diff --git a/builtin/logical/database/dbplugin/database.pb.go b/builtin/logical/database/dbplugin/database.pb.go index 06450ce55d..26b1214dd4 100644 --- a/builtin/logical/database/dbplugin/database.pb.go +++ b/builtin/logical/database/dbplugin/database.pb.go 
@@ -699,49 +699,49 @@ var _Database_serviceDesc = grpc.ServiceDesc{ func init() { proto.RegisterFile("builtin/logical/database/dbplugin/database.proto", fileDescriptor0) } var fileDescriptor0 = []byte{ - // 690 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xb4, 0x55, 0x41, 0x4f, 0xdb, 0x4a, - 0x10, 0x96, 0x93, 0x00, 0xc9, 0x80, 0x80, 0xec, 0x03, 0x64, 0xf9, 0xf1, 0xde, 0x43, 0x3e, 0xf0, - 0x40, 0x95, 0xe2, 0x0a, 0x5a, 0xb5, 0xe2, 0xd0, 0xaa, 0x0a, 0x55, 0x55, 0xa9, 0xe2, 0xb0, 0xc0, - 0xad, 0x12, 0xda, 0x38, 0x43, 0xba, 0xc2, 0xf1, 0xba, 0xde, 0x0d, 0x34, 0xfd, 0x03, 0xed, 0xcf, - 0xe8, 0x4f, 0xe9, 0xb1, 0x3f, 0xab, 0xf2, 0xda, 0x6b, 0x6f, 0x62, 0x28, 0x07, 0xda, 0x9b, 0x67, - 0xe6, 0xfb, 0x66, 0xbe, 0x9d, 0x9d, 0x59, 0xc3, 0xe3, 0xc1, 0x84, 0x47, 0x8a, 0xc7, 0x41, 0x24, - 0x46, 0x3c, 0x64, 0x51, 0x30, 0x64, 0x8a, 0x0d, 0x98, 0xc4, 0x60, 0x38, 0x48, 0xa2, 0xc9, 0x88, - 0xc7, 0xa5, 0xa7, 0x97, 0xa4, 0x42, 0x09, 0xd2, 0x36, 0x01, 0xef, 0xbf, 0x91, 0x10, 0xa3, 0x08, - 0x03, 0xed, 0x1f, 0x4c, 0x2e, 0x03, 0xc5, 0xc7, 0x28, 0x15, 0x1b, 0x27, 0x39, 0xd4, 0x7f, 0x0f, - 0xdd, 0xb7, 0x31, 0x57, 0x9c, 0x45, 0xfc, 0x33, 0x52, 0xfc, 0x38, 0x41, 0xa9, 0xc8, 0x16, 0x2c, - 0x86, 0x22, 0xbe, 0xe4, 0x23, 0xd7, 0xd9, 0x71, 0xf6, 0x56, 0x68, 0x61, 0x91, 0x47, 0xd0, 0xbd, - 0xc6, 0x94, 0x5f, 0x4e, 0x2f, 0x42, 0x11, 0xc7, 0x18, 0x2a, 0x2e, 0x62, 0xb7, 0xb1, 0xe3, 0xec, - 0xb5, 0xe9, 0x7a, 0x1e, 0xe8, 0x97, 0xfe, 0xa3, 0x86, 0xeb, 0xf8, 0x14, 0x96, 0xb3, 0xec, 0xbf, - 0x33, 0xaf, 0xff, 0xc3, 0x81, 0x6e, 0x3f, 0x45, 0xa6, 0xf0, 0x5c, 0x62, 0x6a, 0x52, 0x3f, 0x01, - 0x90, 0x8a, 0x29, 0x1c, 0x63, 0xac, 0xa4, 0x4e, 0xbf, 0x7c, 0xb0, 0xd1, 0x33, 0x7d, 0xe8, 0x9d, - 0x96, 0x31, 0x6a, 0xe1, 0xc8, 0x2b, 0x58, 0x9b, 0x48, 0x4c, 0x63, 0x36, 0xc6, 0x8b, 0x42, 0x59, - 0x43, 0x53, 0xdd, 0x8a, 0x7a, 0x5e, 0x00, 0xfa, 0x3a, 0x4e, 0x57, 0x27, 0x33, 0x36, 0x39, 0x02, - 0xc0, 0x4f, 0x09, 0x4f, 0x99, 0x16, 0xdd, 0xd4, 0x6c, 0xaf, 0x97, 0xb7, 0xbd, 
