Add ability to disable an entity #4353
Conversation
This disallows its associated tokens to be used, but doesn't revoke them.
| @@ -110,6 +110,10 @@ message Entity { | |||
| // MFASecrets holds the MFA secrets indexed by the identifier of the MFA | |||
| // method configuration. | |||
| //map<string, mfa.Secret> mfa_secrets = 10; | |||
There was a problem hiding this comment.
I’m suspicious having this commented out might break if a user upgrades from oss -> ent
There was a problem hiding this comment.
Should be fine so long as the number is distinct.
| @@ -802,6 +802,10 @@ func (c *Core) checkToken(ctx context.Context, req *logical.Request, unauth bool | |||
| } | |||
| } | |||
|
|
|||
| if entity != nil && entity.Disabled { | |||
There was a problem hiding this comment.
Should we also be disallowing the entity from getting tokens?
| @@ -1466,6 +1477,12 @@ func (c *Core) StepDown(req *logical.Request) (retErr error) { | |||
| return retErr | |||
| } | |||
|
|
|||
| if entity != nil && entity.Disabled { | |||
There was a problem hiding this comment.
I wonder if we should do this before audit logging.
There was a problem hiding this comment.
No -- for the same reason that we attempt to log whatever we get back from the token store before fully checking validity. The fact that a request is invalid doesn't mean it wasn't an attempted request.
vault/core.go
Outdated
| @@ -1327,12 +1338,6 @@ func (c *Core) sealInitCommon(ctx context.Context, req *logical.Request) (retErr | |||
| // for validation and the operation should be performed. But for now, | |||
There was a problem hiding this comment.
Can we remove these comments?
There was a problem hiding this comment.
Oh, I should move them down.
This disallows its associated tokens to be used, but doesn't revoke
them.