Vault: Better usernames when using the database plugin

Created on 13 Mar 2020 · 9 Comments · Source: hashicorp/vault

Environment:

  • Vault Version: 1.3.2
  • Operating System/Architecture: linux

Expected Behavior:
When the database plugin creates a database user, the user should have some identifiable information included.

Actual Behavior:
If the user logged into Vault has the username 'simon', Vault will create a database user something like v-ldap-sim-sjaskljslkjs.

Important Factoids:
Ideally Vault would create users where you can quickly find who or what requested the user. For example, if the username I logged into Vault with was example.username, it would be great if that was included in the database user created along with the random strings.

References:
https://www.vaultproject.io/docs/secrets/databases/

All 9 comments

Hi! Thanks for opening this issue!

Are you aware that you can specify your own user creation statement for the database? If you supply your own statement as briefly shown here, you could prepend or append the {{name}} field with identifying information.

Hey @tyrannosaurus-becks

Thanks for the reply :) I thought the {{ name }} only got what this function returned from https://github.com/hashicorp/vault/blob/master/sdk/database/helper/credsutil/sql.go#L33

Would I be able to use any built in functions to get hold of the full display name and not the first n as per https://github.com/hashicorp/vault/blob/master/sdk/database/helper/credsutil/sql.go#L38

Hi! You're right, you can't control what's in {{name}} - I was thinking of something more like setting up CREATE ROLE "from-foo-role-{{name}}". That of course would have the limitation of only giving role-level information, and not per-user information.

What kind of per-user information are you thinking it would be good to add to the username that would help you tie it back? The main identifying information that Vault has during credential generation is 1) the client token, and 2) the entity name, if an entity is associated with the login. (Entities are discussed here.)

Would it be like, if an entity is attached, include it in the generated username?

Hi @tyrannosaurus-becks

I would say something like if the display name is not empty then include the whole display name rather than a portion of it, which I think is just 3 chars right now.

So if I logged into Vault using an LDAP backend and my username was simon.macklin, the display name would be something like ldap-simon.macklin; then, with the other parts of the string being v at the start and the random part at the end, it would return roughly v-ldap-simon.macklin-sgsjaa82usjak

This would allow the DB admins to know who has access to the databases without having access to vault to cross reference the two if that makes sense.

Ideally we could make this the UsernameConfig struct configurable through the plugin configuration to allow people to adjust it according to their own requirements.

Simon
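A sketch of the proposed generator as an added example, not Vault's SDK code or the linked PR: the UsernameConfig fields, the v-<display>-<role>-<random> layout, the 8-character display-name cap (chosen to reproduce the v-ldap-sim-... shape from the issue) and the 63-character limit (PostgreSQL's identifier length) are assumptions. It keeps the whole display name as proposed, but also maps unsafe characters and, when the database's length limit bites, cuts the identifying prefix rather than the random suffix so uniqueness survives.

```go
package main

import (
	"fmt"
	"strings"
)

// Assumed illustrative config (not Vault's SDK type); DisplayNameLen 0 keeps the whole display name.
type UsernameConfig struct {
	DisplayName, RoleName               string
	DisplayNameLen, RoleNameLen, MaxLen int // MaxLen: identifier limit of the target DB
}

// clean lower-cases, maps anything outside [a-z0-9._-] to '_' so a display name
// can never alter the creation statement it is interpolated into, then truncates.
func clean(s string, n int) string {
	s = strings.Map(func(r rune) rune {
		if r >= 'a' && r <= 'z' || r >= '0' && r <= '9' || strings.ContainsRune("._-", r) {
			return r
		}
		return '_'
	}, strings.ToLower(s))
	if n > 0 && len(s) > n {
		s = s[:n]
	}
	return s
}

// GenerateUsername builds v-<display>-<role>-<random>; when MaxLen is exceeded it shortens
// the identifying prefix, never the random suffix, so same-display-name users cannot collide.
func GenerateUsername(cfg UsernameConfig, random string) (string, error) {
	prefix := "v-" + clean(cfg.DisplayName, cfg.DisplayNameLen) + "-" + clean(cfg.RoleName, cfg.RoleNameLen)
	suffix := "-" + random
	over := len(prefix) + len(suffix) - cfg.MaxLen
	if random == "" || (cfg.MaxLen > 0 && over >= len(prefix)) {
		return "", fmt.Errorf("MaxLen %d leaves no room for the random suffix", cfg.MaxLen)
	}
	if cfg.MaxLen > 0 && over > 0 {
		prefix = prefix[:len(prefix)-over]
	}
	return prefix + suffix, nil
}

func main() {
	const r = "sgsjaa82usjak" // constructed for the demo; real code draws this from crypto/rand
	for _, n := range []int{8, 0} { // 8 reproduces the v-ldap-sim-... shape above, 0 is the proposal
		u, err := GenerateUsername(UsernameConfig{"ldap-simon.macklin", "readonly", n, 8, 63}, r)
		fmt.Println(u, err)
	}
}
```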

Hi @tyrannosaurus-becks

Do you think a PR to adjust the return value of the GenerateUsername func would be accepted if the PR slightly adjusts the func to return a little more of the display name?

Simon

@simonmacklin I do think so, as long as it also maintained backwards compatibility. If you do one, feel free to request my review.

Thanks @tyrannosaurus-becks :)

Hi @tyrannosaurus-becks

Hope you are well.

Do you think this PR would be acceptable? https://github.com/hashicorp/vault/pull/8582

+1 for the issue of not knowing who is using the database.

What would really be awesome (I think) is if we could use the same templating as policies (https://www.vaultproject.io/docs/concepts/policies#templated-policies) when an entity is involved. So, for example, a connected Kubernetes service could lend its name (entity alias name for example) to the database username.
