
Combined Database Backend: Static Accounts #6834

Merged (106 commits), Jun 19, 2019

Conversation

catsby (Contributor) commented Jun 5, 2019

Static Database Accounts with Automatic Rotation

This pull request introduces Static Accounts, adding support for managing traditional static credentials alongside our current dynamic credentials in the combined database secret backend, with automatic rotation. Static Accounts are Vault Roles that are associated with a specific username in a database that is automatically rotated by Vault on a user defined rotation period. To create a static account, users write to /database/static-roles/:static-role-name similar to the existing dynamic roles, and supply new fields specific to static accounts:

  • username (string, required): Name of the static user account for Vault to manage
  • rotation_period (string/int, required): Period for automatic credential rotation of the given username. Not valid unless used with "username".
  • rotation_statements (list, required): Specifies the database statements to be executed to rotate the account's credentials

After successful creation, requesting credentials for the static account is done by reading /database/static-creds/:static-role-name. The response contains the username, current password, the date and time of the last password rotation performed by Vault, and the approximate TTL for the current password until the next rotation. Each subsequent call to read the credentials will return the same password value, up until the TTL reaches zero and the rotation occurs.

Internally, when static accounts are created they are added to an internal priority queue for tracking. Periodically (approximately every 5 seconds) the queue is checked for any accounts that require rotation. Accounts that need rotation are removed from the queue and have their passwords rotated according to their rotation_statements. The new passwords are saved and the static account is then placed back onto the queue with a newly calculated time-to-rotate based on the rotation_period and the current time.

This PR includes support for static accounts with the Postgres database backend only. Future database plugins can be added by fully implementing the new plugin methods that are added in this PR:

  • GenerateCredentials: returns a generated password according to the database plugin's GeneratePassword method
  • SetCredentials: instructs the database plugin to set the specified database user's password to a specific, given value

This pull request builds on and continues/supersedes #6680.
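As an added illustration (not Vault's code and not part of this PR), here is a Go model of the queue-driven rotation loop the description outlines: roles sit in a container/heap priority queue keyed by their next rotation time, a periodic check pops every role that is due, rotates it, and re-enqueues it at last rotation + rotation_period. The `Rotator` type, its injectable `Now` and `SetCredentials` hooks, the sample role names and the choice to rotate once at creation (so a Vault-managed password exists before the first read) are all assumptions of this example. It also spells out the failure mode the text leaves implicit: if the database update fails, the old password is kept and the role stays queued so it is retried on the next tick.

```go
// Added example, not Vault's own code: a model of the static-account rotation
// loop. Assumed: rotate once on creation; GenerateCredentials/SetCredentials stand in for the plugin methods.
package main

import (
	"container/heap"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"time"
)

// StaticRole: the static-roles/:name fields plus what static-creds/:name returns.
type StaticRole struct {
	Name           string
	Username       string
	RotationPeriod time.Duration
	Password       string
	LastRotated    time.Time
	nextRotation   time.Time // heap priority
}

// rotationQueue is a min-heap on nextRotation (container/heap wiring).
type rotationQueue []*StaticRole

func (q rotationQueue) Len() int            { return len(q) }
func (q rotationQueue) Less(i, j int) bool  { return q[i].nextRotation.Before(q[j].nextRotation) }
func (q rotationQueue) Swap(i, j int)       { q[i], q[j] = q[j], q[i] }
func (q *rotationQueue) Push(x interface{}) { *q = append(*q, x.(*StaticRole)) }
func (q *rotationQueue) Pop() interface{}   { r := (*q)[len(*q)-1]; *q = (*q)[:len(*q)-1]; return r }

// Rotator owns the queue; Now and SetCredentials are injectable for testing.
type Rotator struct {
	queue          rotationQueue
	Now            func() time.Time
	SetCredentials func(username, password string) error // would run rotation_statements
}

// GenerateCredentials stands in for the plugin method: a crypto/rand password.
func GenerateCredentials() (string, error) {
	b := make([]byte, 24)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// rotate updates the database first and records the password only on success,
// so a failed update never leaves Vault holding a password the database lacks.
func (r *Rotator) rotate(role *StaticRole) error {
	pw, err := GenerateCredentials()
	if err == nil {
		err = r.SetCredentials(role.Username, pw)
	}
	if err != nil {
		return err
	}
	role.Password, role.LastRotated = pw, r.Now()
	role.nextRotation = role.LastRotated.Add(role.RotationPeriod)
	return nil
}

// AddRole is the static-roles write: rotate once, then start tracking.
func (r *Rotator) AddRole(role *StaticRole) error {
	if err := r.rotate(role); err != nil {
		return err
	}
	heap.Push(&r.queue, role)
	return nil
}

// CheckQueue is the periodic tick. A role whose rotation fails goes back on
// the queue unchanged and is retried next tick. Returns the rotated names.
func (r *Rotator) CheckQueue() ([]string, error) {
	var rotated []string
	now := r.Now()
	for r.queue.Len() > 0 && !r.queue[0].nextRotation.After(now) {
		role := heap.Pop(&r.queue).(*StaticRole)
		if err := r.rotate(role); err != nil {
			heap.Push(&r.queue, role)
			return rotated, err
		}
		rotated = append(rotated, role.Name)
		heap.Push(&r.queue, role)
	}
	return rotated, nil
}

// TTL is the approximate time left on the current password, as static-creds reports.
func (r *Rotator) TTL(role *StaticRole) time.Duration {
	if ttl := role.nextRotation.Sub(r.Now()); ttl > 0 {
		return ttl
	}
	return 0
}

func main() {
	r := &Rotator{Now: time.Now, SetCredentials: func(string, string) error { return nil }}
	role := &StaticRole{Name: "reporting", Username: "reporting_user", RotationPeriod: 24 * time.Hour}
	fmt.Println(r.AddRole(role), role.LastRotated.Format(time.RFC3339), r.TTL(role)) // password deliberately not printed
}
```

The ordering inside `rotate` is the security-relevant detail: the new password is written to the database before it is recorded, so an error from the database leaves the role's stored password still valid rather than desynchronised, and the role is pushed back onto the queue for the next tick instead of being dropped from tracking.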


catsby added 30 commits April 30, 2019 09:32
* master:
  Fixed Typo
  [Doc]: PKI Fix allowed_uri_sans spelling mistake (#6660)
  DynamoDB: Make Unlock key delete conditional on being old leader's (#6637)
  Fix hook by using env to discover the correct location of bash as sh doesn't have [[
…end, starting with PostgreSQL implementation
@catsby catsby requested a review from briankassouf June 13, 2019 17:45
Review comments (resolved) on builtin/logical/database/rotation.go and builtin/logical/database/path_roles.go
chrishoffman (Contributor):

Also there is a compilation error in one of the tests due to an unsatisfied interface https://circleci.com/gh/hashicorp/vault/2920#tests/containers/1.

catsby (Contributor, Author) commented Jun 17, 2019

@chrishoffman I added stubs for the missing methods in 779e195

chrishoffman previously approved these changes Jun 18, 2019
catsby added 2 commits June 18, 2019 14:44
* master: (98 commits)
  Added a note about JWT (#6899)
  Update api and sdk to remove direct gogo dep
  Update sdk in api/
  Remove gogo proto from where it snuck in
  fix failing region test
  fix test
  Update api/sdk in main repo
  Bump API's SDK version
  Return integers, not floats, when reading token params
  Update description field for some token store role values to be accurate
  Bump api/sdk dep
  Bump api against latest sdk
  Update go-plugin dep
  changelog++
  Add a force capability to delete in the policy store
  Fix some tests
  add es docs to sidebars
  Upgrade github.com/lib/pq to pickup SCRAM-SHA-* methods (#6895)
  Update elasticdb.html.md
  update doc to 7.1.1
  ...