Vault: [database/postgres] redshift compatibility

Created on 10 Jul 2017 · 6 Comments · Source: hashicorp/vault

The database/postgres backend works perfectly with Redshift, except for one requirement: the password must contain at least one uppercase character.

The following will fail with invalid password, as {{password}} is all lower-case

CREATE USER "{{name}}" PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}"

The following will work, but the password outputted by vault read does (for obvious reasons) not include the A.

CREATE USER "{{name}}" PASSWORD 'A{{password}}' VALID UNTIL '{{expiration}}';
GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}"

Having the {{password}} output part of the password in uppercase (just character) would make it compatible.

Not sure what the best approach to fixing this would be.

If I can get some advice on how to best approach this, I can (probably) come up with a PR fixing it.

All 6 comments

Hey, thanks for bringing this up! There is currently no direct way to get back A{{password}} via vault read, so the current workaround would be to perform post-processing on your end with the password retrieved from vault read and prepend the character into the result.

The fix, at least from the database plugin side, would be to modify RandomAlphaNumericOfLen() from plugins/helper/database/credsutil/credsutil.go to enforce A1a (uppercase, number, lowercase).

Another approach is to fulfill that requirement at the backend level and return the prepended password as the result, similar to the way that HANA handles its password requirement: https://github.com/hashicorp/vault/blob/master/plugins/database/hana/hana.go#L110.

It might be a good idea to just unilaterally make that hana modification.

Personally I would prefer the password generator to output something with upper and lower and digit by default, would most likely satisfy all these random silly requirements from different backends?

@jippi That's exactly what I was suggesting :-)

@jefferai so a PR with simply prefixing the password uuid with A1a would be acceptable?

For all plugins, yes.
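
The approach the thread settles on, sketched as an added example that is not part of the original issue and is not Vault's own code: the A1a prefix is applied when the credential is generated, so the string substituted for {{password}} and the string returned by vault read are identical. The function names, alphabet and body length are assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	"unicode"
)

// Hypothetical constants: "A1a" is the prefix named in the thread (uppercase, number, lowercase).
const (
	prefix   = "A1a"
	alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
)

// randomBody draws n characters uniformly from alphabet using crypto/rand.
func randomBody(n int) (string, error) {
	out := make([]byte, n)
	limit := big.NewInt(int64(len(alphabet)))
	for i := range out {
		idx, err := rand.Int(rand.Reader, limit)
		if err != nil {
			return "", err
		}
		out[i] = alphabet[idx.Int64()]
	}
	return string(out), nil
}

// GeneratePassword prepends the fixed prefix; it adds no entropy, so bodyLen alone sets the strength.
func GeneratePassword(bodyLen int) (string, error) {
	body, err := randomBody(bodyLen)
	if err != nil {
		return "", err
	}
	return prefix + body, nil
}

// HasUpperLowerDigit reports whether s contains all three character classes.
func HasUpperLowerDigit(s string) bool {
	var up, lo, di bool
	for _, r := range s {
		up = up || unicode.IsUpper(r)
		lo = lo || unicode.IsLower(r)
		di = di || unicode.IsDigit(r)
	}
	return up && lo && di
}

func main() {
	pw, err := GeneratePassword(20)
	fmt.Println(len(pw), HasUpperLowerDigit(pw), err)
}
```
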
