Combined Database Backend: Static Accounts #6680
Closed
… Other cleanup after feedback
…base backend gRPC
…nd automatic rotation
…end, starting with PostgreSQL implementation
Co-Authored-By: Brian Kassouf <[email protected]>
…dcr-backend-grpc * 'cdcr-backend-grpc' of github.com:hashicorp/vault: Update builtin/logical/database/path_rotate_credentials.go
…s cannot share a name
…uct to consolidate where we're calling set credentials
Co-Authored-By: Brian Kassouf <[email protected]>
Co-Authored-By: Jim Kalafut <[email protected]>
…dcr-backend-grpc * 'cdcr-backend-grpc' of github.com:hashicorp/vault: Update builtin/logical/database/path_roles.go
…des for dynamic/static roles by type
Closing in favor of #6834
This is a WIP pull request of an implementation of a new feature for the Combined Database Secret Backend:

Static Database Accounts with Automatic Rotation

This pull request introduces Static Accounts, adding support for managing traditional static credentials alongside our current dynamic credentials in the combined database secret backend, with automatic rotation. Static Accounts are Vault Roles that are associated with a specific username in a database that is automatically rotated by Vault on a user-defined rotation period. To create a static account, users write to `/database/static-roles/:static-role-name`, similar to the existing dynamic roles, and supply new fields specific to static accounts:

- `username` (string, required): Name of the static user account for Vault to manage
- `rotation_period` (string/int, required): Period for automatic credential rotation of the given username. Not valid unless used with `username`.
- `rotation_statements` (list, required): Specifies the database statements to be executed to rotate the account's credentials

After successful creation, requesting credentials for the static account is done by reading `/database/static-creds/:static-role-name`. The response contains the `username`, current password, the date and time of the last password rotation performed by Vault, and the approximate TTL for the current password until the next rotation. Each subsequent call to read the credentials will return the same password value, up until the TTL reaches zero and the rotation occurs.

Internally, when static accounts are created they are added to an internal priority queue for tracking. Periodically (approximately every 5 seconds) the queue is checked for any accounts that require rotation. Accounts that need rotation are removed from the queue and have their passwords rotated according to their `rotation_statements`. The new passwords are saved and the static account is then placed back onto the queue with a newly calculated time-to-rotate based on the `rotation_period` and the current time.

This PR includes support for static accounts with the Postgres database backend only. Future database plugins can be added by fully implementing the new plugin methods that are added in this PR:

- `GenerateCredentials`: returns a generated password according to the database plugin's `GeneratePassword` method
- `SetCredentials`: instructs the database plugin to set the specified database user's password to a specific, given value

This pull request builds from an existing PR #6664, and is based off of the cdcr-priority-queue branch