Add update with Compare and Swap (CAS)

Question

Add update with Compare and Swap (CAS)

tobgu opened this issue 2 years ago · comments

First of all: Thanks for a very nice and useful library!

Question:
Did you consider adding CAS to the update operations (like this one: https://github.com/lingrino/vaku/blob/v2.5.0/api/path_update.go#L13)?

It would help in making it race free.

Sean Lingren · Answer 1 · Wed May 25 2022 01:57:55 GMT+0800 (China Standard Time)

👋 @tobgu thanks for the feedback! This is a tricky one. Are you running into race conditions today?

Check-and-set is only supported in the V2 secrets engine and part of the design goal with vaku is to work the same on V1 and V2 engines. So this function would have to be a new PathUpdateCAS function that only worked on V2 mounts. It would also have to work with the entire folder and not just individual secrets.

Given the complexity here I'm not likely to implement this feature anytime soon but I would be happy to review a contribution!

Tobias Gustafsson · Answer 2 · Tue May 31 2022 15:11:12 GMT+0800 (China Standard Time)

I figured that since the update already today reads the secret before writing it, and is aware of the mount version, it would not have to be an API disruptive change if CAS is always applied for v2 updates. The devil probably in the details though and you are probably right.

I don't have any problems/bugs related to data races during updates today. The secret update frequency is rather low and there aren't that many concurrent updaters. It would just feel nice to shut the door on those kind of issues completely. :-) Perhaps another potential option would be to use a PATCH for kv-v2 when updating secrets to reduce the chance of races.

Tobias Gustafsson · Answer 3 · Tue May 31 2022 15:11:12 GMT+0800 (China Standard Time)

I figured that since the update already today reads the secret before writing it, and is aware of the mount version, it would not have to be an API disruptive change if CAS is always applied for v2 updates. The devil probably in the details though and you are probably right.

I don't have any problems/bugs related to data races during updates today. The secret update frequency is rather low and there aren't that many concurrent updaters. It would just feel nice to shut the door on those kind of issues completely. :-) Perhaps another potential option would be to use a PATCH for kv-v2 when updating secrets to reduce the chance of races.

Sean Lingren · Answer 4 · Wed Jun 01 2022 11:26:23 GMT+0800 (China Standard Time)

Hmmm. I think you're right that this should be possible within the existing API and I may have misread earlier. I would need to update this function to call the vault API directly on the read to get the version and on the write to enable check-and-set. It would be a larger change but should fit in. Here's how the vault CLI does it.

I'll look into it! I'm not sure when though.