[Bug 1788375] Re: API changes in vault 0.10.0 causes test to fail.

Launchpad Bug Tracker 1788375 at bugs.launchpad.net
Thu Oct 11 19:18:01 UTC 2018


This bug was fixed in the package python-castellan - 0.19.0-0ubuntu2

---------------
python-castellan (0.19.0-0ubuntu2) cosmic; urgency=medium

  * d/p/0001-Fix-Vault-K-V-API-compatibility.patch,
        0002-Add-method-to-wrap-HashiCorp-Vault-HTTP-API-calls.patch:
    Resolve issues with compatibility with Vault 0.10.0 where the KV engine
    is versioned by default (LP: #1788375).
  * d/p/0003-vault-add-AppRole-support.patch: Add support for Vault
    AppRole authentication (LP: #1796851).
  * d/p/0004-vault-support-configuration-of-KV-mountpoint.patch: Add support
    for configuration of the KV mountpoint to use in Vault (LP: #1797148).

 -- James Page <james.page at ubuntu.com>  Thu, 11 Oct 2018 12:21:17 +0100

** Changed in: python-castellan (Ubuntu)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to python-castellan in Ubuntu.
https://bugs.launchpad.net/bugs/1788375

Title:
  API changes in vault 0.10.0 causes test to fail.

Status in castellan:
  Fix Committed
Status in python-castellan package in Ubuntu:
  Fix Released

Bug description:
  Since Vault 0.10.0 the K/V engine is versioned by default and returns
  the following warning:

  Invalid path for a versioned K/V secrets engine. See the API docs for
  the appropriate API endpoints to use. If using the Vault CLI, use
  'vault kv put' for this operation.

  The warning can be seen at:

  $ curl \
      --header "X-Vault-Token: $VAULT_TOKEN" \
      --request POST \
      --data '{"value": "bar"}' \
      http://127.0.0.1:8200/v1/secret/foo

  ### Formatted JSON Data returned by curl
  {  
    "request_id":"48b76803-c396-8f71-0d98-b5949478de2c",
    "lease_id":"",
    "renewable":false,
    "lease_duration":0,
    "data":null,
    "wrap_info":null,
    "warnings":[  
      "Invalid path for a versioned K/V secrets engine. See the API docs for the appropriate API endpoints to use. If using the Vault CLI, use 'vault kv put' for this operation."
    ],
    "auth":null
  }

  ---

  The VaultKeyManager._store_key_value method doesn't care for the
  "warnings" value and just returns the key_id, but the data was
  actually not stored.

  The required fixes are in the url (add 'data/' after secret/) and the
  request data is now {"data":{...}} instead of just {...}.

  $ curl \
      --header "X-Vault-Token: $VAULT_TOKEN" \
      --request POST \
      --data '{"data":{"value": "bar"}}' \
      http://127.0.0.1:8200/v1/secret/data/foo

  ### Formatted JSON Data returned by curl
  {
    "request_id":"087e314a-c2aa-7261-f004-99f07783e14f",
    "lease_id":"",
    "renewable":false,
    "lease_duration":0,
    "data":{  
      "created_time":"2018-08-22T09:58:47.245643874Z",
      "deletion_time":"",
      "destroyed":false,
      "version":1
    },
    "wrap_info":null,
    "warnings":null,
    "auth":null
  }

  The equivalent fixes are also required in VaultKeyManager.get().

To manage notifications about this bug go to:
https://bugs.launchpad.net/castellan/+bug/1788375/+subscriptions
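
Added example (not part of the bug report or of castellan's code): one way a client can build the versioned K/V request described above and accept a reply as a successful store only when it carries version metadata and no warnings. The function names are hypothetical, and rejecting on any warning is a fail-closed assumption of this example.

```python
import json

class VaultWriteError(Exception):
    """Vault replied, but the reply does not show that the secret was stored."""

def build_kv_v2_write(base_url, mount, name, secret):
    """Return (url, body) for a write to a versioned (v2) K/V engine."""
    # v2 inserts 'data/' after the mount point and wraps the payload in {"data": ...}.
    url = "%s/v1/%s/data/%s" % (base_url.rstrip("/"), mount.strip("/"), name.lstrip("/"))
    return url, json.dumps({"data": secret})

def stored_version(response_text):
    """Return the version Vault assigned, or raise VaultWriteError (fail closed)."""
    reply = json.loads(response_text)
    warnings = reply.get("warnings") or []
    if warnings:
        raise VaultWriteError("Vault warning: " + "; ".join(warnings))
    data = reply.get("data") or {}
    version = data.get("version")
    if not isinstance(version, int) or data.get("destroyed"):
        raise VaultWriteError("reply carries no version metadata")
    return version

def write_outcome(response_text):
    """Return ('stored', version) or ('rejected', reason) for one reply."""
    try:
        return ("stored", stored_version(response_text))
    except VaultWriteError as exc:
        return ("rejected", str(exc))

# Replies taken from the bug description above (fields trimmed, warning text shortened).
LEGACY_PATH_REPLY = '''{"request_id": "48b76803-c396-8f71-0d98-b5949478de2c",
 "data": null, "warnings": ["Invalid path for a versioned K/V secrets engine."],
 "auth": null}'''
KV_V2_REPLY = '''{"request_id": "087e314a-c2aa-7261-f004-99f07783e14f",
 "data": {"created_time": "2018-08-22T09:58:47.245643874Z", "deletion_time": "",
          "destroyed": false, "version": 1},
 "warnings": null, "auth": null}'''

if __name__ == "__main__":
    print(build_kv_v2_write("http://127.0.0.1:8200", "secret", "foo", {"value": "bar"}))
    print(write_outcome(LEGACY_PATH_REPLY))  # rejected: nothing was stored
    print(write_outcome(KV_V2_REPLY))        # stored, version 1
```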


