MySQL RDS Plugin Error with Password Special Characters #7834

Closed
ak-beep-boop opened this issue Nov 7, 2019 · 3 comments · Fixed by #8040
Labels
bug Used to indicate a potential bug secret/database

ak-beep-boop commented Nov 7, 2019

Describe the bug
When using the CLI or cURL to establish a new set of root database credentials, the remote authorization fails when there is an exclamation point in the password. The character cannot be escaped or URL-encoded successfully. An identical password without the exclamation point works without issues.

To Reproduce
Both CLI and cURL clients fail with a 1045 error:

# curl -ks https://vault.local/v1/database/config/proddb \
>   -H "X-Vault-Token: s.root-token-asdf" \
>   -X POST \
>   -d '{"plugin_name":"mysql-rds-database-plugin",
>        "connection_url":"{{username}}:{{password}}@tcp(remote-host:1521)/",
>        "allowed_roles":"*",
>        "username":"dbmaster",
>        "password":"abcdef!"}'
{"errors":["error creating database object: error verifying connection: Error 1045: Access denied for user 'dbmaster'@'10.255.192.128' (using password: YES)"]}
# vault write -tls-skip-verify \
>   database/config/proddb \
>   plugin_name=mysql-rds-database-plugin \
>   connection_url="{{username}}:{{password}}@tcp(remote-host:1521)/" \
>   allowed_roles="*" \
>   username="dbmaster" \
>   password="abcdef!"

Error writing data to database/config/aurciprd: Error making API request.

URL: PUT https://127.0.0.1:8200/v1/database/config/proddb
Code: 400. Errors:

* error creating database object: error verifying connection: Error 1045: Access denied for user 'dbmaster'@'10.255.192.128' (using password: YES)

Expected behavior
I was able to get this to succeed by using the same password without an exclamation point on the end. Unfortunately, I do not have a say in what this password should be, so it must support special characters.

Environment:

  • Vault Server Version (retrieve with vault status):
# vault status -tls-skip-verify
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    5
Threshold       3
Version         1.2.2
Cluster Name    vault-cluster-d0923a5b
Cluster ID      5c500923-7810-4647-ae61-2685eba150c9
HA Enabled      true
HA Cluster      https://10.255.192.128:8201
HA Mode         active
  • Vault CLI Version (retrieve with vault version):
# vault version -tls-skip-verify
Vault v1.2.2
  • Server Operating System/Architecture:
# uname -a
Linux ldvltv01 3.10.0-957.1.3.el7.x86_64 #1 SMP Thu Nov 29 14:49:43 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Vault server configuration file(s):

storage "consul" {
  address = "consul.local:8501"
  path = "vault/"
  scheme = "https"
  token = "token-goes-here"
  tls_skip_verify = 1
}

listener "tcp" {
  address = "127.0.0.1:8200"
  tls_cert_file = "/etc/pki/tls/private/cert.crt"
  tls_key_file = "/etc/pki/tls/private/cert.key"
  tls_require_and_verify_client_cert = false
  tls_skip_verify = 1
}

listener "tcp" {
  address = "10.255.192.128:8200"
  tls_cert_file = "/etc/pki/tls/private/cert.crt"
  tls_key_file = "/etc/pki/tls/private/cert.key"
  tls_require_and_verify_client_cert = false
  tls_disable_client_certs = true
}

api_addr = "https://10.255.192.128:8200"
ui = true

Additional context
Like I said, I'm unable to escape the password using backslashes or single quotes or $(cat password.txt) or any other bash tricks, and url-encoding the exclamation in cURL doesn't help either. This command works when resetting the database password to abcdef and stops working again when using abcdef!

This is not a firewall issue; I'm getting login failures in the RDS console logs, and it's working otherwise.

I am also able to get the original password to work in a python script:

# python3
Python 3.6.8 (default, Apr  8 2019, 18:17:52)
[GCC 8.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import mysql.connector
>>> cnx = mysql.connector.connect(user='dbmaster', password='abcdef!', host='remote-host', port=1521, database='proddb')
>>> cur = cnx.cursor()
>>> cur.execute('SELECT 1;')
>>> cur.fetchall()
[(1,)]
@michelvocks michelvocks added bug Used to indicate a potential bug secret/database labels Nov 8, 2019
@michelvocks
Contributor

#6752 seems to be related.

@ak-beep-boop
Author

@michelvocks #6752 did seem related, but the solution to that thread (URL encoding) did not seem to work. Perhaps I am doing the encoding wrong; could you provide an example?

It occurred to me that it may also be possible to use base64 encoding for these values. Does Vault support base64 for transport? Can it auto-detect and decode on the back end?

@twingate-blee

I'm running into the same issue but with mysql-database-plugin
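
Earlier in the thread a comment asks what URL-encoding the password would look like. The following Go sketch is an added example, not code from this thread or from Vault; it shows what a percent-escaped password becomes once it is substituted into a DSN shaped like the `connection_url` in the report. It assumes credentials are split out of the DSN without percent-decoding; `render`, `splitCreds` and `sentPassword` are hypothetical helpers, and `p@ss:w0rd` is a constructed value.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// render fills the {{username}}/{{password}} placeholders of a connection_url
// template. Hypothetical helper written for this example.
func render(tpl, user, pass string) string {
	return strings.NewReplacer("{{username}}", user, "{{password}}", pass).Replace(tpl)
}

// splitCreds extracts user and password from a DSN of the form
// user:password@tcp(host:port)/ by splitting at the last '@' and the first
// ':'. No percent-decoding is applied (assumption of this example).
func splitCreds(dsn string) (user, pass string, err error) {
	at := strings.LastIndex(dsn, "@")
	if at < 0 {
		return "", "", fmt.Errorf("no credentials in DSN")
	}
	creds := dsn[:at]
	colon := strings.Index(creds, ":")
	if colon < 0 {
		return creds, "", nil
	}
	return creds[:colon], creds[colon+1:], nil
}

// sentPassword returns the password the server would be asked to verify.
// With escape=true the value is percent-escaped before templating.
func sentPassword(pass string, escape bool) string {
	if escape {
		pass = url.PathEscape(pass)
	}
	tpl := "{{username}}:{{password}}@tcp(remote-host:1521)/"
	_, got, _ := splitCreds(render(tpl, "dbmaster", pass))
	return got
}

func main() {
	// "abcdef" and "abcdef!" come from the report; "p@ss:w0rd" is constructed.
	for _, p := range []string{"abcdef", "abcdef!", "p@ss:w0rd"} {
		fmt.Printf("%-12q raw=%q escaped=%q\n", p, sentPassword(p, false), sentPassword(p, true))
	}
}
```

Under that assumption the escaped form of `abcdef!` reaches the server as a different literal string, while `abcdef` is unchanged by escaping, which is consistent with the Error 1045 pattern reported above.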
