Optimistic locking

Is there any way to have some form of Optimistic locking (or even pessimistic locking) when interacting with the Vault REST API? We’re reading some data from vault and then perform an update using in part the data read from vault, how can we ensure that the data hasn’t been modified concurrently between those two operations?

The locking behavior in Vault varies by endpoint and plugin. In many cases, locks are already included. They may vary by endpoint depending on its specific needs. Are there particular API endpoints or plugins that you’re using?

The current scenario is for POST, PUT or DELETE to this endpoint:

/v1/sys/policy

So no optimistic locking for that endpoint then?

Thanks for pinging on this again! I’m new to Discus and haven’t found a great way to get notified of only “new” things and “things I saw and commented on”. That aside, yes, you ask a very good question. When you hit those endpoints, you’re essentially hitting this code: https://github.com/hashicorp/vault/blob/master/vault/logical_system.go#L1910-L2064. At the API level, there’s no locking, however, there is within the policy store it uses. The policy store is located here and offers some locking, here for instance. Glancing at it, it looks like the approach is pessimistic locking.

Ok, thanks for the update. I guess we’ll have to continue having client calls for that endpoint force into the same thread to avoid concurrency issues.