+		Default:    "",
+		EnvVar:     "",
+		Completion: complete.PredictAnything,
+		Usage:      "DR operation token used to authorize this request (if a DR secondary node).",
+	})
+
 	return set
 }

@ -76,7 +89,8 @@ func (c *OperatorRaftRemovePeerCommand) Run(args []string) int {
 	}

 	_, err = client.Logical().Write("sys/storage/raft/remove-peer", map[string]interface{}{
-		"server_id": serverID,
+		"server_id":          serverID,
+		"dr_operation_token": c.flagDRToken,
 	})
 	if err != nil {
 		c.UI.Error(fmt.Sprintf("Error removing the peer from raft cluster: %s", err))
--- a/vault/logical_system.go
+++ b/vault/logical_system.go
@ -173,6 +173,13 @@ func NewSystemBackend(core *Core, logger log.Logger) *SystemBackend {
 		b.Backend.Paths = append(b.Backend.Paths, b.raftStoragePaths()...)
 	}

+	// If the node is in a DR secondary cluster, we need to allow the ability to
+	// remove a Raft peer without being authenticated by instead providing a DR
+	// operation token.
+	if core.IsDRSecondary() {
+		b.Backend.PathsSpecial.Unauthenticated = append(b.Backend.PathsSpecial.Unauthenticated, "storage/raft/remove-peer")
+	}
+
 	b.Backend.Invalidate = sysInvalidate(b)
 	return b
 }
--- a/vault/logical_system_helpers.go
+++ b/vault/logical_system_helpers.go
@ -92,6 +92,10 @@ var (
 	}

 	checkRaw = func(b *SystemBackend, path string) error { return nil }
+
+	wrapHandleRaftRemovePeer = func(b *SystemBackend) framework.OperationFunc {
+		return b.handleRaftRemovePeerUpdate()
+	}
 )

 // tuneMount is used to set config on a mount point
--- a/vault/logical_system_raft.go
+++ b/vault/logical_system_raft.go
@ -72,6 +72,10 @@ func (b *SystemBackend) raftStoragePaths() []*framework.Path {
 			Pattern: "storage/raft/remove-peer",

 			Fields: map[string]*framework.FieldSchema{
+				"dr_operation_token": {
+					Type:        framework.TypeString,
+					Description: "DR operation token used to authorize this request (if a DR secondary node).",
+				},
 				"server_id": {
 					Type: framework.TypeString,
 				},
@ -79,7 +83,7 @@ func (b *SystemBackend) raftStoragePaths() []*framework.Path {

 			Operations: map[logical.Operation]framework.OperationHandler{
 				logical.UpdateOperation: &framework.PathOperation{
-					Callback: b.handleRaftRemovePeerUpdate(),
+					Callback: wrapHandleRaftRemovePeer(b),
 					Summary:  "Remove a peer from the raft cluster.",
 				},
 			},
--- a/website/pages/api-docs/system/storage/raft.mdx
+++ b/website/pages/api-docs/system/storage/raft.mdx
@ -113,7 +113,8 @@ $ curl \

 ## Remove a node from Raft cluster

-This endpoint removes a node from the raft cluster.
+This endpoint removes a node from the raft cluster. An optional `dr_operation_token`
+may be provided if the node is in a DR secondary cluster.

 | Method | Path                            |
 | :----- | :------------------------------ |
@ -123,7 +124,8 @@ This endpoint removes a node from the raft cluster.

 ```json
 {
-  "server_id": "raft1"
+  "server_id": "raft1",
+  "dr_operation_token": ""
 }
 ```