when updating value for an existing kv - Conflict: Secret already has data, cannot modify it

Bug #1800175 reported by Ryan Beisner
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
| OpenStack Barbican-Vault Charm | Invalid | Undecided | Unassigned | |
| barbican (Ubuntu) | Invalid | Undecided | Unassigned | |

Bug Description

When updating value for an existing kv - "Conflict: Secret already has data, cannot modify it"

1. Create a secret store
2. Place a value in the secret store successfully
3. Cannot update the value in the secret store

(clients) 1 ubuntu@beisner-bastion:~/demo$ openstack secret store --name kv_bucket_001
+---------------+-----------------------------------------------------------------------+
| Field | Value |
+---------------+-----------------------------------------------------------------------+
| Secret href | http://10.5.0.11:9312/v1/secrets/dfe00045-6adb-4839-9e39-5902a7c966aa |
| Name | kv_bucket_001 |
| Created | None |
| Status | None |
| Content types | None |
| Algorithm | aes |
| Bit length | 256 |
| Secret type | opaque |
| Mode | cbc |
| Expiration | None |
+---------------+-----------------------------------------------------------------------+
(clients) ubuntu@beisner-bastion:~/demo$ openstack secret update http://10.5.0.11:9312/v1/secrets/dfe00045-6adb-4839-9e39-5902a7c966aa "Hello!"
(clients) ubuntu@beisner-bastion:~/demo$ openstack secret get -d http://10.5.0.11:9312/v1/secrets/dfe00045-6adb-4839-9e39-5902a7c966aa --format value
Hello!

(clients) ubuntu@beisner-bastion:~/demo$ openstack secret update http://10.5.0.11:9312/v1/secrets/dfe00045-6adb-4839-9e39-5902a7c966aa "Goodbye!"
4xx Client error: Conflict: Secret already has data, cannot modify it.
Conflict: Secret already has data, cannot modify it.

Tags: uosci
Ryan Beisner (1chb1n) wrote :

ubuntu@juju-b7ad6b-beisner-4:/etc$ snap info vault
name: vault
summary: Vault is a tool for securely accessing secrets.
publisher: Snapcrafters
contact: https://github.com/snapcrafters/vault/issues
license: unset
description: |
  A modern system requires access to a multitude of secrets: database
  credentials, API keys for external services, credentials for service-oriented
  architecture communication, etc. Understanding who is accessing what secrets
  is already very difficult and platform-specific. Adding on key rolling,
  secure storage, and detailed audit logs is almost impossible without a custom
  solution. This is where Vault steps in.

  This snap is maintained by the Snapcrafters community, and is not necessarily endorsed or
  officially maintained by the upstream developers.
commands:
  - vault
snap-id: bIb4p4yWWjyZdo2EU64whkZhw9QYYsMH
tracking: stable
refresh-date: 2 days ago, at 14:40 UTC
channels:
  stable: 0.11.3 (1062) 55MB -
  candidate: ↑
  beta: 0.11.3 (1062) 55MB -
  edge: 1.0.0-beta1 (1116) 149MB -
installed: 0.11.3 (1062) 55MB -

---

ubuntu@juju-b7ad6b-beisner-0:~$ apt-cache policy barbican-common
barbican-common:
  Installed: 1:7.0.0-0ubuntu3~ubuntu18.04.1~ppa201810241636
  Candidate: 1:7.0.0-0ubuntu3~ubuntu18.04.1~ppa201810241636
  Version table:
 *** 1:7.0.0-0ubuntu3~ubuntu18.04.1~ppa201810241636 500
        500 http://ppa.launchpad.net/corey.bryant/bionic-rocky/ubuntu bionic/main amd64 Packages
        100 /var/lib/dpkg/status
     1:7.0.0-0ubuntu2~cloud0 500
        500 http://ubuntu-cloud.archive.canonical.com/ubuntu bionic-proposed/rocky/main amd64 Packages
     1:6.0.0-0ubuntu1 500
        500 http://nova.clouds.archive.ubuntu.com/ubuntu bionic/main amd64 Packages

summary: - cannot update value for an existing kv
+ cannot update value for an existing kv - Conflict: Secret already has
+ data, cannot modify i
Ryan Beisner (1chb1n) wrote : Re: cannot update value for an existing kv - Conflict: Secret already has data, cannot modify i

http://paste.ubuntu.com/p/2x4gnkNCcv/

[Fri Oct 26 15:50:27.038740 2018] [wsgi:error] [pid 26934:tid 140087620437760] [remote 10.5.0.11:52536] 2018-10-26 15:50:27.038 26934 ERROR barbican.api.controllers [req-792d9aec-3d0e-4318-a08c-ec62af740e1b 174f3123041f42818318b4ce4d46d755 a5e22ca876884268bf8c2dba92863ecd - 7e87323e783a41a6a9ba9d0763ae3f38 7e87323e783a41a6a9ba9d0763ae3f38] Webob error seen: webob.exc.HTTPConflict: Secret already has data, cannot modify it.
[Fri Oct 26 15:50:27.038921 2018] [wsgi:error] [pid 26934:tid 140087620437760] [remote 10.5.0.11:52536] 2018-10-26 15:50:27.038 26934 ERROR barbican.api.controllers Traceback (most recent call last):
[Fri Oct 26 15:50:27.039027 2018] [wsgi:error] [pid 26934:tid 140087620437760] [remote 10.5.0.11:52536] 2018-10-26 15:50:27.038 26934 ERROR barbican.api.controllers File "/usr/lib/python3/dist-packages/barbican/api/controllers/__init__.py", line 108, in handler
[Fri Oct 26 15:50:27.039124 2018] [wsgi:error] [pid 26934:tid 140087620437760] [remote 10.5.0.11:52536] 2018-10-26 15:50:27.038 26934 ERROR barbican.api.controllers return fn(inst, *args, **kwargs)
[Fri Oct 26 15:50:27.039227 2018] [wsgi:error] [pid 26934:tid 140087620437760] [remote 10.5.0.11:52536] 2018-10-26 15:50:27.038 26934 ERROR barbican.api.controllers File "/usr/lib/python3/dist-packages/barbican/api/controllers/__init__.py", line 94, in enforcer
[Fri Oct 26 15:50:27.039337 2018] [wsgi:error] [pid 26934:tid 140087620437760] [remote 10.5.0.11:52536] 2018-10-26 15:50:27.038 26934 ERROR barbican.api.controllers return fn(inst, *args, **kwargs)
[Fri Oct 26 15:50:27.039439 2018] [wsgi:error] [pid 26934:tid 140087620437760] [remote 10.5.0.11:52536] 2018-10-26 15:50:27.038 26934 ERROR barbican.api.controllers File "/usr/lib/python3/dist-packages/barbican/api/controllers/__init__.py", line 156, in content_types_enforcer
[Fri Oct 26 15:50:27.039535 2018] [wsgi:error] [pid 26934:tid 140087620437760] [remote 10.5.0.11:52536] 2018-10-26 15:50:27.038 26934 ERROR barbican.api.controllers return fn(inst, *args, **kwargs)
[Fri Oct 26 15:50:27.039628 2018] [wsgi:error] [pid 26934:tid 140087620437760] [remote 10.5.0.11:52536] 2018-10-26 15:50:27.038 26934 ERROR barbican.api.controllers File "/usr/lib/python3/dist-packages/barbican/api/controllers/secrets.py", line 237, in on_put
[Fri Oct 26 15:50:27.039729 2018] [wsgi:error] [pid 26934:tid 140087620437760] [remote 10.5.0.11:52536] 2018-10-26 15:50:27.038 26934 ERROR barbican.api.controllers _secret_already_has_data()
[Fri Oct 26 15:50:27.039834 2018] [wsgi:error] [pid 26934:tid 140087620437760] [remote 10.5.0.11:52536] 2018-10-26 15:50:27.038 26934 ERROR barbican.api.controllers File "/usr/lib/python3/dist-packages/barbican/api/controllers/secrets.py", line 56, in _secret_already_has_data
[Fri Oct 26 15:50:27.039913 2018] [wsgi:error] [pid 26934:tid 140087620437760] [remote 10.5.0.11:52536] 2018-10-26 15:50:27.038 26934 ERROR barbican.api.controllers pecan.abort(409, u._("Secret already has data, cannot modify it."))
[Fri Oct 26 15:50:27.039997 2018] [wsgi:error] [pid 26934:tid 140087620437760] [remote 10.5.0.11:52536] 2018-10-26 15:50:27.038 26934 ERROR barbican...


summary: - cannot update value for an existing kv - Conflict: Secret already has
- data, cannot modify i
+ when updating value for an existing kv - Conflict: Secret already has
+ data, cannot modify it
Ryan Beisner (1chb1n)
description: updated
Ryan Beisner (1chb1n) wrote :

This appears to be behavior by design, i.e., secrets are immutable once a value is set.

Reference (credit: jamespage):

https://github.com/openstack/barbican/blob/1baaacfa3ad9ca4d39c9c5f9a103298758b7d182/barbican/api/controllers/secrets.py#L236

Changed in charm-barbican-vault:
status: New → Invalid
Changed in barbican (Ubuntu):
status: New → Invalid
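
Because a Barbican secret is write-once, changing a value means storing a new secret (with a new href) and retiring the old one. The sketch below is an added example, not part of the bug report or of Barbican itself; `rotate_secret` is a hypothetical helper name, and it assumes the same `openstack` CLI with the barbican plugin and credentials already loaded in the environment.

```shell
#!/bin/sh
# Added example: "update" a write-once Barbican secret by replacing it.
# rotate_secret is a hypothetical helper, not a Barbican or charm command.
# Usage: rotate_secret NAME OLD_HREF NEW_PAYLOAD   (prints the new href)
# Note: the payload is passed on the command line, as in the report above,
# so it is visible in shell history and the process list.

rotate_secret() {
    name=$1 old_href=$2 new_payload=$3

    # Supplying the payload at creation time makes it final; a later
    # `openstack secret update` on this href would return 409 Conflict.
    new_href=$(openstack secret store --name "$name" \
        --payload "$new_payload" -f value -c "Secret href") || return 1
    [ -n "$new_href" ] || return 1

    # Read the value back before touching the old secret, so a failed
    # store never leaves consumers without a usable secret.
    stored=$(openstack secret get -d "$new_href" -f value) || return 1
    if [ "$stored" != "$new_payload" ]; then
        echo "readback mismatch, keeping $old_href" >&2
        return 1
    fi

    # Consumers hold the href, not the name: repoint them to the new
    # href first, because the old one stops resolving after this delete.
    openstack secret delete "$old_href" || return 1
    printf '%s\n' "$new_href"
}
```

Secrets are referenced by href rather than by name, so anything that stored the old href has to be updated as part of the rotation.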