Secrets are not removed from vault when deleted via the barbican api
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Barbican-Vault Charm | Invalid | Undecided | Unassigned |
Bug Description
Secrets are not removed from vault when deleted via the barbican api.
For my scenario, I created several secrets using the barbican client, set values, then deleted those secrets. The vault kv list still shows entities present. I would expect the back-end to also delete the kv in this case.
---
(clients) ubuntu@
[]
---
ubuntu@
Keys
----
0d16c7f94f294ec
0e0f1fd8bafb403
2aa01ec14188409
3fb78402b7ea487
440723b6bd1f405
6a205048a3df4eb
899b8ec8a91e458
b5041e6df15a4d7
cbdb5f1d317e42c
d8321ae78808427
---
ubuntu@
barbican-common:
Installed: 1:7.0.0-
Candidate: 1:7.0.0-
Version table:
*** 1:7.0.0-
500 http://
100 /var/lib/
1:
500 http://
1:
500 http://
ubuntu@
---
ubuntu@
name: vault
summary: Vault is a tool for securely accessing secrets.
publisher: Snapcrafters
contact: https:/
license: unset
description: |
A modern system requires access to a multitude of secrets: database
credentials, API keys for external services, credentials for service-oriented
architecture communication, etc. Understanding who is accessing what secrets
is already very difficult and platform-specific. Adding on key rolling,
secure storage, and detailed audit logs is almost impossible without a custom
solution. This is where Vault steps in.
This snap is maintained by the Snapcrafters community, and is not necessarily endorsed or
officially maintained by the upstream developers.
commands:
- vault
snap-id: bIb4p4yWWjyZdo2
tracking: stable
refresh-date: 2 days ago, at 14:40 UTC
channels:
stable: 0.11.3 (1062) 55MB -
candidate: ↑
beta: 0.11.3 (1062) 55MB -
edge: 1.0.0-beta1 (1116) 149MB -
installed: 0.11.3 (1062) 55MB -
The data associated with the path is deleted:
$ vault kv get charm-barbican-vault/6a205048a3df4ebc9c92e29238fb6b99
====== Metadata ======
Key Value
--- -----
created_time 2018-10-24T23:33:07.235064098Z
deletion_time 2018-10-26T14:43:12.226095323Z
destroyed false
version 1
it's just that the backend secret_id is still present - this is one that's not been deleted:
$ vault kv get charm-barbican-vault/1302fb55406f41fd95131da79a7082b2
====== Metadata ======
Key Value
--- -----
created_time 2018-10-26T17:27:17.601770578Z
deletion_time n/a
destroyed false
version 1
======= Data =======
Key Value
--- -----
algorithm <nil>
bit_length <nil>
created <nil>
name <nil>
type opaque
value 5632566c5a57566c
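The two outputs above are what a KV version 2 mount shows for a soft-deleted version (metadata kept, `deletion_time` set, `destroyed false`) and for a live one, which is why the key still appears in the list. The following parser is an added example, not part of the original report or the charm's code: it classifies `vault kv get` table output, with hypothetical function names and sample text constructed from the layout shown above.

```python
import re
# Constructed samples in the table layout `vault kv get` prints (not real secrets).
SOFT_DELETED = """\
====== Metadata ======
Key              Value
---              -----
created_time     2018-10-24T23:33:07.235064098Z
deletion_time    2018-10-26T14:43:12.226095323Z
destroyed        false
version          1
"""

LIVE = """\
====== Metadata ======
Key              Value
---              -----
created_time     2018-10-26T17:27:17.601770578Z
deletion_time    n/a
destroyed        false

======= Data =======
Key      Value
---      -----
type     opaque
value    <constructed>
"""

def parse_sections(text):
    """Split `vault kv get` table output into {section: {key: value}}."""
    sections, current = {}, None
    for line in text.splitlines():
        header = re.fullmatch(r"=+ (\w+) =+", line.strip())
        parts = line.split(None, 1)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and len(parts) == 2 and parts[0] not in ("Key", "---"):
            current[parts[0]] = parts[1].strip()
    return sections

def version_state(text):
    """Classify the version shown: live, soft-deleted (recoverable) or destroyed."""
    sections = parse_sections(text)
    meta = sections.get("Metadata", {})
    if meta.get("destroyed") == "true":
        return "destroyed"
    # A deletion_time alone is not enough: data still being returned means live.
    if meta.get("deletion_time", "n/a") != "n/a" and "Data" not in sections:
        return "soft-deleted"
    return "live"
```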