0x67, 0xda, 0xde, - 0x3b, 0x33, 0x6d, 0xa7, 0x16, 0xda, 0xff, 0xe6, 0xc0, 0x3a, 0xc5, 0x18, 0x6f, 0x1e, 0x7e, 0x12, - 0x0f, 0xda, 0x46, 0x98, 0x3e, 0x42, 0x87, 0x96, 0xf6, 0x83, 0x24, 0x22, 0x74, 0x29, 0x5e, 0x8b, - 0x2b, 0xfc, 0xa3, 0x12, 0xfd, 0x17, 0xb0, 0x4d, 0x45, 0x06, 0xa5, 0x42, 0xa8, 0x7e, 0x8a, 0x43, - 0x8c, 0xb3, 0x99, 0x94, 0xa6, 0xe2, 0xbf, 0x73, 0x15, 0x9b, 0x7b, 0x1d, 0x3b, 0xb7, 0xff, 0xbd, - 0x01, 0x50, 0x95, 0x25, 0x01, 0xfc, 0x15, 0x66, 0x23, 0xc2, 0x45, 0x7c, 0x31, 0xa7, 0xb4, 0x43, - 0x89, 0x09, 0x59, 0x84, 0x43, 0xd8, 0x4c, 0xf1, 0x5a, 0x84, 0x35, 0x4a, 0x2e, 0x74, 0xa3, 0x0a, - 0xce, 0x56, 0x49, 0x45, 0x14, 0x0d, 0x58, 0x78, 0x65, 0x53, 0x9a, 0x79, 0x15, 0x13, 0xb2, 0x08, - 0xfb, 0xb0, 0x9e, 0x66, 0xd7, 0x6d, 0xa3, 0x5b, 0x1a, 0xbd, 0xa6, 0xfd, 0xa7, 0x33, 0xcd, 0x32, - 0x32, 0xdd, 0x05, 0x7d, 0xdc, 0xd2, 0xce, 0x9a, 0x51, 0xe9, 0x71, 0x17, 0xf3, 0x66, 0x54, 0x9e, - 0x8c, 0x6b, 0x8a, 0xbb, 0x4b, 0x39, 0xd7, 0xd8, 0xc4, 0x85, 0x25, 0x5d, 0x8a, 0x45, 0x6e, 0x5b, - 0x87, 0x8c, 0xe9, 0x9f, 0xc0, 0xea, 0xec, 0xa8, 0x93, 0x1d, 0x58, 0x3e, 0xe6, 0x32, 0x89, 0xd8, - 0xf4, 0x24, 0xbb, 0xb3, 0xbc, 0x7b, 0xb6, 0x2b, 0xab, 0x44, 0x45, 0x84, 0x27, 0xd6, 0x95, 0x1a, - 0xdb, 0xdf, 0x85, 0x95, 0x7c, 0xf7, 0x65, 0x22, 0x62, 0x89, 0x77, 0x2d, 0xbf, 0xff, 0x0e, 0x88, - 0xbd, 0xce, 0x05, 0xda, 0x1e, 0x16, 0x67, 0x6e, 0x9e, 0x3d, 0x68, 0x27, 0x4c, 0xca, 0x1b, 0x91, - 0x0e, 0x4d, 0x55, 0x63, 0xfb, 0x3e, 0xac, 0x9c, 0x4d, 0x13, 0x2c, 0xf3, 0x10, 0x68, 0xa9, 0x69, - 0x62, 0x72, 0xe8, 0x6f, 0xff, 0x19, 0xfc, 0x73, 0xc7, 0xb0, 0xdd, 0x23, 0x75, 0x09, 0x16, 0x5e, - 0x8f, 0x13, 0x35, 0x3d, 0xf8, 0xd2, 0x82, 0xf6, 0x71, 0xf1, 0xe6, 0x92, 0x00, 0x5a, 0x59, 0x49, - 0xb2, 0x56, 0x6d, 0x80, 0x46, 0x79, 0x5b, 0x95, 0x63, 0x46, 0xd3, 0x1b, 0x80, 0xea, 0xc4, 0xe4, - 0xef, 0x0a, 0x55, 0x7b, 0xd6, 0xbc, 0xed, 0xdb, 0x83, 0x45, 0xa2, 0xe7, 0xd0, 0x29, 0x9f, 0x0f, - 0xe2, 0x55, 0xd0, 0xf9, 0x37, 0xc5, 0x9b, 0x97, 0x96, 0x3d, 0x09, 0xd5, 0x5a, 0xdb, 0x12, 0x6a, - 0xcb, 0x5e, 0xe7, 
