Vault path is altered causing 403 permission denied

Report a Dgraph Bug

The path option of the Dgraph vault superflag is altered from what is specified in the configuration: it gets prepended with dgraph/, which causes Dgraph Alpha to fail with a 403 permission denied error.

NOTE: this does not reproduce in v20.11.2.

The workaround is prepending a slash / to the path option. For example:

path value                   actual URL
secret/data/dgraph/alpha     http://vault:8200/v1/dgraph/secret/data/dgraph/alpha
/secret/data/dgraph/alpha    http://vault:8200/v1/secret/data/dgraph/alpha

What version of Dgraph are you using?

  • built from the release/v21.03 branch, at commit e489fd2e8
    • published docker image for that commit: darknerd/dgraph:v21.03.0-e489fd2e8

Have you tried reproducing the issue with the latest release?

  • does not reproduce in v20.11.2.

What is the hardware spec (RAM, OS)?

  • dgraph docker image (ubuntu focal fossa)

Steps to reproduce the issue (command/config used to run Dgraph).

  • Vault server is running with required secrets and Dgraph AppRole
  • Start Dgraph using this configuration:
    vault:
      addr: http://vault:8200
      acl_field: hmac_secret_file
      acl_format: raw
      enc_field: enc_key
      enc_format: raw
      path: secret/data/dgraph/alpha
      roleid_file: /dgraph/vault/role_id
      secretid_file: /dgraph/vault/secret_id
    security:
      whitelist: 10.0.0.0/8,172.0.0.0/8,192.168.0.0/16
    

Expected behavior and actual result.

Actual Results

Dgraph attempts to fetch the secret using an invalid path that was not configured by the user:

F0318 00:31:35.997473 15 vault_ee.go:53] vault: error retrieving path /dgraph/secret/data/dgraph/alpha: Error making API request.
URL: GET http://vault:8200/v1/dgraph/secret/data/dgraph/alpha
Code: 403. Errors:
* 1 error occurred:
* permission denied

Expected Results

The expected result was that Dgraph would use the path specified by the user, so that the URL would be http://vault:8200/v1/secret/data/dgraph/alpha.

Workaround

If you add a / before the path, Dgraph uses the correct path, so path: secret/data/dgraph/alpha becomes path: /secret/data/dgraph/alpha.
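To make the rewrite visible before Alpha is started, here is an added Go example (not Dgraph's own code) that models the path handling shown in the table above and lints a vault config for it. ObservedURL reproduces the behaviour reported for the release/v21.03 build as derived from the table, not from Dgraph's source; the VaultConfig type and all function names are this example's own.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// VaultConfig holds the two vault superflag keys that decide which URL Alpha
// requests (type and field names are this example's own, not Dgraph's).
type VaultConfig struct {
	Addr string // e.g. http://vault:8200
	Path string // e.g. secret/data/dgraph/alpha
}

// ObservedURL models the behaviour the issue reports for the release/v21.03
// build: a path without a leading slash gets "dgraph/" prepended before it is
// joined onto /v1. Derived from the issue's table, not from Dgraph's source.
func ObservedURL(c VaultConfig) string {
	p := c.Path
	if !strings.HasPrefix(p, "/") {
		p = "dgraph/" + p
	}
	return strings.TrimSuffix(c.Addr, "/") + path.Join("/v1", p)
}

// ExpectedURL is what the reporter expects: the configured path used as-is.
func ExpectedURL(c VaultConfig) string {
	return strings.TrimSuffix(c.Addr, "/") + path.Join("/v1", c.Path)
}

// WorkaroundPath applies the issue's workaround: ensure a leading slash.
func WorkaroundPath(p string) string {
	if strings.HasPrefix(p, "/") {
		return p
	}
	return "/" + p
}

// CheckConfig is a pre-start lint: it returns false plus a hint when the
// configured path would be rewritten, so the 403 is caught before Alpha boots.
func CheckConfig(c VaultConfig) (bool, string) {
	got, want := ObservedURL(c), ExpectedURL(c)
	if got == want {
		return true, "vault path used as configured: " + want
	}
	return false, fmt.Sprintf("path would be rewritten: %s instead of %s; set path: %s",
		got, want, WorkaroundPath(c.Path))
}
```

Running CheckConfig on the configuration from the report flags the unslashed path and suggests the slashed form; after applying WorkaroundPath both URLs agree.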