WIP - Transactional storage #292
Draft
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
cipherboy
force-pushed
the
transactional-storage
branch
from
36b23ba
to
c949738
Compare
When a non-empty path is given that ends in a slash and after=., the resulting seek prefix from joining the path and the period has the slash trimmed off. This results in no list results, because this seek prefix lacks the trailing slash and is thus not prefixed by the expected prefix. E.g., for foo/ and after=., we end up with seekPrefix=foo, which doesn't start with our prefix (foo/). Correctly handle this edge case. This was caught by randomized testing across multiple storage backends. Signed-off-by: Alexander Scheel <[email protected]>
This removes the legacy one-shot transaction interface and its various implementers, including in the File, InMem, and Raft backends. In the former's case (file), this might not have truly had the strict consistency guarantees one would expect from a transaction implementation. Signed-off-by: Alexander Scheel <[email protected]>
cipherboy
force-pushed
the
transactional-storage
branch
from
c949738
to
27cda85
Compare
cipherboy
commented
Apr 15, 2024
cipherboy
commented
Apr 15, 2024
cipherboy
commented
Apr 15, 2024
cipherboy
commented
Apr 15, 2024
cipherboy
commented
Apr 15, 2024
| verifyReadOp | ||
| verifyListOp | ||
| beginTxOp | ||
| commitTxOp |
There was a problem hiding this comment.
beginTxOp / commitTxOp are mostly transaction sentinels for the time being. However, when implementing the single hash method (number 3), we can send the hash type in beginTxOp and the final hash in commitTxOp. We'll need verifyReadOp because while we can re-order any un-modified reads to occur at the end (sending them along in the commitTxOp if we wanted fewer operations in the log), we can't avoid sending reads before writes. We'll need verifyListOp, because its results can be impacted by writes and we won't necessarily know to compact (or not compact) them, so we'd prefer to keep them in execution order.
cipherboy
commented
Apr 15, 2024
cipherboy
commented
Apr 15, 2024
cipherboy
commented
Apr 15, 2024
cipherboy
commented
Apr 15, 2024
cipherboy
commented
Apr 15, 2024
cipherboy
commented
Apr 15, 2024
cipherboy
commented
Apr 15, 2024
cipherboy
commented
Apr 15, 2024
cipherboy
commented
Apr 15, 2024
cipherboy
commented
Apr 15, 2024
cipherboy
commented
Apr 15, 2024
cipherboy
commented
Apr 15, 2024
cipherboy
commented
Apr 15, 2024
cipherboy
commented
Apr 15, 2024
cipherboy
commented
Apr 15, 2024
cipherboy
commented
Apr 15, 2024
cipherboy
commented
Apr 15, 2024
| // SecurityBarrier must provide the encryption APIs | ||
| BarrierEncryptor | ||
| } | ||
|
|
||
| // BarrierStorage is the storage only interface required for a Barrier. | ||
| type BarrierStorage interface { |
There was a problem hiding this comment.
BarrierStorage was unused and conformed to logical.Storage.
cipherboy
commented
Apr 15, 2024
cipherboy
commented
Apr 15, 2024
| // Copyright (c) HashiCorp, Inc. | ||
| // SPDX-License-Identifier: MPL-2.0 | ||
|
|
||
| package vault |
There was a problem hiding this comment.
This removal could be a separate PR as well.
Signed-off-by: Alexander Scheel <[email protected]>
Signed-off-by: Alexander Scheel <[email protected]>
Signed-off-by: Alexander Scheel <[email protected]>
Signed-off-by: Alexander Scheel <[email protected]>
This converts StorageView to an interface, aligning with the Storage interface. The only consumer, as far as I can tell, is the BarrierView, which was easy enough to convert to an interface user, and will itself need to be made transactional in a future commit. Signed-off-by: Alexander Scheel <[email protected]>
This converts BarrierView to an interface, updating definitions everywhere to use it as such. This lets us replace it with two different structs (barrierView and transacitonalBarrierView). Signed-off-by: Alexander Scheel <[email protected]>
This extends SecurityBarrier into a TransactionalSecurityBarrier variant, in which access to the underlying storage (but not the barrier itself!) can be modified in a transaction-aware way. Signed-off-by: Alexander Scheel <[email protected]>
Signed-off-by: Alexander Scheel <[email protected]>
Signed-off-by: Alexander Scheel <[email protected]>
SealUnwrapper exists to err about storage which was at one point in time seal wrapped. This only exists on Vault Enterprise, and would require a migration from Vault Enterprise -> OpenBao to trigger. As we likely won't support this (as we have no way of unsealing the underlying storage as we don't have the seal wrap subsystem in OSS), and thus would require it to have been completely unseal wrapped manually prior to migration, we can safely remove this and assume that other failures would instead catch this unlikely event. This is also one less layer to add transactional storage to. Signed-off-by: Alexander Scheel <[email protected]>
Signed-off-by: Alexander Scheel <[email protected]>
Signed-off-by: Alexander Scheel <[email protected]>
This adds a cross-storage backend testing interface, suitable for testing all physical backends at various levels of indirection (from direct access to caches to error interposers). This will eventually include testing logical.Storage interfaces as well, to ensure various combinations of layers work together nicely (physical + barrier + views) and match interface expectations. Signed-off-by: Alexander Scheel <[email protected]>
cipherboy
force-pushed
the
transactional-storage
branch
from
27cda85
to
72bbed5
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This adds support for interactive transactions across the backend, physical, and plugin storage levels. This will ultimately allow for greater assurance in secrets management operations built on top of OpenBao.
See the RFC in #296 for more detailed information about the design of this change.
TODO:
logical.Storage, finish adding remaining layers to the cross-test.physical'stesting.goto support basic testing of transactions.sdk/physical/latency.go, andsdk/physical/errors.goto be transactional?