Secrets are not removed from vault when deleted via the barbican api

Bug #1800174 reported by Ryan Beisner
Affects: OpenStack Barbican-Vault Charm
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Secrets are not removed from vault when deleted via the barbican api.

For my scenario, I created several secrets using the barbican client, set values, then deleted those secrets. The vault kv list still shows entities present. I would expect the back-end to also delete the kv in this case.

---

(clients) ubuntu@beisner-bastion:~/demo$ openstack secret list --format json
[]

---

ubuntu@juju-b7ad6b-beisner-4:~$ vault kv list charm-barbican-vault/

Keys
----
0d16c7f94f294ecfb115aebaebbe1f02
0e0f1fd8bafb40308155bf5673c39393
2aa01ec1418840998f6bbc6f32029f0b
3fb78402b7ea4878983a217f40837d75
440723b6bd1f4053bdd48e5c10d0b7d4
6a205048a3df4ebc9c92e29238fb6b99
899b8ec8a91e45879cad1d614a3283c2
b5041e6df15a4d79a0fa86bff5cac437
cbdb5f1d317e42ce97f4be03419360d8
d8321ae788084278be0758976f6c2b01

---

ubuntu@juju-b7ad6b-beisner-0:~$ apt-cache policy barbican-common
barbican-common:
  Installed: 1:7.0.0-0ubuntu3~ubuntu18.04.1~ppa201810241636
  Candidate: 1:7.0.0-0ubuntu3~ubuntu18.04.1~ppa201810241636
  Version table:
 *** 1:7.0.0-0ubuntu3~ubuntu18.04.1~ppa201810241636 500
        500 http://ppa.launchpad.net/corey.bryant/bionic-rocky/ubuntu bionic/main amd64 Packages
        100 /var/lib/dpkg/status
     1:7.0.0-0ubuntu2~cloud0 500
        500 http://ubuntu-cloud.archive.canonical.com/ubuntu bionic-proposed/rocky/main amd64 Packages
     1:6.0.0-0ubuntu1 500
        500 http://nova.clouds.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
ubuntu@juju-b7ad6b-beisner-0:~$

---

ubuntu@juju-b7ad6b-beisner-4:/etc$ snap info vault
name: vault
summary: Vault is a tool for securely accessing secrets.
publisher: Snapcrafters
contact: https://github.com/snapcrafters/vault/issues
license: unset
description: |
  A modern system requires access to a multitude of secrets: database
  credentials, API keys for external services, credentials for service-oriented
  architecture communication, etc. Understanding who is accessing what secrets
  is already very difficult and platform-specific. Adding on key rolling,
  secure storage, and detailed audit logs is almost impossible without a custom
  solution. This is where Vault steps in.

  This snap is maintained by the Snapcrafters community, and is not necessarily endorsed or
  officially maintained by the upstream developers.
commands:
  - vault
snap-id: bIb4p4yWWjyZdo2EU64whkZhw9QYYsMH
tracking: stable
refresh-date: 2 days ago, at 14:40 UTC
channels:
  stable: 0.11.3 (1062) 55MB -
  candidate: ↑
  beta: 0.11.3 (1062) 55MB -
  edge: 1.0.0-beta1 (1116) 149MB -
installed: 0.11.3 (1062) 55MB -

Tags: uosci
James Page (james-page) wrote:

The data associated with the path is deleted:

$ vault kv get charm-barbican-vault/6a205048a3df4ebc9c92e29238fb6b99
====== Metadata ======
Key Value
--- -----
created_time 2018-10-24T23:33:07.235064098Z
deletion_time 2018-10-26T14:43:12.226095323Z
destroyed false
version 1

It's just that the backend secret_id is still present. This is one that's not been deleted:

$ vault kv get charm-barbican-vault/1302fb55406f41fd95131da79a7082b2
====== Metadata ======
Key Value
--- -----
created_time 2018-10-26T17:27:17.601770578Z
deletion_time n/a
destroyed false
version 1

======= Data =======
Key Value
--- -----
algorithm <nil>
bit_length <nil>
created <nil>
name <nil>
type opaque
value 5632566c5a57566c

Changed in charm-barbican-vault:
status: New → Invalid
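The metadata above is what distinguishes the two cases in this report: a version with a `deletion_time` and `destroyed: false` is soft-deleted under Vault KV v2 (data hidden from `vault kv get`, recoverable with `vault kv undelete`, but the key still appears in `vault kv list` until `vault kv metadata delete` removes it), while an empty `deletion_time` means the secret data is still readable. The following script is an added example, not code from the bug report or from the charm; it classifies KV v2 version records by those fields. The two metadata records are constructed from the values shown in the comment, and the JSON layout (`data.versions` keyed by version number, with `deletion_time` as an empty string when unset, as returned by `vault kv metadata get -format=json`) is an assumption about the CLI's JSON output.

```python
import json

# Constructed sample shaped like `vault kv metadata get -format=json <mount>/<key>`
# for the two keys shown in the comment above. Field names (created_time,
# deletion_time, destroyed) match the CLI output in the report; the nesting
# under data.versions is an assumption about the JSON form.
SAMPLE_METADATA = {
    "charm-barbican-vault/6a205048a3df4ebc9c92e29238fb6b99": {
        "data": {
            "current_version": 1,
            "versions": {
                "1": {
                    "created_time": "2018-10-24T23:33:07.235064098Z",
                    "deletion_time": "2018-10-26T14:43:12.226095323Z",
                    "destroyed": False,
                }
            },
        }
    },
    "charm-barbican-vault/1302fb55406f41fd95131da79a7082b2": {
        "data": {
            "current_version": 1,
            "versions": {
                "1": {
                    "created_time": "2018-10-26T17:27:17.601770578Z",
                    "deletion_time": "",
                    "destroyed": False,
                }
            },
        }
    },
}


def version_state(version: dict) -> str:
    """Classify one KV v2 version record.

    "destroyed"    - ciphertext purged, only metadata remains
    "soft-deleted" - deletion_time set; hidden from `kv get`, recoverable
                     with `kv undelete`, still present in `kv list`
    "live"         - secret data is readable
    """
    if version.get("destroyed"):
        return "destroyed"
    if version.get("deletion_time"):  # "" or missing means never deleted
        return "soft-deleted"
    return "live"


def audit_listing(metadata_by_path: dict) -> dict:
    """Map each listed key to the state of its versions.

    A key with no live version left is exactly the situation in the report:
    it still shows up in `vault kv list` because only `vault kv metadata
    delete` removes the key itself, not `vault kv delete`.
    """
    report = {}
    for path, meta in metadata_by_path.items():
        versions = meta["data"]["versions"]
        states = {v: version_state(rec) for v, rec in versions.items()}
        report[path] = {
            "versions": states,
            "needs_metadata_delete": all(s != "live" for s in states.values()),
        }
    return report


def stale_keys(metadata_by_path: dict) -> list:
    """Return, sorted, the paths that have no live version remaining."""
    return sorted(
        path for path, entry in audit_listing(metadata_by_path).items()
        if entry["needs_metadata_delete"]
    )


if __name__ == "__main__":
    print(json.dumps(audit_listing(SAMPLE_METADATA), indent=2))
    print("keys still listed but with no live data:", stale_keys(SAMPLE_METADATA))
```

In practice the input would be the JSON from `vault kv metadata get -format=json` for each key returned by `vault kv list`; the audit then shows which entries are soft-deleted leftovers rather than live secrets, which is the check to run before deciding whether a listing like the one in the report indicates a data leak or just retained metadata.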