Redshift database plugin support #7994

Closed
briankassouf wants to merge 8 commits into master from redshift-db-plugin

Redshift database plugin support#7994
briankassouf wants to merge 8 commits into
masterfrom
redshift-db-plugin

Conversation

@briankassouf
Contributor

@briankassouf briankassouf commented Dec 10, 2019

This adds a redshift-database-plugin that uses the postgres plugin but lowercases the usernames. Fixes #4052
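As an added illustration (not code from this PR or from Vault), a toy Go model of why the lowercasing matters: Redshift folds ASCII letters in identifiers to lowercase even when they are double-quoted, so a mixed-case generated name is created under a different spelling than the one Vault hands back to the client. The "v-<role>-<suffix>" username layout and the fakeCluster catalog are constructed assumptions for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// foldIdentifier models how Redshift stores identifiers: ASCII letters are
// folded to lowercase even inside double quotes, so CREATE USER "v-Role-AbC"
// actually creates v-role-abc.
func foldIdentifier(ident string) string {
	return strings.Map(func(r rune) rune {
		if r >= 'A' && r <= 'Z' {
			return r + ('a' - 'A')
		}
		return r
	}, ident)
}

// postgresStyleUsername mimics the mixed-case names the generic postgres plugin
// hands out (simplified layout, not Vault's real format); suffix stands in for
// the random part, which can contain capitals.
func postgresStyleUsername(role, suffix string) string {
	return "v-" + role + "-" + suffix
}

// redshiftUsername applies this PR's fix: the same name, lowercased before use.
func redshiftUsername(role, suffix string) string {
	return strings.ToLower(postgresStyleUsername(role, suffix))
}

// fakeCluster is a constructed stand-in for a Redshift user catalog: users are
// stored under their folded name and login is an exact-match lookup.
type fakeCluster struct{ users map[string]bool }

func (c *fakeCluster) createUser(name string) { c.users[foldIdentifier(name)] = true }
func (c *fakeCluster) login(name string) error {
	if !c.users[name] {
		return fmt.Errorf("login as %q failed: no such user", name)
	}
	return nil
}

// roundTrip does what a credential read does: run CREATE USER with the
// generated name, then hand that exact string to the client as its login.
func roundTrip(name string) error {
	c := &fakeCluster{users: map[string]bool{}}
	c.createUser(name)
	return c.login(name)
}

func main() {
	fmt.Println(roundTrip(postgresStyleUsername("CAPS-my-role", "AbC123")), roundTrip(redshiftUsername("CAPS-my-role", "AbC123")))
}
```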

@malnick malnick self-requested a review December 10, 2019 01:34
@briankassouf briankassouf added this to the 1.4 milestone Dec 10, 2019
@malnick
Contributor

malnick commented Dec 10, 2019

Going to test this against Redshift, thanks @briankassouf!

Contributor

@kalafut kalafut left a comment

LGTM

@malnick malnick self-assigned this Dec 12, 2019
@malnick
Contributor

malnick commented Jan 6, 2020

Just as a note. In testing, I had to make modifications for the create statement:

  ./vault write database/config/redshift-db-test \
      plugin_name="redshift-database-plugin" \
      allowed_roles=["my-role", "CAPS-my-role"] \
      connection_url="postgresql://{{username}}:{{password}}@redshift-cluster-1.cnbllhv6qngo.us-east-2.redshift.amazonaws.com:5439/dev" \
      username="vault" \
      password="asdASD123!"

  # test with lowercase role name
  vault write database/roles/my-role \
      db_name=redshift-db-test \
      creation_statements="CREATE USER \"{{name}}\" WITH PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
            GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
      default_ttl="1h" \
      max_ttl="24h"

  # test with uppercase role name
  vault write database/roles/CAPS-my-role \
      db_name=redshift-db-test \
      creation_statements="CREATE USER \"{{name}}\" WITH PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
            GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
      default_ttl="1h" \
      max_ttl="24h"

This fixes the upper case issues we were seeing before. However, revocation still doesn't work, but I'll be working with the redshift team at AWS to get a revocation statement that fixes this.

@malnick
Contributor

malnick commented Jan 7, 2020

I was able to get an e2e test for creating a role (one with and one without caps letters), test the role exists, and then revoke leases without error:

  #./vault secrets enable database
  export VAULT_ADDR=http://localhost:8200

  ./vault secrets enable database || true

  ./vault write database/config/redshift-db-test \
      plugin_name="redshift-database-plugin" \
      allowed_roles="my-role, CAPS-my-role" \
      connection_url="postgresql://{{username}}:{{password}}@redshift-cluster-2.cnbllhv6qngo.us-east-2.redshift.amazonaws.com:5439/dev" \
      username="vault" \
      password="asdASD123!"

  # test with lowercase role name
  # to revoke we need pg_user not pg_role
  vault write database/roles/my-role \
      db_name=redshift-db-test \
      creation_statements="CREATE USER \"{{name}}\" WITH PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
            GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
      revocation_statements="REVOKE ALL ON SCHEMA public FROM \"{{name}}\";" \
      default_ttl="1h" \
      max_ttl="24h"

  ./vault read database/creds/my-role

  # test with uppercase role name
  vault write database/roles/CAPS-my-role \
      db_name=redshift-db-test \
      creation_statements="CREATE USER \"{{name}}\" WITH PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
            GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
      revocation_statements="REVOKE ALL ON SCHEMA public FROM \"{{name}}\";" \
      default_ttl="1h" \
      max_ttl="24h"

  ./vault read database/creds/CAPS-my-role

  # test revoke: the line continuation after revocation_statements is required,
  # otherwise default_ttl/max_ttl are run as separate shell commands
  ./vault lease revoke $(./vault read database/creds/my-role | grep lease_id | cut -d" " -f2- | tr -d '[:space:]')
  ./vault lease revoke $(./vault read database/creds/CAPS-my-role | grep lease_id | cut -d" " -f2- | tr -d '[:space:]')

I haven't poked at the database directly to ensure it does what I think it does, but Vault is no longer complaining about the lease not being revoked.

@malnick
Contributor

malnick commented Jan 21, 2020

Closing in favor of #8144

@malnick malnick closed this Jan 21, 2020
Development

Successfully merging this pull request may close these issues.

[database/postgres] Vault generates credentials that do not work with AWS redshift

3 participants