[PR #5626] [MERGED] Abstract persistent files through Apache OpenDAL #7279

Closed
opened 2026-03-07 21:14:09 -06:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/dani-garcia/vaultwarden/pull/5626
Author: @txase
Created: 2/21/2025
Status: Merged
Merged: 5/29/2025
Merged by: @dani-garcia

Base: main ← Head: opendal


📝 Commits (5)

  • 0044a6c Abstract file access through Apache OpenDAL
  • 4a5d547 Add AWS S3 support via OpenDAL for data files
  • 05f5993 PR improvements
  • d47e245 Additional PR improvements
  • e27965d Config setting comments for local/remote data locations

📊 Changes

19 files changed (+1467 additions, -198 deletions)

📝 .env.template (+16 -3)
📝 Cargo.lock (+1080 -4)
📝 Cargo.toml (+11 -0)
📝 build.rs (+3 -0)
📝 src/api/admin.rs (+4 -4)
📝 src/api/core/ciphers.rs (+23 -33)
📝 src/api/core/emergency_access.rs (+1 -1)
📝 src/api/core/organizations.rs (+10 -5)
📝 src/api/core/sends.rs (+22 -24)
📝 src/api/core/two_factor/duo.rs (+1 -1)
📝 src/api/icons.rs (+28 -26)
📝 src/auth.rs (+35 -41)
📝 src/config.rs (+140 -18)
📝 src/db/models/attachment.rs (+32 -26)
📝 src/db/models/cipher.rs (+14 -4)
📝 src/db/models/send.rs (+3 -2)
📝 src/error.rs (+3 -0)
📝 src/main.rs (+20 -5)
📝 src/util.rs (+21 -1)

📄 Description

This PR represents the first set of attempting to incorporate the changes from the AWS Serverless POC in #5591 and contains two commits:

  1. Refactor the codebase to access persistent files through Apache OpenDAL
  2. Add support for an optional AWS S3 OpenDAL backend behind the new s3 feature flag

I decided to put these two commits into one PR to make it easier for me to get the new abstractions right, and to demonstrate what it takes to add an additional OpenDAL backend. I'm happy to split these into separate sequential PRs if that's preferred.

The first commit looks quite large at first glance, but many changes simply make all file accesses asynchronous and fallible by returning Result types. I think the key changes worth reviewing are:

  • src/auth.rs: Slightly refactored initialize_keys() as needed for OpenDAL access of private key file
  • src/config.rs:
    • CONFIG is still a synchronous Lazy type, but we have to calculate it from async methods. I shoehorned a tiny tokio async thread that runs to completion to calculate the value. The alternative of patching every use of CONFIG to be async, for no runtime benefit, seemed not worth doing.
    • See the new opendal_operator_for_path() and the abstracted CONFIG.opendal_operator_for_path_type() methods for the core of how operators are managed for various paths.
  • src/util.rs: Has a new function save_temp_file() that abstracts the saving of TempFiles that Rocket creates when files are uploaded
  • Wherever persistent data files are used, we now generate an OpenDAL Operator to access them. This includes config.json, sends, attachments, and icons.

The second commit is much smaller and more straightforward. The only thing worth pointing out is that OpenDAL uses reqsign under the covers to configure AWS credentials. However, AWS SDK configs have repeatedly been extended for better credential generation. For example, I use AWS Identity Center (aka AWS SSO) to generate temporary access tokens in my dev environment. reqsign doesn't support AWS SSO configs, but it has an escape hatch I utilized to load credentials. In the escape hatch I load the official AWS SDK config and credential generation crates to generate credentials. The one annoying part of the escape hatch is that reqsign's AwsCredentialLoad trait uses anyhow::Result, so we have to pull in anyhow just for this escape hatch :(.

Trying it out

These changes should be a behavioral no-op for existing use cases. The one minor change is the attachments, icon_cache, and sends folders aren't created at startup as OpenDAL FS service creates them when the first Operator is instantiated for each.

To try out the new S3 changes:

  1. Build with the s3 feature turned on
  2. Configure an AWS profile (this implementation honors all standard env vars like AWS_PROFILE and AWS_REGION along with standard AWS configs like ~/.aws/config)
  3. Set the following config values:
    • DATA_FOLDER -> s3://<bucket in the matching AWS region>[/<optional path prefix>]
    • ALLOWED_CONNECT_SRC -> https://<bucket>.s3.<region>.amazonaws.com (required if using web-vault)
    • TMP_FOLDER -> data/tmp (or your preference, but must be set to a local path)
    • TEMPLATES_FOLDER -> data/templates (or your preference, but must be set to a local path)
    • DATABASE_URL -> data/db.sqlite3 (or your preference, but must be set to a valid value)

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
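
A pre-flight check for the S3 settings listed under "Trying it out", as an added example that is not part of the PR or of Vaultwarden's code. The names `parse_s3`, `get` and `lint`, the sample bucket and region, the URL-scheme test for "local path", and the space-separated reading of `ALLOWED_CONNECT_SRC` are assumptions made for illustration.

```rust
// Added example, not Vaultwarden code: lint for the S3 settings listed above.
use std::collections::HashMap;

/// Splits `s3://bucket[/prefix]` into (bucket, prefix); None if not a usable S3 URL.
fn parse_s3(value: &str) -> Option<(&str, &str)> {
    let rest = value.strip_prefix("s3://")?;
    let (bucket, prefix) = rest.split_once('/').unwrap_or((rest, ""));
    if bucket.is_empty() { None } else { Some((bucket, prefix)) }
}

fn get<'a>(cfg: &HashMap<&str, &'a str>, key: &str) -> &'a str {
    cfg.get(key).copied().unwrap_or("")
}

/// One finding per violated constraint; an empty Vec means the settings agree.
fn lint(cfg: &HashMap<&str, &str>, region: &str) -> Vec<String> {
    let mut findings = Vec::new();
    let data = get(cfg, "DATA_FOLDER");
    if !data.starts_with("s3://") {
        return findings; // local data folder: nothing S3-specific to check
    }
    let Some((bucket, _prefix)) = parse_s3(data) else {
        findings.push("DATA_FOLDER has no bucket name".to_string());
        return findings;
    };
    for key in ["TMP_FOLDER", "TEMPLATES_FOLDER"] {
        let v = get(cfg, key);
        // Assumption: any value with a URL scheme is treated as non-local.
        if v.is_empty() || v.contains("://") {
            findings.push(format!("{key} must be set to a local path"));
        }
    }
    if get(cfg, "DATABASE_URL").is_empty() {
        findings.push("DATABASE_URL must be set to a valid value".to_string());
    }
    // Assumption: ALLOWED_CONNECT_SRC holds space-separated origins, like a CSP source list.
    let origin = format!("https://{bucket}.s3.{region}.amazonaws.com");
    if !get(cfg, "ALLOWED_CONNECT_SRC").split_whitespace().any(|o| o == origin) {
        findings.push(format!("ALLOWED_CONNECT_SRC should include {origin}"));
    }
    findings
}

fn main() {
    // Constructed sample: placeholder bucket, TEMPLATES_FOLDER and ALLOWED_CONNECT_SRC unset.
    let cfg = HashMap::from([("DATA_FOLDER", "s3://example-vw-bucket/vaultwarden"),
        ("TMP_FOLDER", "data/tmp"), ("DATABASE_URL", "data/db.sqlite3")]);
    for finding in lint(&cfg, "us-east-1") {
        println!("finding: {finding}");
    }
}
```

Listing only the one bucket origin in `ALLOWED_CONNECT_SRC` keeps the web-vault's connect-src allowance as narrow as the description requires.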

GiteaMirror added the pull-request label 2026-03-07 21:14:09 -06:00

Reference: github-starred/vaultwarden#7279