Secrets are not removed from vault when deleted via the barbican api

Bug #1800174 reported by Ryan Beisner on 2018-10-26
Affects: OpenStack Barbican-Vault Charm
Importance: Undecided
Assigned to: Unassigned

Bug Description

Secrets are not removed from vault when deleted via the barbican api.

For my scenario, I created several secrets using the barbican client, set values, then deleted those secrets. The vault kv list still shows entities present. I would expect the back-end to also delete the kv in this case.

---

(clients) ubuntu@beisner-bastion:~/demo$ openstack secret list --format json
[]

---

ubuntu@juju-b7ad6b-beisner-4:~$ vault kv list charm-barbican-vault/

Keys
----
0d16c7f94f294ecfb115aebaebbe1f02
0e0f1fd8bafb40308155bf5673c39393
2aa01ec1418840998f6bbc6f32029f0b
3fb78402b7ea4878983a217f40837d75
440723b6bd1f4053bdd48e5c10d0b7d4
6a205048a3df4ebc9c92e29238fb6b99
899b8ec8a91e45879cad1d614a3283c2
b5041e6df15a4d79a0fa86bff5cac437
cbdb5f1d317e42ce97f4be03419360d8
d8321ae788084278be0758976f6c2b01

---

ubuntu@juju-b7ad6b-beisner-0:~$ apt-cache policy barbican-common
barbican-common:
  Installed: 1:7.0.0-0ubuntu3~ubuntu18.04.1~ppa201810241636
  Candidate: 1:7.0.0-0ubuntu3~ubuntu18.04.1~ppa201810241636
  Version table:
 *** 1:7.0.0-0ubuntu3~ubuntu18.04.1~ppa201810241636 500
        500 http://ppa.launchpad.net/corey.bryant/bionic-rocky/ubuntu bionic/main amd64 Packages
        100 /var/lib/dpkg/status
     1:7.0.0-0ubuntu2~cloud0 500
        500 http://ubuntu-cloud.archive.canonical.com/ubuntu bionic-proposed/rocky/main amd64 Packages
     1:6.0.0-0ubuntu1 500
        500 http://nova.clouds.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
ubuntu@juju-b7ad6b-beisner-0:~$

---

ubuntu@juju-b7ad6b-beisner-4:/etc$ snap info vault
name: vault
summary: Vault is a tool for securely accessing secrets.
publisher: Snapcrafters
contact: https://github.com/snapcrafters/vault/issues
license: unset
description: |
  A modern system requires access to a multitude of secrets: database
  credentials, API keys for external services, credentials for service-oriented
  architecture communication, etc. Understanding who is accessing what secrets
  is already very difficult and platform-specific. Adding on key rolling,
  secure storage, and detailed audit logs is almost impossible without a custom
  solution. This is where Vault steps in.

  This snap is maintained by the Snapcrafters community, and is not necessarily endorsed or
  officially maintained by the upstream developers.
commands:
  - vault
snap-id: bIb4p4yWWjyZdo2EU64whkZhw9QYYsMH
tracking: stable
refresh-date: 2 days ago, at 14:40 UTC
channels:
  stable: 0.11.3 (1062) 55MB -
  candidate: ↑
  beta: 0.11.3 (1062) 55MB -
  edge: 1.0.0-beta1 (1116) 149MB -
installed: 0.11.3 (1062) 55MB -

James Page (james-page) wrote:

The data associated with the path is deleted:

$ vault kv get charm-barbican-vault/6a205048a3df4ebc9c92e29238fb6b99
====== Metadata ======
Key              Value
---              -----
created_time     2018-10-24T23:33:07.235064098Z
deletion_time    2018-10-26T14:43:12.226095323Z
destroyed        false
version          1

It's just that the backend secret_id is still present; this is one that's not been deleted:

$ vault kv get charm-barbican-vault/1302fb55406f41fd95131da79a7082b2
====== Metadata ======
Key              Value
---              -----
created_time     2018-10-26T17:27:17.601770578Z
deletion_time    n/a
destroyed        false
version          1

======= Data =======
Key              Value
---              -----
algorithm        <nil>
bit_length       <nil>
created          <nil>
name             <nil>
type             opaque
value            5632566c5a57566c

Changed in charm-barbican-vault:
status: New → Invalid
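An added check (example code written for this page, not part of the bug report or the charm) that parses the `vault kv get` metadata output quoted in the comment above and reports, for every KV path that barbican no longer lists, whether the path is a live version, a soft-deleted one (the state shown for 6a205048... above) or a destroyed one. The two sample outputs are constructed from the comment, and `barbican_ids` is assumed to be the set of ids returned by `openstack secret list`.

```python
import re

# Constructed sample input: the Metadata sections of the two `vault kv get`
# outputs quoted in the comment above (one soft-deleted, one still live).
SAMPLE_OUTPUTS = {
    "6a205048a3df4ebc9c92e29238fb6b99": """\
====== Metadata ======
Key              Value
---              -----
created_time     2018-10-24T23:33:07.235064098Z
deletion_time    2018-10-26T14:43:12.226095323Z
destroyed        false
version          1
""",
    "1302fb55406f41fd95131da79a7082b2": """\
====== Metadata ======
Key              Value
---              -----
created_time     2018-10-26T17:27:17.601770578Z
deletion_time    n/a
destroyed        false
version          1
""",
}

def parse_metadata(text):
    """Return the Metadata table of a `vault kv get` output as a dict."""
    meta, in_meta = {}, False
    for line in text.splitlines():
        if line.startswith("="):  # section banner, e.g. "====== Metadata ======"
            in_meta = "Metadata" in line
            continue
        m = re.match(r"(\S+)\s+(.+)$", line)
        if in_meta and m and m.group(1) not in ("Key", "---"):
            meta[m.group(1)] = m.group(2).strip()
    return meta

def classify(meta):
    """KV v2 version state: live, soft-deleted (data gone, path kept) or destroyed."""
    if meta.get("destroyed") == "true":
        return "destroyed"
    if meta.get("deletion_time", "n/a") != "n/a":
        return "soft-deleted"
    return "live"

def reconcile(outputs, barbican_ids):
    """State of every vault path that barbican no longer lists; a 'live' one
    would mean secret material with no barbican owner, not just a stale path."""
    return {key: classify(parse_metadata(text))
            for key, text in outputs.items() if key not in barbican_ids}
```

Paths reported as soft-deleted are the leftovers this bug is about; if the stale listing matters, `vault kv metadata delete <path>` removes the path itself.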