Path disabled in replication DR secondary mode

Avatar
Madhav Gautam
  • Updated

 

Problem

We are having this error  on version 1.7.0 and later, to fix this we have to pass in the  dr_operation_token

 

Prerequisites (if applicable)

  • Two Vault clusters using Integrated Storage (Raft) as storage backend and Disaster Recovery replication enabled
  • Vault Enterprise versions 1.7.0 or later

storage/raft (enterprise): Listing of peers is now allowed on DR secondary cluster nodes, as an update operation that takes in DR operation token for authenticating the request.

 

    • vault/CHANGELOG.md

      >storage/raft (enterprise): Listing of peers is now allowed on DR secondary cluster nodes, as an update operation that takes in DR operation token for authenticating the request.

       

      `path disabled in replication DR secondary mode`   

If we see this error, we would like to take these steps : 

To resolve this, We  have to pass in the dr_operation_token for this:

 

vault operator raft list-peers dr_operation_token "DR_OPERATION_TOKEN_HERE"

And to steps to generate the token.

If you generate on the primary you need to add the policy which is mentioned here:
# To read raft configuration
path "sys/storage/raft/configuration" {
    capabilities = [ "read", "update" ]

To generate the dr operations token on the secondary please follow this doc link 

  • Start the DR operation token generation process. 
    vault operator generate-root -dr-token -init

  • In order to generate a DR operation token, the following operation must be executed by each unseal key holder.

    vault operator generate-root -dr-token \
    -nonce=b4738404-0a11-63aa-2cb6-e77dfd96946f \
    PRIMARY_UNSEAL_KEY_1

Nonce            b4738404-0a11-63aa-2cb6-e77dfd96946f
Started          true
Progress         1/3
Complete         false
  • Once the threshold has been reached, the output contains the encoded DR operation token. 
    vault operator generate-root -dr-token \
    -nonce=b4738404-0a11-63aa-2cb6-e77dfd96946f \
    PRIMARY_UNSEAL_KEY_3

Nonce            b4738404-0a11-63aa-2cb6-e77dfd96946f
Started          true
Progress         3/3
Complete         true
Encoded Token    djw4BR1iaDUFIBxaAwpiCC1YGhQHHDMf
  • Decode the generated DR operation token (Encoded Token). 
    vault operator generate-root -dr-token \
     -decode="djw4BR1iaDUFIBxaAwpiCC1YGhQHHDMf" \
     -otp="EYHAkPQYvvz93e8iI3pg1maQ"

s.3epDv29lsVfc0oZadkjs6qRN
  • Finally, promote the DR secondary (Cluster B) to become the new primary. The request must pass the DR operation token. 
    vault write sys/replication/dr/secondary/promote \
     dr_operation_token=s.3epDv29lsVfc0oZadkjs6qRN

WARNING! The following warnings were returned from Vault:

* This cluster is being promoted to a replication primary. Vault will be
unavailable for a brief period and will resume service shortly.
  • DR Operation Token Strategy
  • Where DR_OPERATION token can be obtained through the API

Additional Information

Articles in this section

See more

Related articles