Unable to use "stale" consistency mode in Vault/Consul clusters


Guillaume Seguin

Sep 7, 2017, 11:03:14 PM
to Vault
We have a cluster of 3 Vault on a cluster of 3 Consul. Our use cases are read heavy, a few writes shy of read-only, actually. Reading stale data is not a concern.


When I enable the "stale" consistency mode in our Vault storage configuration like this:

storage "consul" {
     address = "10.14.38.53:8510"
     path  = "vault/"
     consistency_mode="stale"
}

I get this error in the logs:

Error initializing storage of type consul: invalid consistency_mode value: stale

Is there a way to configure vault storage so that "... any server to service the read regardless of whether it is the leader", like Consul's stale consistency mode?

Joel Thompson

Sep 7, 2017, 11:36:23 PM
to vault...@googlegroups.com
Hi Guillaume,

No, that's not currently possible. Vault explicitly only allows default and strong as the documentation states. I'd expect the link is to explain what default and strong mean.

Even if stale reads aren't a problem for your particular use case, they could still pose a very big problem for Vault internal operations. There's a lot that goes on behind the scenes, so it's safer and easier to just enforce consistent read operations.

If you need to scale horizontally, that's a feature that's included in the paid edition of Vault (https://www.hashicorp.com/products/vault/).

--Joel

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/f7bf318b-e3e1-431e-9ff4-0ab4c7bdf595%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Jeff Mitchell

Sep 8, 2017, 6:31:28 PM
to Vault
Hi Guillaume,

To add to what Joel said, stale reads can mean real, and possibly easy to force, security issues. The default behavior is generally "good enough" although "strong" is an option for those that really want to ensure that Vault is never seeing stale data. That's why it's not an option.

Best,
Jeff
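
Added example, not part of the original thread and not Vault or Consul code: a toy model of a three-node replicated key-value store, showing what a stale read returns while a follower lags behind the leader. The node names and the `lease/example` key are constructed, and the model ignores elections and quorum checks.

```python
"""Toy model of a 3-node replicated KV store (illustrative only)."""

class Node:
    def __init__(self, name):
        self.name = name
        self.data = {}     # key -> value as this node currently sees it
        self.applied = 0   # number of log entries applied locally


class Cluster:
    def __init__(self, names):
        self.nodes = [Node(n) for n in names]
        self.leader = self.nodes[0]
        self.log = []      # committed entries: (op, key, value)

    def write(self, op, key, value=None):
        """Commit an entry and apply it on the leader only; followers lag."""
        self.log.append((op, key, value))
        self._apply(self.leader)

    def _apply(self, node):
        for op, key, value in self.log[node.applied:]:
            if op == "put":
                node.data[key] = value
            else:  # "delete"
                node.data.pop(key, None)
        node.applied = len(self.log)

    def replicate(self):
        """Bring every node up to date with the committed log."""
        for node in self.nodes:
            self._apply(node)

    def read(self, key, mode, via=None):
        """mode 'leader' routes to the leader; 'stale' answers from `via`."""
        node = self.leader if mode == "leader" else (via or self.leader)
        return node.data.get(key)


def demo():
    c = Cluster(["consul-1", "consul-2", "consul-3"])  # constructed names
    c.write("put", "lease/example", "active")          # constructed key
    c.replicate()
    c.write("delete", "lease/example")   # followers have not caught up yet
    follower = c.nodes[2]
    stale = c.read("lease/example", "stale", via=follower)
    fresh = c.read("lease/example", "leader")
    c.replicate()
    converged = c.read("lease/example", "stale", via=follower)
    return stale, fresh, converged
```

`demo()` returns the stale read, the leader read, and the follower read after replication: the follower still serves the deleted entry until it catches up.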
