Skip to content

Commit

Permalink
Fix a panic in MongoDB backend with concurrent create/revoke (#5463)
Browse files Browse the repository at this point in the history
When Vault is concurrently creating and revoking leases for MongoDB
users as part of the database secrets engine, and then loses connection
to MongoDB, it can panic. This occurrs because the RevokeUser path does
_not_ lock the mutex, but the CreateUser path does. Both threads of
execution can concurently decide to call c.session.Close() in
mongodb/connection_producer.go:119, and then mgo panics when the second
close attempt occurs.
  • Loading branch information
Konstantinos Tsanaktsidis authored and jefferai committed Oct 8, 2018
1 parent 7c49fa6 commit 0312fe4
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions plugins/database/mongodb/mongodb.go
Original file line number Diff line number Diff line change
Expand Up @@ -165,6 +165,9 @@ func (m *MongoDB) RenewUser(ctx context.Context, statements dbplugin.Statements,
// RevokeUser drops the specified user from the authentication database. If none is provided
// in the revocation statement, the default "admin" authentication database will be assumed.
func (m *MongoDB) RevokeUser(ctx context.Context, statements dbplugin.Statements, username string) error {
m.Lock()
defer m.Unlock()

statements = dbutil.StatementCompatibilityHelper(statements)

session, err := m.getConnection(ctx)
Expand Down

0 comments on commit 0312fe4

Please sign in to comment.