[VAULT-3379] Add support for contained DBs in MSSQL root rotation and lease revocation#12839
Conversation
```go
// Check if DB is contained
if m.containedDB {
	revokeStmt, err := db.PrepareContext(ctx, fmt.Sprintf("DROP USER IF EXISTS [%s]", username))
```
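Review bot: in the new containedDB branch, username is spliced into the DROP USER IF EXISTS [%s] identifier with fmt.Sprintf. A bracket-quoted identifier cannot be bound as a query parameter, so the value should be validated against the character set Vault generates for usernames (or any ']' doubled to ']]') before it is formatted in; otherwise a name containing ']' ends the identifier early and the rest of the name becomes part of the statement.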
Default user deletion query for contained DBs. Since there are no server logins or database logins, we can simply drop the user. The user still needs permissions, and this is only in the case that no revocation statements are provided.
calvn left a comment:
updateUserPass on L346 can set a query that calls alterLoginSQL, which contains ALTER LOGIN ..., if changePass.Statements.Commands is empty. This may not work with contained DBs though.
@calvn good call! Updated to check if DB is contained on L346
calvn left a comment:
Looks good, but let's force an acceptance test re-run by passing TESTARGS="-count=1" as well.
This PR adds a containedDB field to the Vault plugin's MSSQL implementation in order to support contained DBs like AzureSQL that do not allow cross-DB queries and don't have server logins. This boolean field can be set to skip server login checks during root rotation and also execute a default user deletion query for lease revocation if no revocation statements are provided.

Fixes #10806
Closes #12830

This PR also updates the dependency github.com/denisenkom/go-mssqldb to v0.11.0 and resolves panics in closing SQL connections. A bug in the tests where users were not being deleted after each test has also been fixed.

TODO: Update docs to state the use of containedDB and include the default user deletion query.

Output from acceptance tests (need to follow setup steps listed here):
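The behaviour the description lays out (skip the server-login path when containedDB is set, and fall back to a DROP USER when no revocation statements are given), together with the ALTER LOGIN concern raised in review, as an added Go example that is not the Vault plugin's own code. It assumes Vault-style {{name}} / {{username}} templating for caller-supplied statements, a simplified two-statement default for the non-contained case, and an allow-list regex for generated usernames; all three are assumptions for the example, not behaviour taken from the PR.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Illustrative example, not the Vault MSSQL plugin's own code: how a containedDB flag
// can select the right revocation and rotation SQL while keeping the username safe to
// splice into a T-SQL identifier.

// usernamePattern is an assumed allow-list for generated usernames (letters, digits,
// '_' and '-', up to the 128-character sysname limit).
var usernamePattern = regexp.MustCompile(`^[A-Za-z0-9_-]{1,128}$`)

// quoteIdent wraps a T-SQL identifier in square brackets. A closing bracket inside the
// name is doubled, which is how T-SQL escapes it, so the name cannot end the identifier early.
func quoteIdent(name string) string {
	return "[" + strings.ReplaceAll(name, "]", "]]") + "]"
}

// quoteLiteral turns a string into a single-quoted T-SQL literal, doubling embedded quotes.
// Needed because ALTER USER / ALTER LOGIN do not accept a bound parameter for the password.
func quoteLiteral(s string) string {
	return "'" + strings.ReplaceAll(s, "'", "''") + "'"
}

// revocationStatements returns the SQL to run when a lease is revoked. Caller-supplied
// statements win (with {{name}} / {{username}} substituted, an assumption mirroring Vault's
// templating); otherwise the default depends on whether the DB is contained.
func revocationStatements(containedDB bool, username string, provided []string) ([]string, error) {
	if !usernamePattern.MatchString(username) {
		return nil, errors.New("username contains characters outside the allowed set")
	}
	if len(provided) > 0 {
		out := make([]string, 0, len(provided))
		for _, stmt := range provided {
			stmt = strings.ReplaceAll(stmt, "{{name}}", username)
			stmt = strings.ReplaceAll(stmt, "{{username}}", username)
			out = append(out, stmt)
		}
		return out, nil
	}
	if containedDB {
		// Contained DB: there is no server login, so dropping the database user is enough.
		return []string{"DROP USER IF EXISTS " + quoteIdent(username)}, nil
	}
	// Non-contained DB (simplified assumption for this example): the database user and the
	// server login are separate principals and both must be removed.
	return []string{
		"DROP USER IF EXISTS " + quoteIdent(username),
		"DROP LOGIN " + quoteIdent(username),
	}, nil
}

// rotationStatement returns the password-change SQL used during root rotation. A contained
// DB has no server login, so ALTER LOGIN would fail there; ALTER USER is used instead.
func rotationStatement(containedDB bool, username, newPassword string) (string, error) {
	if !usernamePattern.MatchString(username) {
		return "", errors.New("username contains characters outside the allowed set")
	}
	if containedDB {
		return fmt.Sprintf("ALTER USER %s WITH PASSWORD = %s", quoteIdent(username), quoteLiteral(newPassword)), nil
	}
	return fmt.Sprintf("ALTER LOGIN %s WITH PASSWORD = %s", quoteIdent(username), quoteLiteral(newPassword)), nil
}

func main() {
	// Constructed sample names; nothing here talks to a real server.
	for _, contained := range []bool{true, false} {
		stmts, _ := revocationStatements(contained, "v-token-app-abc123", nil)
		rot, _ := rotationStatement(contained, "vaultadmin", "s3cr3t'pw")
		fmt.Printf("containedDB=%v\n  revoke: %s\n  rotate: %s\n", contained, strings.Join(stmts, "; "), rot)
	}
	// A constructed name carrying ']' is rejected rather than spliced into the identifier.
	if _, err := revocationStatements(true, "evil]name", nil); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The allow-list check runs before any formatting, so the branch that builds a bracket-quoted identifier never sees a name it did not expect; quoteIdent is kept as a second layer for the templated path, where the operator controls the statement text.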