feature: multiplexing support for database plugins

Makefile

@@ -194,6 +194,7 @@ proto: bootstrap
 	protoc --go_out=. --go_opt=paths=source_relative --go-grpc_out=. --go-grpc_opt=paths=source_relative sdk/database/dbplugin/*.proto
 	protoc --go_out=. --go_opt=paths=source_relative --go-grpc_out=. --go-grpc_opt=paths=source_relative sdk/database/dbplugin/v5/proto/*.proto
 	protoc --go_out=. --go_opt=paths=source_relative --go-grpc_out=. --go-grpc_opt=paths=source_relative sdk/plugin/pb/*.proto
+	protoc --go_out=. --go_opt=paths=source_relative --go-grpc_out=. --go-grpc_opt=paths=source_relative sdk/helper/pluginutil/*.proto
 
 	# No additional sed expressions should be added to this list. Going forward
 	# we should just use the variable names choosen by protobuf. These are left

builtin/logical/database/backend.go

@@ -110,6 +110,7 @@ func Backend(conf *logical.BackendConfig) *databaseBackend {
 }
 
 type databaseBackend struct {
+	// connections holds configured database connections by config name
 	connections map[string]*dbPluginInstance
 	logger      log.Logger
 

builtin/logical/database/path_config_connection.go

@@ -329,6 +329,8 @@ func (b *databaseBackend) connectionWriteHandler() framework.OperationFunc {
 		}
 		config.ConnectionDetails = initResp.Config
 
+		b.Logger().Debug("created database object", "name", name, "plugin_name", config.PluginName)
+
 		b.Lock()
 		defer b.Unlock()
 
@@ -365,6 +367,9 @@ func (b *databaseBackend) connectionWriteHandler() framework.OperationFunc {
 				"Vault (or the sdk if using a custom plugin) to gain password policy support", config.PluginName))
 		}
 
+		if len(resp.Warnings) == 0 {
+			return nil, nil
+		}
 		return resp, nil
 	}
 }

changelog/14033.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+**Database plugin multiplexing**: manage multiple database connections with a single plugin process
+```

helper/builtinplugins/registry.go

@@ -150,8 +150,8 @@ type registry struct {
 	logicalBackends    map[string]logical.Factory
 }
 
-// Get returns the BuiltinFactory func for a particular backend plugin
-// from the plugins map.
+// Get returns the Factory func for a particular backend plugin from the
+// plugins map.
 func (r *registry) Get(name string, pluginType consts.PluginType) (func() (interface{}, error), bool) {
 	switch pluginType {
 	case consts.PluginTypeCredential:

plugins/database/postgresql/postgresql.go

@@ -48,7 +48,6 @@ var (
 	singleQuotedPhrases = regexp.MustCompile(`('.*?')`)
 )
 
-// New implements builtinplugins.BuiltinFactory
 func New() (interface{}, error) {
 	db := new()
 	// Wrap the plugin with middleware to sanitize errors

sdk/database/dbplugin/v5/grpc_database_plugin.go

@@ -5,21 +5,25 @@ import (
 
 	"github.com/hashicorp/go-plugin"
 	"github.com/hashicorp/vault/sdk/database/dbplugin/v5/proto"
+	"github.com/hashicorp/vault/sdk/helper/pluginutil"
 	"google.golang.org/grpc"
 )
 
 // handshakeConfigs are used to just do a basic handshake between
 // a plugin and host. If the handshake fails, a user friendly error is shown.
 // This prevents users from executing bad plugins or executing a plugin
 // directory. It is a UX feature, not a security feature.
-var handshakeConfig = plugin.HandshakeConfig{
-	ProtocolVersion:  5,
+var HandshakeConfig = plugin.HandshakeConfig{
 	MagicCookieKey:   "VAULT_DATABASE_PLUGIN",
 	MagicCookieValue: "926a0820-aea2-be28-51d6-83cdf00e8edb",
 }
 
+// Factory is the factory function to create a dbplugin Database.
+type Factory func() (interface{}, error)
+
 type GRPCDatabasePlugin struct {
-	Impl Database
+	FactoryFunc Factory
+	Impl        Database
 
 	// Embeding this will disable the netRPC protocol
 	plugin.NetRPCUnsupportedPlugin
@@ -31,7 +35,25 @@ var (
 )
 
 func (d GRPCDatabasePlugin) GRPCServer(_ *plugin.GRPCBroker, s *grpc.Server) error {
-	proto.RegisterDatabaseServer(s, gRPCServer{impl: d.Impl})
+	var server gRPCServer
+
+	if d.Impl != nil {
+		server = gRPCServer{singleImpl: d.Impl}
+	} else {
+		// multiplexing is supported
+		server = gRPCServer{
+			factoryFunc: d.FactoryFunc,
+			instances:   make(map[string]Database),
+		}
+
+		// Multiplexing is enabled for this plugin, register the server so we
+		// can tell the client in Vault.
+		pluginutil.RegisterPluginMultiplexingServer(s, pluginutil.PluginMultiplexingServerImpl{
+			Supported: true,
+		})
+	}
+
+	proto.RegisterDatabaseServer(s, &server)
 	return nil
 }