Database backend does not clean up logins when role is deleted #4782

Closed
pascal-enz opened this issue Jun 18, 2018 · 1 comment
Description
I am using the database backend with the MSSQL plugin and observed the following issue. When a database role is deleted from Vault, it does not delete logins and users that were created under that role. Later when the logins expire, Vault tries to delete them, but it fails with error "could not find role". As a result the users and logins stay active in the database forever.

Steps to reproduce

  1. Run the following commands:

vault secrets enable -path=mssql database

vault write mssql/config/testdb \
    plugin_name="mssql-database-plugin" \
    connection_url="sqlserver://{{username}}:{{password}}@localhost:1433/SQLEXPRESS" \
    username="sa" \
    password="..." \
    allowed_roles="*"

vault write mssql/roles/testuser \
    db_name="testdb" \
    creation_statements="CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}', DEFAULT_DATABASE=[PlatformManagement_V1], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF; USE [PlatformManagement_V1]; CREATE USER [{{name}}] FOR LOGIN [{{name}}]; EXECUTE sys.sp_addrolemember N'db_owner', N'{{name}}';" \
    default_ttl="1m" \
    max_ttl="1m"

vault read mssql/creds/testuser

vault delete mssql/roles/testuser

  2. Wait a minute until the login expires.

  3. Check the Vault audit log for the following error message:

[ERROR] expiration: failed to revoke lease: lease_id=mssql/creds/testuser/7e2b66a3-1caf-7ba2-a8f2-18c522636b39 error="failed to revoke entry: resp: (*logical.Response)(nil) err: error during revoke: could not find role with name "testuser""

  4. Check SQL Server. The database user and the login still exist and are active.

Expected Behaviour
When the database role is deleted from Vault, all users and logins created under it should be removed from SQL Server immediately.

calvn commented Jun 18, 2018

Since the database role got deleted, Vault is not able to determine the connection information or revocation statement required to expire the lease. The backend is not responsible for the lease itself (that is handled in Vault's core), so it's not possible for the backend to expire leases. You can, however, remove all of the role's associated leases via prefix-based revocation before the role gets deleted. We will add this suggestion to the documentation, thanks for reporting!

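A script that applies the workaround described in the comment above, added here as an example; it is not part of the issue and not Vault's own code. It revokes every lease under the role's creds prefix with `vault lease revoke -prefix`, checks `sys/leases/lookup` to confirm nothing is still outstanding, and only then deletes the role, so Vault still holds the revocation statements while the SQL Server logins are being dropped. It assumes the `vault` CLI is on PATH with VAULT_ADDR and VAULT_TOKEN set; the mount `mssql` and role `testuser` are the values from the issue, and the function names are chosen here. Logins that were already orphaned before this script runs are not covered: Vault no longer knows how to revoke them, so they have to be dropped in SQL Server by hand.

```shell
#!/bin/sh
# Added example, not from the issue or from Vault's own code.
# Revoke every lease issued under a database role before deleting the role,
# so that Vault still has the role's revocation statements while the
# logins are being dropped from SQL Server.
#
# Assumptions: the `vault` CLI is on PATH and VAULT_ADDR / VAULT_TOKEN are
# set. Mount "mssql" and role "testuser" are the values from the issue;
# the function names below are chosen here.

# Return 0 if any lease still exists under <mount>/creds/<role>, 1 if none.
# `vault list` exits non-zero when the prefix is empty, which also means none.
leases_remaining() {
    mount="$1"; role="$2"
    out=$(vault list -format=json "sys/leases/lookup/${mount}/creds/${role}" 2>/dev/null) || return 1
    case "$out" in
        ""|"[]") return 1 ;;
        *) return 0 ;;
    esac
}

# Revoke by prefix, verify nothing is left, then delete the role.
# Return codes: 0 done, 1 revoke or delete failed, 2 leases still outstanding.
safe_delete_role() {
    mount="$1"; role="$2"
    vault lease revoke -prefix "${mount}/creds/${role}" || return 1
    if leases_remaining "$mount" "$role"; then
        echo "leases still outstanding under ${mount}/creds/${role}; role not deleted" >&2
        return 2
    fi
    vault delete "${mount}/roles/${role}" || return 1
}

# Usage: ./safe_delete_role.sh mssql testuser
if [ "$#" -eq 2 ]; then
    safe_delete_role "$1" "$2"
fi
```

The check after revocation matters because `vault lease revoke -prefix` returns as soon as the revocations are queued; if any lease revocation fails (for example because SQL Server is unreachable), the role is kept so that Vault can retry with the statements it still has.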
@calvn calvn closed this as completed Jun 18, 2018
@jefferai jefferai reopened this Jun 18, 2018
jefferai added a commit that referenced this issue Jun 18, 2018
* Add create/update distinction for connection config
* Add create/update distinction for role config
* Add db name and revocation statements to leases to give revocation a
shot at working if the role has been deleted

Fixes #3544
Fixes #4782
@jefferai jefferai added this to the 0.10.3 milestone Jun 18, 2018
jefferai added a commit that referenced this issue Jun 19, 2018
* Database updates

* Add create/update distinction for connection config
* Add create/update distinction for role config
* Add db name and revocation statements to leases to give revocation a
shot at working if the role has been deleted

Fixes #3544
Fixes #4782

* Add create/update info to docs