Cassandra DB plugin: Allow special chars in usernames #11262

pcman312 · 2021-04-01T20:57:46Z

Allows special characters in usernames by updating the default change-password statement to include quotes around the username.

In the meantime, this can be worked around by specifying the root_rotation_statements field on the database config:

$ vault write database/config/cassandra \
    plugin_name=cassandra-database-plugin \
    hosts=127.0.0.1 \
    protocol_version=3 \
    username="vault-admin" \
    password="myreallysecurepassword" \
    allowed_roles="*" \
    root_rotation_statements="ALTER USER '{{username}}' WITH PASSWORD '{{password}}'"

Testing

Running this with an automated test is a bit tricky and the change is small enough I'm comfortable with some manual testing:

Before fix:

$ vault write database/config/cassandra \
    plugin_name=cassandra-database-plugin \
    hosts=127.0.0.1 \
    protocol_version=3 \
    username="vault-admin" \
    password="myreallysecurepassword"

$ vault write -force database/rotate-root/cassandra
Error writing data to database/rotate-root/cassandra: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/database/rotate-root/cassandra
Code: 500. Errors:

* 1 error occurred:
	* failed to update user: 1 error occurred:
	* line 1:16 mismatched input '-' expecting EOF (ALTER USER vault[-]...)

After fix:

$ vault write database/config/cassandra \
    plugin_name=cassandra-database-plugin \
    hosts=127.0.0.1 \
    protocol_version=3 \
    username="vault-admin" \
    password="myreallysecurepassword" \
    allowed_roles="*"

$ vault write -force database/rotate-root/cassandra
Success! Data written to: database/rotate-root/cassandra

Valarissa

Should we include a docs change to address the workaround for root credential rotation?

calvn · 2021-04-02T17:33:10Z

Can you add a changelog for this and milestone it under the appropriate release? Should this be a backport for 1.7.1?

pcman312 · 2021-04-06T20:34:45Z

@calvn Done.

pcman312 · 2021-04-16T17:23:22Z

@Valarissa re: docs: #11378

Allow special chars in usernames

6718467

pcman312 requested review from Valarissa, catsby and austingebauer April 1, 2021 21:00

Valarissa approved these changes Apr 1, 2021

View reviewed changes

austingebauer approved these changes Apr 2, 2021

View reviewed changes

calvn approved these changes Apr 2, 2021

View reviewed changes

Add changelog

10733ac

vercel bot had a problem deploying to Preview – vault April 6, 2021 20:30 Failure

vercel bot temporarily deployed to Preview – vault-storybook April 6, 2021 20:30 Inactive

pcman312 added this to the 1.7.1 milestone Apr 6, 2021

pcman312 added secret/database/cassandra bug Used to indicate a potential bug labels Apr 6, 2021

pcman312 merged commit a8b0a58 into master Apr 16, 2021

pcman312 deleted the cassandra-root-user branch April 16, 2021 20:01

pcman312 added a commit that referenced this pull request Apr 16, 2021

Cassandra DB plugin: Allow special chars in usernames (#11262)

1533f2d

pcman312 mentioned this pull request Apr 16, 2021

Backport (1.7.x): Cassandra DB plugin: Allow special chars in usernames (#11262) #11385

Merged

pcman312 added a commit that referenced this pull request Apr 19, 2021

Cassandra DB plugin: Allow special chars in usernames (#11262) (#11385)

224e04e

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Cassandra DB plugin: Allow special chars in usernames #11262

Cassandra DB plugin: Allow special chars in usernames #11262

pcman312 commented Apr 1, 2021

Valarissa left a comment

calvn commented Apr 2, 2021

pcman312 commented Apr 6, 2021

pcman312 commented Apr 16, 2021

Cassandra DB plugin: Allow special chars in usernames #11262

Cassandra DB plugin: Allow special chars in usernames #11262

Conversation

pcman312 commented Apr 1, 2021

Testing

Valarissa left a comment

Choose a reason for hiding this comment

calvn commented Apr 2, 2021

pcman312 commented Apr 6, 2021

pcman312 commented Apr 16, 2021