diff --git a/vault/logical_system.go b/vault/logical_system.go
index 8ecb0528e08c..0c364ce0df45 100644
--- a/vault/logical_system.go
+++ b/vault/logical_system.go
@@ -1289,7 +1289,11 @@ func (b *SystemBackend) handleTuneWriteCommon(ctx context.Context, path string,
 // Reload the backend to kick off the upgrade process. It should only apply to KV backend so we
 // trigger based on the version logic above.
 if kvUpgraded {
- b.Core.reloadBackendCommon(ctx, mountEntry, strings.HasPrefix(path, credentialRoutePrefix))
+ err = b.Core.reloadBackendCommon(ctx, mountEntry, strings.HasPrefix(path, credentialRoutePrefix))
+ if err != nil {
+ b.Core.logger.Error("mount tuning of options: could not reload backend", "error", err, "path", path, "options", options)
+ }
+
 }
 }
@@ -2786,6 +2790,11 @@ func (b *SystemBackend) pathInternalUIMountRead(ctx context.Context, req *logica
 errResp := logical.ErrorResponse(fmt.Sprintf("preflight capability check returned 403, please ensure client's policies grant access to path %q", path))
+ ns, err := namespace.FromContext(ctx)
+ if err != nil {
+ return nil, err
+ }
+
 me := b.Core.router.MatchingMountEntry(ctx, path)
 if me == nil {
 // Return a permission denied error here so this path cannot be used to
@@ -2797,6 +2806,9 @@ func (b *SystemBackend) pathInternalUIMountRead(ctx context.Context, req *logica
 Data: mountInfo(me),
 }
 resp.Data["path"] = me.Path
+ if ns.ID != me.Namespace().ID {
+ resp.Data["path"] = me.Namespace().Path + me.Path
+ }
 // Load the ACL policies so we can walk the prefix for this mount
 acl, te, entity, _, err := b.Core.fetchACLTokenEntryAndEntity(ctx, req)
@@ -2816,11 +2828,6 @@ func (b *SystemBackend) pathInternalUIMountRead(ctx context.Context, req *logica
 return nil, logical.ErrPermissionDenied
 }
- ns, err := namespace.FromContext(ctx)
- if err != nil {
- return nil, err
- }
-
 if !hasMountAccess(ctx, acl, ns.Path+me.Path) {
 return errResp, logical.ErrPermissionDenied
 }
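Review bot: In vault/logical_system.go, handleTuneWriteCommon (hunk at -1289), a failed reload is now captured but only logged, so the tune request still looks successful to the caller even though the KV upgrade was never kicked off. Unless that is deliberate, return the error after logging it (for example `return nil, err`, assuming the function returns a response and an error like the other handlers in this file). If best effort is intended, say so in a comment such as `// Reload is best effort; a failure is logged and does not fail the tune request.` The error log also writes the whole `options` map, so it is worth confirming that mount options can never carry sensitive values before logging them verbatim. The function starts and ends outside the hunk.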
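Review bot: In pathInternalUIMountRead (hunks at -2797 and -2816), the path returned to the client and the path that is authorised can now diverge. When `ns.ID != me.Namespace().ID` the response carries `me.Namespace().Path + me.Path`, but the access check further down still calls `hasMountAccess(ctx, acl, ns.Path+me.Path)`, which for a mount in another namespace does not appear to be that mount's path. Compute the mount path once, e.g. `mountPath := ns.Path + me.Path`, adjust it inside the new `if`, and pass that same variable to `hasMountAccess`; the exact form the check expects is not visible here, so the cross-namespace value needs confirming. A test that reads a mount in a child namespace under a policy written for a same-named mount in the parent would pin the intended behaviour. The function body extends beyond both hunks.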
diff --git a/vault/plugin_reload.go b/vault/plugin_reload.go
index c0fb715c3ee8..58947ccdcb90 100644
--- a/vault/plugin_reload.go
+++ b/vault/plugin_reload.go
@@ -51,7 +51,7 @@ func (c *Core) reloadMatchingPluginMounts(ctx context.Context, mounts []string)
 errors = multierror.Append(errors, errwrap.Wrapf(fmt.Sprintf("cannot reload plugin on %q: {{err}}", mount), err))
 continue
 }
- c.logger.Info("successfully reloaded plugin", "plugin", entry.Config.PluginName, "path", entry.Path)
+ c.logger.Info("successfully reloaded plugin", "plugin", entry.Accessor, "path", entry.Path)
 }
 }
 return errors
@@ -99,7 +99,7 @@ func (c *Core) reloadMatchingPlugin(ctx context.Context, pluginName string) erro
 if err != nil {
 return err
 }
- c.logger.Info("successfully reloaded plugin", "plugin", pluginName, "path", entry.Path)
+ c.logger.Info("successfully reloaded plugin", "plugin", entry.Accessor, "path", entry.Path)
 }
 }
@@ -123,7 +123,7 @@ func (c *Core) reloadBackendCommon(ctx context.Context, entry *MountEntry, isAut
 }
 // Fast-path out if the backend doesn't exist
- raw, ok := c.router.root.Get(path)
+ raw, ok := c.router.root.Get(entry.Namespace().Path + path)
 if !ok {
 return nil
 }
diff --git a/vault/testing.go b/vault/testing.go
index 8341c83fcbc2..52eedbcf1575 100644
--- a/vault/testing.go
+++ b/vault/testing.go
@@ -144,6 +144,13 @@ func TestCoreWithSealAndUI(t testing.T, opts *CoreConfig) *Core {
 conf.Seal = opts.Seal
 conf.LicensingConfig = opts.LicensingConfig
+ for k, v := range opts.LogicalBackends {
+ conf.LogicalBackends[k] = v
+ }
+ for k, v := range opts.CredentialBackends {
+ conf.CredentialBackends[k] = v
+ }
+
 c, err := NewCore(conf)
 if err != nil {
 t.Fatalf("err: %s", err)
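Review bot: In vault/plugin_reload.go (hunks at -51 and -99), the log field is still keyed `"plugin"` but now holds the mount accessor, so anyone searching operational logs by plugin name after a reload will no longer find these entries. Rename the key or log both values, e.g. `c.logger.Info("successfully reloaded plugin", "plugin", pluginName, "accessor", entry.Accessor, "path", entry.Path)` in reloadMatchingPlugin, with the equivalent name field in reloadMatchingPluginMounts if one is still available there. Both functions start and end outside the hunks.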
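Review bot: In reloadBackendCommon (hunk at -123), a lookup miss still returns nil with no trace, so a caller cannot tell "reloaded" from "nothing found under this key"; that silence is presumably why the un-namespaced key went unnoticed. Consider logging the miss, e.g. `c.logger.Debug("reload skipped: no backend in router", "path", entry.Namespace().Path+path)`, and adding a comment above the lookup such as `// Router keys are namespace-qualified: namespace path + mount path.` The new line also dereferences `entry.Namespace()` without a nil check; whether it can return nil is not visible from this hunk. The function body continues outside the hunk.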
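Review bot: In vault/testing.go, TestCoreWithSealAndUI, the two new loops write into `conf.LogicalBackends` and `conf.CredentialBackends`, and a write to a nil map panics. conf is built above the hunk, so it cannot be confirmed from here that both maps are always initialised. A guard before each loop, e.g. `if conf.LogicalBackends == nil { conf.LogicalBackends = make(map[string]logical.Factory) }` and the same for CredentialBackends, makes the helper safe either way. Entries from opts also silently replace any default backend registered under the same key, which deserves a one-line comment.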