Remove stale token accessors?


Yu Zhou

Mar 9, 2018, 1:39:36 PM
to Vault
Hi,

I was trying to remove a user the other day and discovered that listing auth/token/lookup-accessor always fails with a timeout. I then checked the audit log and realized that I had 200k(!) token accessors and the list command was taking quite long. Upon further investigation, a lot of the accessors point to already-expired tokens. I think the large number comes from the fact that we generate one-time AppRole tokens that expire after a certain number of uses.

The question is, is there a convenient way to "garbage collect" these token accessors so that managing the valid accessors is easier?

Thanks.

Yu Zhou

Mar 9, 2018, 1:45:42 PM
to Vault
Correction: the listing command was on auth/token/accessors.

Vishal Nayak

Mar 9, 2018, 6:15:42 PM
to vault...@googlegroups.com
Hi,

What version of Vault are you using? We have seen similar issues in
the past wherein the accessor entries were not getting properly
cleared out. The issue was resolved and an endpoint (auth/token/tidy)
was added to bring the storage back to a sane state. Could you please
try that and see if it resolves the problem?

Also, since there are a lot of entries, even this endpoint might
time out before it scans all of the entries. You might have to run it
multiple times.

Regards,
Vishal
--
vn

Yu Zhou

Mar 14, 2018, 3:50:59 PM
to Vault
Hi Vishal,

Thanks for your quick response. I tried running the command you suggested, and it did time out as well. So I ran it multiple times. Each time it ran I could see that vault/consul started to consume significant CPU/mem. But even after ~20 runs, I'm still getting a timeout on the list command.

Any suggestions? I ran the following command:

vault write -f auth/token/tidy
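The repeat-until-done tidy procedure Vishal describes, with the client-side timeouts Yu reports treated as retryable, as an added Python example (not Vault's code and not from the thread): HttpVault calls the real auth/token/tidy and auth/token/accessors endpoints over the HTTP API, while FakeVault, the 600-second client timeout and the loop's stopping rule are constructed assumptions so the loop can run offline.

```python
import json
import socket
import urllib.error
import urllib.request

class HttpVault:
    """Thin urllib client for the real endpoints POST auth/token/tidy and
    LIST auth/token/accessors. Assumes addr like http://127.0.0.1:8200."""
    def __init__(self, addr, token, timeout=600):
        self.addr, self.token, self.timeout = addr.rstrip("/"), token, timeout

    def _call(self, method, path):
        req = urllib.request.Request(f"{self.addr}/v1/{path}", method=method,
                                     headers={"X-Vault-Token": self.token})
        with urllib.request.urlopen(req, timeout=self.timeout) as resp:
            return json.loads(resp.read() or b"{}")  # tidy may answer with no body

    def tidy(self):
        self._call("POST", "auth/token/tidy")

    def count_accessors(self):
        return len(self._call("LIST", "auth/token/accessors")["data"]["keys"])

class FakeVault:
    """Constructed stand-in (not Vault): `stale` accessors point at tokens that
    are gone; each tidy pass reclaims at most `per_call` before its time runs out."""
    def __init__(self, live, stale, per_call=10, timeout_first=False):
        self.live, self.stale, self.per_call = live, stale, per_call
        self.timeout_first = timeout_first

    def tidy(self):
        self.stale = max(0, self.stale - self.per_call)
        if self.timeout_first:  # the server did the work, but the client gave up
            self.timeout_first = False
            raise socket.timeout("client timeout waiting for tidy")

    def count_accessors(self):
        return self.live + self.stale

def run_tidy_loop(client, max_rounds=20, min_progress=1):
    """Repeat tidy until a pass reclaims fewer than `min_progress` accessors."""
    counts = [client.count_accessors()]  # count before the first pass, then after each pass
    for _ in range(max_rounds):
        try:
            client.tidy()
        except (socket.timeout, urllib.error.URLError):
            pass  # a timed-out pass still made progress; the next one resumes
        counts.append(client.count_accessors())
        if counts[-2] - counts[-1] < min_progress:
            break
    return counts
```

Watching the per-pass counts tells you whether repeated runs are actually reclaiming entries or only burning CPU, which is the question left open in the thread.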

Vishal Nayak

Mar 18, 2018, 4:43:28 PM
to vault...@googlegroups.com
Hi,

Which version of Vault are you using? Did running the tidy operation
reduce the number of stale entries in the storage?

Regards,
Vishal