-
Notifications
You must be signed in to change notification settings - Fork 62
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[docs] allow patching of roles #163
Comments
Nevermind, we looked at the code and a patch seems to be actually supported. This is mostly a documentation issue then I guess. |
Hey, thanks for bringing this to our attention. I agree with you it should be more obvious that the Would it be enough to simply change When you were looking through the existing docs are there other places where you would have expected this behaviour to be explained that we can update as well? |
Hey, seems enough to me. I mostly use the API reference, I have not looked through documentation or tutorials in details. But flying over them, it seems there are no changes required there. |
Should help clarify the behaviour so people do not have to waste time going through the source code in the future: |
@maxcoulombe One word of caution -- Create/Update role is not a PATCH operation, but a POST -- this means all modified values need to be re-specified on the subsequent update. To my knowledge, outside of KVv2 and PKI's roles, no other auth/secrets engines have yet adopted PATCH support for resources, and the CLI lacks generalized PATCH support right now. This is why we have the warning in the role about POST: https://www.vaultproject.io/api-docs/secret/pki#create-update-role |
Ah true, this means that the implementation conflicts with Restful definitions then. Because the implementation replaces the provided fields, but as far as I remember it looked like it kept the previously configured values for all fields that were not provided. If it would behave properly like a POST, I guess it would need to complain about mandatory fields being omitted, or update them to the default value if the field has one. |
@f4z3r Correct, when fields are omitted on the POST, they are treated as if the defaults had been specified again. This confused a lot of people, hence why PKI has gone and started adding proper PATCH support. (E.g., you could set |
So what is your suggestion? The callback under which the current "update" is registered is I could find some time in the coming days to fix the implementation to properly behave like a POST, and do something inline with the PKI secret engine to also have a PATCH with the current implementation if you guys want. Just let me know if such a change would be fine in terms of compatibility in your eyes. |
@f4z3r I'd recommend adding a There'll be some subset of users without Patch capable clients who will still have to rely on updates via the existing Also, it is handy to have an Update that nukes everything for when you do want to start fresh with the role... You can see e.g., what My 2c. tho, I'd be curious to see what others have to say :-) |
I see your points. But when you say:
We would not have that though if leaving the existing if audience, ok := data.GetOk("audience"); ok {
role.Audience = audience.(string)
} so a previously set audience would be kept if the field is omitted in the subsequent POST. So this is not a desired POST behaviour. Or did I misunderstand your comment? |
I think you'd do what This gives you the create and update semantics, without the pseudo-patch-like behavior you're attempting presently, and aligns you with the Hashicorp-provided plugin base as well, IMO. |
Ah ok, then I misunderstood your previous comment sorry. I understood it as leaving the implementation of the callback for |
Ahhh sorry. I hadn't seen your implementation, so I assumed you were just calling This makes Update behave like a proper POST I believe, with the risk of unintended side-effects. But that's why there's now a separate HTH :-) |
@f4z3r Now I realized I'm the dense one -- I had seen this from @maxcoulombe's docs PR on the main Vault repo and had clicked through without realizing where this discussion came from (on one of our plugin repos -- I thought this was about the problem in general on the Vault repo about how to write plugins in general). :D I'd be curious as to why we opted for |
…y use defaults fields if not provided, and add PATCH for role path
Currently it is not possible to modify roles once created.
We are encountering a use-case where we need to modify the policies attached to the tokens created by a role. A workaround would be to read the role, delete it, and re-create a modified version of it. This is not very nice.
Ideally we would want to be able to send a patch request to modify some parameters from the role configuration, in order to avoid the deletion of the role.
It should be noted that this would not modify the policies of the currently outstanding tokens that were created from that role before it got patched.
FYI: @zkck
The text was updated successfully, but these errors were encountered: