
Combined Database Backend: Static Accounts #6680

Closed. Wants to merge 76 commits.

Conversation

catsby (Contributor) commented May 3, 2019

This is a WIP pull request of an implementation of a new feature for the Combined Database Secret Backend:

Static Database Accounts with Automatic Rotation

This pull request introduces Static Accounts, adding support for managing traditional static credentials alongside our current dynamic credentials in the combined database secret backend, with automatic rotation. Static Accounts are Vault Roles that are associated with a specific username in a database that is automatically rotated by Vault on a user defined rotation period. To create a static account, users write to /database/static-roles/:static-role-name similar to the existing dynamic roles, and supply new fields specific to static accounts:

  • username (string, required): Name of the static user account for Vault to manage
  • rotation_period (string/int, required): Period for automatic credential rotation of the given username. Not valid unless used with "username".
  • rotation_statements (list, required): Specifies the database statements to be executed to rotate the account's credentials

After successful creation, requesting credentials for the static account is done by reading /database/static-creds/:static-role-name. The response contains the username, current password, the date and time of the last password rotation performed by Vault, and the approximate TTL for the current password until the next rotation. Each subsequent call to read the credentials will return the same password value, up until the TTL reaches zero and the rotation occurs.

Internally, when static accounts are created they are added to an internal priority queue for tracking. Periodically (approximately every 5 seconds) the queue is checked for any accounts that require rotation. Accounts that need rotation are removed from the queue and have their passwords rotated according to their rotation_statements. The new passwords are saved and the static account is then placed back onto the queue with a newly calculated time-to-rotate based on the rotation_period and the current time.

This PR includes support for static accounts with the Postgres database backend only. Future database plugins can be added by fully implementing the new plugin methods that are added in this PR:

  • GenerateCredentials: returns a generated password according to the database plugin's GeneratePassword method
  • SetCredentials: instructs the database plugin to set the specified database user's password to a specific, given value

This pull request builds from an existing PR #6664, and is based off of the cdcr-priority-queue branch.
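The rotation loop described above (accounts keyed by their next rotation time in a priority queue, popped when due, rotated, and re-queued with a fresh due time), modelled as an added example in Go. This is not code from the PR or from Vault: the StaticAccount, Scheduler, Tick and TTL names, the SetCredentialsFunc hook standing in for the plugin's SetCredentials method, the base64 password format standing in for GeneratePassword, and the map-backed fake database are all assumptions made for the illustration. The example also covers the failure mode the PR text does not spell out: an account whose database update fails keeps its old password and stays due.

```go
package main

import (
	"container/heap"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"time"
)

// StaticAccount is a simplified model of a static role (assumed shape, not Vault's).
type StaticAccount struct {
	Role           string
	Username       string // database user Vault manages
	Password       string // current password returned on static-creds reads
	RotationPeriod time.Duration
	LastRotation   time.Time
	NextRotation   time.Time // queue priority: earliest due account is at the head
}

// rotationQueue is a min-heap over NextRotation, implementing container/heap.
type rotationQueue []*StaticAccount

func (q rotationQueue) Len() int            { return len(q) }
func (q rotationQueue) Less(i, j int) bool  { return q[i].NextRotation.Before(q[j].NextRotation) }
func (q rotationQueue) Swap(i, j int)       { q[i], q[j] = q[j], q[i] }
func (q *rotationQueue) Push(x interface{}) { *q = append(*q, x.(*StaticAccount)) }
func (q *rotationQueue) Pop() interface{} {
	old := *q
	item := old[len(old)-1]
	*q = old[:len(old)-1]
	return item
}

// SetCredentialsFunc stands in for the plugin's SetCredentials method:
// apply a specific password to the named database user.
type SetCredentialsFunc func(username, password string) error

// Scheduler owns the queue. The real backend polls it roughly every 5 seconds;
// here Tick is driven explicitly with a clock value so behaviour is testable.
type Scheduler struct {
	queue          rotationQueue
	setCredentials SetCredentialsFunc
}

func NewScheduler(set SetCredentialsFunc) *Scheduler { return &Scheduler{setCredentials: set} }

// generatePassword stands in for the plugin's GeneratePassword method
// (24 random bytes, URL-safe base64; a constructed format, not Vault's).
func generatePassword() (string, error) {
	buf := make([]byte, 24)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// Add validates the required fields and enqueues a new static role. Whether
// creation also rotates immediately is not stated in the PR; here it does not.
func (s *Scheduler) Add(acct *StaticAccount, now time.Time) error {
	if acct.Username == "" || acct.RotationPeriod <= 0 {
		return fmt.Errorf("role %q: username and a positive rotation_period are required", acct.Role)
	}
	acct.NextRotation = now.Add(acct.RotationPeriod)
	heap.Push(&s.queue, acct)
	return nil
}

// Tick rotates every account due at or before now and re-queues it with a new
// due time. An account whose database update fails is re-queued unchanged
// (old password, old due time) so the next tick retries it without blocking
// the other due accounts in this tick. Returns the roles rotated.
func (s *Scheduler) Tick(now time.Time) ([]string, error) {
	var rotated []string
	var failed []*StaticAccount
	var firstErr error
	for s.queue.Len() > 0 && !s.queue[0].NextRotation.After(now) {
		acct := heap.Pop(&s.queue).(*StaticAccount)
		pw, err := generatePassword()
		if err == nil {
			err = s.setCredentials(acct.Username, pw)
		}
		if err != nil {
			failed = append(failed, acct)
			if firstErr == nil {
				firstErr = fmt.Errorf("rotating %s: %w", acct.Role, err)
			}
			continue
		}
		acct.Password, acct.LastRotation = pw, now
		acct.NextRotation = now.Add(acct.RotationPeriod)
		heap.Push(&s.queue, acct)
		rotated = append(rotated, acct.Role)
	}
	for _, acct := range failed {
		heap.Push(&s.queue, acct)
	}
	return rotated, firstErr
}

// TTL is what a static-creds read reports: time remaining until the next rotation.
func (s *Scheduler) TTL(role string, now time.Time) (time.Duration, bool) {
	for _, acct := range s.queue {
		if acct.Role == role {
			return acct.NextRotation.Sub(now), true
		}
	}
	return 0, false
}

func main() {
	db := map[string]string{} // constructed stand-in for the database's user table
	s := NewScheduler(func(user, pw string) error { db[user] = pw; return nil })
	now := time.Now()
	acct := &StaticAccount{Role: "reporting", Username: "svc_reporting", RotationPeriod: 24 * time.Hour}
	_ = s.Add(acct, now)
	rotated, err := s.Tick(now.Add(24 * time.Hour))
	fmt.Println(rotated, err, db["svc_reporting"] == acct.Password)
}
```

Two points the model makes visible: the queue order alone decides which account is rotated first when several are due, and a failed SetCredentials must leave the stored password untouched, since the database still holds the old one and a static-creds read has to keep returning a password that works.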


catsby added 25 commits April 30, 2019 09:32
* master:
  Fixed Typo
  [Doc]: PKI Fix allowed_uri_sans spelling mistake (#6660)
  DynamoDB: Make Unlock key delete conditional on being old leader's (#6637)
  Fix hook by using env to discover the correct location of bash as sh doesn't have [[
…end, starting with PostgreSQL implementation
@catsby catsby force-pushed the cdcr-backend-grpc branch from 539331c to 2041814 Compare May 3, 2019 20:50
@catsby catsby changed the base branch from cdcr-priority-queue to master May 17, 2019 21:04
@catsby catsby force-pushed the cdcr-backend-grpc branch from 9c5dac6 to 35b66f2 Compare May 22, 2019 21:17
catsby (Contributor, Author) commented Jun 5, 2019

Closing in favor of #6834

@catsby catsby closed this Jun 5, 2019
4 participants