MFA TOTP is deleted after vault restart

[hennadii2012]

Describe the bug
For vault SSO 1.10.0 in docker mfa totp method is deleted after restart all nodes in raft cluster

To Reproduce
Steps to reproduce the behavior:

1. Run curl --header "X-Vault-Token: $VAULT_TOKEN" --request POST --data @issuer.json ${VAULT_ADDR}/v1/identity/mfa/method/totp
   content of issuer.json:
   {
   "issuer": "vault",
   "algorithm": "SHA512"
   }

2. RUN docker stop vault-container-name on all three nodes of raft cluster

3. RUN docker start vault-container-name on all three nodes of raft cluster

4. RUN curl --header "X-Vault-Token: $VAULT_TOKEN" --request LIST ${VAULT_ADDR}/v1/identity/mfa/method/totp. It return nothing, but must return methoid from first step

Expected behavior
Return methoid from first step after restarts

Environment:

• Vault Server Version 1.10.0
• Vault CLI Version 1.10.0
• Server Operating System/Architecture: docker (vault:1.10.0) on ubuntu 20.04

Vault server configuration file(s):

storage "raft" {
  path    = "/vault/file"
  node_id = "vault1"


  retry_join {
    leader_tls_servername   = "vault1.example.com"
    leader_api_addr         = "https://vault1.example.com:8200"
    leader_ca_cert_file     = "/opt/vault/tls/vault-ca.pem"
    leader_client_cert_file = "/opt/vault/tls/vault-cert.pem"
    leader_client_key_file  = "/opt/vault/tls/vault-key.pem"
  }
  retry_join {
    leader_tls_servername   = "vault2.example.com"
    leader_api_addr         = "https://vault2.example.com:8200"
    leader_ca_cert_file     = "/opt/vault/tls/vault-ca.pem"
    leader_client_cert_file = "/opt/vault/tls/vault-cert.pem"
    leader_client_key_file  = "/opt/vault/tls/vault-key.pem"
  }
  retry_join {
    leader_tls_servername   = "vault3.example.com"
    leader_api_addr         = "https://vault3.example.com:8200"
    leader_ca_cert_file     = "/opt/vault/tls/vault-ca.pem"
    leader_client_cert_file = "/opt/vault/tls/vault-cert.pem"
    leader_client_key_file  = "/opt/vault/tls/vault-key.pem"
  }
}
listener "tcp" {
  address            = "0.0.0.0:8200"
  cluster_addr       = "0.0.0.0:8201"
  tls_cert_file      = "/opt/vault/tls/vault-cert.pem"
  tls_key_file       = "/opt/vault/tls/vault-key.pem"
  tls_client_ca_file = "/opt/vault/tls/vault-ca.pem"
}
api_addr          = "https://vault1.example.com:8200"
cluster_addr      = "https://vault1.example.com:8201"
ui                = true
disable_mlock     = true
default_lease_ttl = "168h"
max_lease_ttl     = "720h"
log_level         = "Error"
seal "gcpckms" {
  credentials = "/opt/vault/creds.json"
  project     = "project_name"
  region      = "global"
  key_ring    = "keyring"
  crypto_key  = "key-ring"
}

[hennadii2012]

The same problem with version 1.10.1

[danackerson]

and still a problem with version 1.10.2. Corresponding login-enforcements are also deleted (which makes sense as the mfa method can't be deleted as long as it's in use).

[ncabatoff]

Hi @hennadii2012,

Thanks for reporting this issue, sorry it took us a while to respond. We're working on a fix and should have a new release out soon. Note that the methods/enforcements aren't actually deleted, they're just not being loaded at startup, so after upgrading to a release with a fix, you may find you have duplicate methods/enforcements.

[hennadii2012]

Hi @ncabatoff,
Thank you for the information. I hope fix will decide problem.

[hennadii2012]

The problem is fixed in version 10.0.3