Merge PR #10059: Port OSS changes from #1497

hashicorp · Oct 1, 2020 · d7e7db8 · d7e7db8
1 parent a473924
commit d7e7db8
Show file tree

Hide file tree

Showing 5 changed files with 35 additions and 4 deletions.
diff --git a/command/operator_raft_remove_peer.go b/command/operator_raft_remove_peer.go
@@ -13,6 +13,8 @@ var _ cli.CommandAutocomplete = (*OperatorRaftRemovePeerCommand)(nil)
 
 type OperatorRaftRemovePeerCommand struct {
 	*BaseCommand
+
+	flagDRToken string
 }
 
 func (c *OperatorRaftRemovePeerCommand) Synopsis() string {
@@ -34,6 +36,17 @@ Usage: vault operator raft remove-peer <server_id>
 
 func (c *OperatorRaftRemovePeerCommand) Flags() *FlagSets {
 	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
+	f := set.NewFlagSet("Command Options")
+
+	f.StringVar(&StringVar{
+		Name:       "dr-token",
+		Target:     &c.flagDRToken,
+		Default:    "",
+		EnvVar:     "",
+		Completion: complete.PredictAnything,
+		Usage:      "DR operation token used to authorize this request (if a DR secondary node).",
+	})
+
 	return set
 }
 
@@ -76,7 +89,8 @@ func (c *OperatorRaftRemovePeerCommand) Run(args []string) int {
 	}
 
 	_, err = client.Logical().Write("sys/storage/raft/remove-peer", map[string]interface{}{
-		"server_id": serverID,
+		"server_id":          serverID,
+		"dr_operation_token": c.flagDRToken,
 	})
 	if err != nil {
 		c.UI.Error(fmt.Sprintf("Error removing the peer from raft cluster: %s", err))

diff --git a/vault/logical_system.go b/vault/logical_system.go
@@ -173,6 +173,13 @@ func NewSystemBackend(core *Core, logger log.Logger) *SystemBackend {
 		b.Backend.Paths = append(b.Backend.Paths, b.raftStoragePaths()...)
 	}
 
+	// If the node is in a DR secondary cluster, we need to allow the ability to
+	// remove a Raft peer without being authenticated by instead providing a DR
+	// operation token.
+	if core.IsDRSecondary() {
+		b.Backend.PathsSpecial.Unauthenticated = append(b.Backend.PathsSpecial.Unauthenticated, "storage/raft/remove-peer")
+	}
+
 	b.Backend.Invalidate = sysInvalidate(b)
 	return b
 }

diff --git a/vault/logical_system_helpers.go b/vault/logical_system_helpers.go
@@ -92,6 +92,10 @@ var (
 	}
 
 	checkRaw = func(b *SystemBackend, path string) error { return nil }
+
+	wrapHandleRaftRemovePeer = func(b *SystemBackend) framework.OperationFunc {
+		return b.handleRaftRemovePeerUpdate()
+	}
 )
 
 // tuneMount is used to set config on a mount point

diff --git a/vault/logical_system_raft.go b/vault/logical_system_raft.go
@@ -72,14 +72,18 @@ func (b *SystemBackend) raftStoragePaths() []*framework.Path {
 			Pattern: "storage/raft/remove-peer",
 
 			Fields: map[string]*framework.FieldSchema{
+				"dr_operation_token": {
+					Type:        framework.TypeString,
+					Description: "DR operation token used to authorize this request (if a DR secondary node).",
+				},
 				"server_id": {
 					Type: framework.TypeString,
 				},
 			},
 
 			Operations: map[logical.Operation]framework.OperationHandler{
 				logical.UpdateOperation: &framework.PathOperation{
-					Callback: b.handleRaftRemovePeerUpdate(),
+					Callback: wrapHandleRaftRemovePeer(b),
 					Summary:  "Remove a peer from the raft cluster.",
 				},
 			},

diff --git a/website/pages/api-docs/system/storage/raft.mdx b/website/pages/api-docs/system/storage/raft.mdx
@@ -113,7 +113,8 @@ $ curl \
 
 ## Remove a node from Raft cluster
 
-This endpoint removes a node from the raft cluster.
+This endpoint removes a node from the raft cluster. An optional `dr_operation_token`
+may be provided if the node is in a DR secondary cluster.
 
 | Method | Path                            |
 | :----- | :------------------------------ |
@@ -123,7 +124,8 @@ This endpoint removes a node from the raft cluster.
 
 ```json
 {
-  "server_id": "raft1"
+  "server_id": "raft1",
+  "dr_operation_token": ""
 }
 ```