when updating value for an existing kv - Conflict: Secret already has data, cannot modify it

Bug #1800175 reported by Ryan Beisner on 2018-10-26
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OpenStack Barbican-Vault Charm | | Undecided | Unassigned |
barbican (Ubuntu) | | Undecided | Unassigned |

Bug Description

When updating value for an existing kv - "Conflict: Secret already has data, cannot modify it"

1. Create a secret store
2. Place a value in the secret store successfully
3. Cannot update the value in the secret store

(clients) 1 ubuntu@beisner-bastion:~/demo$ openstack secret store --name kv_bucket_001
+---------------+-----------------------------------------------------------------------+
| Field | Value |
+---------------+-----------------------------------------------------------------------+
| Secret href | http://10.5.0.11:9312/v1/secrets/dfe00045-6adb-4839-9e39-5902a7c966aa |
| Name | kv_bucket_001 |
| Created | None |
| Status | None |
| Content types | None |
| Algorithm | aes |
| Bit length | 256 |
| Secret type | opaque |
| Mode | cbc |
| Expiration | None |
+---------------+-----------------------------------------------------------------------+
(clients) ubuntu@beisner-bastion:~/demo$ openstack secret update http://10.5.0.11:9312/v1/secrets/dfe00045-6adb-4839-9e39-5902a7c966aa "Hello!"
(clients) ubuntu@beisner-bastion:~/demo$ openstack secret get -d http://10.5.0.11:9312/v1/secrets/dfe00045-6adb-4839-9e39-5902a7c966aa --format value
Hello!

(clients) ubuntu@beisner-bastion:~/demo$ openstack secret update http://10.5.0.11:9312/v1/secrets/dfe00045-6adb-4839-9e39-5902a7c966aa "Goodbye!"
4xx Client error: Conflict: Secret already has data, cannot modify it.
Conflict: Secret already has data, cannot modify it.

Ryan Beisner (1chb1n) wrote :

ubuntu@juju-b7ad6b-beisner-4:/etc$ snap info vault
name: vault
summary: Vault is a tool for securely accessing secrets.
publisher: Snapcrafters
contact: https://github.com/snapcrafters/vault/issues
license: unset
description: |
  A modern system requires access to a multitude of secrets: database
  credentials, API keys for external services, credentials for service-oriented
  architecture communication, etc. Understanding who is accessing what secrets
  is already very difficult and platform-specific. Adding on key rolling,
  secure storage, and detailed audit logs is almost impossible without a custom
  solution. This is where Vault steps in.

  This snap is maintained by the Snapcrafters community, and is not necessarily endorsed or
  officially maintained by the upstream developers.
commands:
  - vault
snap-id: bIb4p4yWWjyZdo2EU64whkZhw9QYYsMH
tracking: stable
refresh-date: 2 days ago, at 14:40 UTC
channels:
  stable: 0.11.3 (1062) 55MB -
  candidate: ↑
  beta: 0.11.3 (1062) 55MB -
  edge: 1.0.0-beta1 (1116) 149MB -
installed: 0.11.3 (1062) 55MB -

---

ubuntu@juju-b7ad6b-beisner-0:~$ apt-cache policy barbican-common
barbican-common:
  Installed: 1:7.0.0-0ubuntu3~ubuntu18.04.1~ppa201810241636
  Candidate: 1:7.0.0-0ubuntu3~ubuntu18.04.1~ppa201810241636
  Version table:
 *** 1:7.0.0-0ubuntu3~ubuntu18.04.1~ppa201810241636 500
        500 http://ppa.launchpad.net/corey.bryant/bionic-rocky/ubuntu bionic/main amd64 Packages
        100 /var/lib/dpkg/status
     1:7.0.0-0ubuntu2~cloud0 500
        500 http://ubuntu-cloud.archive.canonical.com/ubuntu bionic-proposed/rocky/main amd64 Packages
     1:6.0.0-0ubuntu1 500
        500 http://nova.clouds.archive.ubuntu.com/ubuntu bionic/main amd64 Packages

summary: - cannot update value for an existing kv
+ cannot update value for an existing kv - Conflict: Secret already has
+ data, cannot modify i

http://paste.ubuntu.com/p/2x4gnkNCcv/

Fri Oct 26 15:50:27.038740 2018] [wsgi:error] [pid 26934:tid 140087620437760] [remote 10.5.0.11:52536] 2018-10-26 15:50:27.038 26934 ERROR barbican.api.controllers [req-792d9aec-3d0e-4318-a08c-ec62af740e1b 174f3123041f42818318b4ce4d46d755 a5e22ca876884268bf8c2dba92863ecd - 7e87323e783a41a6a9ba9d0763ae3f38 7e87323e783a41a6a9ba9d0763ae3f38] Webob error seen: webob.exc.HTTPConflict: Secret already has data, cannot modify it.
[Fri Oct 26 15:50:27.038921 2018] [wsgi:error] [pid 26934:tid 140087620437760] [remote 10.5.0.11:52536] 2018-10-26 15:50:27.038 26934 ERROR barbican.api.controllers Traceback (most recent call last):
[Fri Oct 26 15:50:27.039027 2018] [wsgi:error] [pid 26934:tid 140087620437760] [remote 10.5.0.11:52536] 2018-10-26 15:50:27.038 26934 ERROR barbican.api.controllers File "/usr/lib/python3/dist-packages/barbican/api/controllers/__init__.py", line 108, in handler
[Fri Oct 26 15:50:27.039124 2018] [wsgi:error] [pid 26934:tid 140087620437760] [remote 10.5.0.11:52536] 2018-10-26 15:50:27.038 26934 ERROR barbican.api.controllers return fn(inst, *args, **kwargs)
[Fri Oct 26 15:50:27.039227 2018] [wsgi:error] [pid 26934:tid 140087620437760] [remote 10.5.0.11:52536] 2018-10-26 15:50:27.038 26934 ERROR barbican.api.controllers File "/usr/lib/python3/dist-packages/barbican/api/controllers/__init__.py", line 94, in enforcer
[Fri Oct 26 15:50:27.039337 2018] [wsgi:error] [pid 26934:tid 140087620437760] [remote 10.5.0.11:52536] 2018-10-26 15:50:27.038 26934 ERROR barbican.api.controllers return fn(inst, *args, **kwargs)
[Fri Oct 26 15:50:27.039439 2018] [wsgi:error] [pid 26934:tid 140087620437760] [remote 10.5.0.11:52536] 2018-10-26 15:50:27.038 26934 ERROR barbican.api.controllers File "/usr/lib/python3/dist-packages/barbican/api/controllers/__init__.py", line 156, in content_types_enforcer
[Fri Oct 26 15:50:27.039535 2018] [wsgi:error] [pid 26934:tid 140087620437760] [remote 10.5.0.11:52536] 2018-10-26 15:50:27.038 26934 ERROR barbican.api.controllers return fn(inst, *args, **kwargs)
[Fri Oct 26 15:50:27.039628 2018] [wsgi:error] [pid 26934:tid 140087620437760] [remote 10.5.0.11:52536] 2018-10-26 15:50:27.038 26934 ERROR barbican.api.controllers File "/usr/lib/python3/dist-packages/barbican/api/controllers/secrets.py", line 237, in on_put
[Fri Oct 26 15:50:27.039729 2018] [wsgi:error] [pid 26934:tid 140087620437760] [remote 10.5.0.11:52536] 2018-10-26 15:50:27.038 26934 ERROR barbican.api.controllers _secret_already_has_data()
[Fri Oct 26 15:50:27.039834 2018] [wsgi:error] [pid 26934:tid 140087620437760] [remote 10.5.0.11:52536] 2018-10-26 15:50:27.038 26934 ERROR barbican.api.controllers File "/usr/lib/python3/dist-packages/barbican/api/controllers/secrets.py", line 56, in _secret_already_has_data
[Fri Oct 26 15:50:27.039913 2018] [wsgi:error] [pid 26934:tid 140087620437760] [remote 10.5.0.11:52536] 2018-10-26 15:50:27.038 26934 ERROR barbican.api.controllers pecan.abort(409, u._("Secret already has data, cannot modify it."))
[Fri Oct 26 15:50:27.039997 2018] [wsgi:error] [pid 26934:tid 140087620437760] [remote 10.5.0.11:52536] 2018-10-26 15:50:27.038 26934 ERROR barbican...


summary: - cannot update value for an existing kv - Conflict: Secret already has
- data, cannot modify i
+ when updating value for an existing kv - Conflict: Secret already has
+ data, cannot modify it
Ryan Beisner (1chb1n) on 2018-10-26
description: updated
Ryan Beisner (1chb1n) wrote :

This appears to be behavior by design, i.e. secrets are immutable once a value is set.

Reference (credit: jamespage):

https://github.com/openstack/barbican/blob/1baaacfa3ad9ca4d39c9c5f9a103298758b7d182/barbican/api/controllers/secrets.py#L236

Changed in charm-barbican-vault:
status: New → Invalid
Changed in barbican (Ubuntu):
status: New → Invalid
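
Added example (not part of the original report, Barbican, or the charm): since a secret's payload cannot be changed once set, a value is "updated" by storing a new secret and retiring the old one. The function name rotate_secret and its argument order are assumptions made for this sketch; the openstack secret subcommands are the ones used in the report, plus secret delete.

```bash
# rotate_secret OLD_HREF NAME NEW_PAYLOAD   (hypothetical helper name)
# Prints the href of the replacement secret on success.
# The body runs in a subshell "( ... )" so its variables do not leak.
rotate_secret() (
    old_href=$1
    name=$2
    payload=$3

    # 1. Store the new value as a new secret. The payload is set at creation
    #    time, so no later "secret update" (PUT) is needed.
    #    Note: a payload passed as an argument is visible in the process
    #    list and shell history, as with the commands in the report.
    new_href=$(openstack secret store --name "$name" --payload "$payload" \
        -f value -c "Secret href") || exit 1
    [ -n "$new_href" ] || exit 1

    # 2. Read the new secret back before touching the old one.
    got=$(openstack secret get -d "$new_href" --format value) || got=
    if [ "$got" != "$payload" ]; then
        echo "verification failed; keeping $old_href" >&2
        openstack secret delete "$new_href" || true
        exit 1
    fi

    # 3. Only now remove the old secret, then report the new reference.
    openstack secret delete "$old_href" || exit 1
    printf '%s\n' "$new_href"
)
```

Anything that recorded the old href has to be switched to the href this prints, because the replacement is a different secret with a different UUID.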