0x7e, 0x80, 0xcd, 0x5b, 0xdb, 0x47, 0x76, 0xad, 0x34, 0xbf, 0x58, 0x66, 0xef, - 0xff, 0x7b, 0x71, 0xc5, 0xf9, 0x9e, 0x42, 0x2b, 0x1b, 0x21, 0xb2, 0x59, 0x11, 0xac, 0xdf, 0x89, - 0xdd, 0xdf, 0x99, 0x49, 0xdb, 0x87, 0x85, 0x7e, 0x24, 0xe4, 0x2d, 0x37, 0x52, 0x3b, 0xcb, 0x4b, - 0x80, 0xea, 0xf7, 0x67, 0xf7, 0xa1, 0xf6, 0x53, 0xac, 0x71, 0xfd, 0xe6, 0xd7, 0x86, 0x33, 0x58, - 0xd4, 0xef, 0xe7, 0xe1, 0xcf, 0x00, 0x00, 0x00, 0xff, 0xff, 0xa7, 0x13, 0xfe, 0x55, 0xa5, 0x07, - 0x00, 0x00, + // 694 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xb4, 0x55, 0x51, 0x4f, 0x13, 0x4f, + 0x10, 0xcf, 0xb5, 0x05, 0xda, 0x81, 0x00, 0xdd, 0x3f, 0x90, 0xcb, 0xfd, 0x51, 0xc9, 0x3d, 0x20, + 0xc6, 0xd8, 0x1a, 0xd0, 0x60, 0x78, 0xd0, 0x68, 0x31, 0xc6, 0xc4, 0xf0, 0xb0, 0xc0, 0x9b, 0x09, + 0xd9, 0xb6, 0x43, 0xdd, 0x70, 0xbd, 0x3d, 0x6f, 0xb7, 0x60, 0xfd, 0x02, 0xfa, 0x31, 0xfc, 0x38, + 0x3e, 0xfa, 0x91, 0xcc, 0x6d, 0x6f, 0x6f, 0xb7, 0x3d, 0x90, 0x07, 0xf4, 0xed, 0x66, 0x67, 0x7e, + 0x33, 0xbf, 0xf9, 0xed, 0xec, 0x1c, 0x3c, 0xed, 0x8e, 0x78, 0xa4, 0x78, 0xdc, 0x8e, 0xc4, 0x80, + 0xf7, 0x58, 0xd4, 0xee, 0x33, 0xc5, 0xba, 0x4c, 0x62, 0xbb, 0xdf, 0x4d, 0xa2, 0xd1, 0x80, 0xc7, + 0xc5, 0x49, 0x2b, 0x49, 0x85, 0x12, 0xa4, 0x6e, 0x1c, 0xc1, 0x83, 0x81, 0x10, 0x83, 0x08, 0xdb, + 0xfa, 0xbc, 0x3b, 0x3a, 0x6f, 0x2b, 0x3e, 0x44, 0xa9, 0xd8, 0x30, 0x99, 0x84, 0x86, 0x1f, 0xa1, + 0xf9, 0x3e, 0xe6, 0x8a, 0xb3, 0x88, 0x7f, 0x45, 0x8a, 0x9f, 0x47, 0x28, 0x15, 0xd9, 0x80, 0xf9, + 0x9e, 0x88, 0xcf, 0xf9, 0xc0, 0xf7, 0xb6, 0xbc, 0x9d, 0x25, 0x9a, 0x5b, 0xe4, 0x31, 0x34, 0x2f, + 0x31, 0xe5, 0xe7, 0xe3, 0xb3, 0x9e, 0x88, 0x63, 0xec, 0x29, 0x2e, 0x62, 0xbf, 0xb2, 0xe5, 0xed, + 0xd4, 0xe9, 0xea, 0xc4, 0xd1, 0x29, 0xce, 0x0f, 0x2a, 0xbe, 0x17, 0x52, 0x58, 0xcc, 0xb2, 0xff, + 0xcd, 0xbc, 0xe1, 0x4f, 0x0f, 0x9a, 0x9d, 0x14, 0x99, 0xc2, 0x53, 0x89, 0xa9, 0x49, 0xfd, 0x0c, + 0x40, 0x2a, 0xa6, 0x70, 0x88, 0xb1, 0x92, 0x3a, 0xfd, 0xe2, 0xee, 0x5a, 0xcb, 0xe8, 0xd0, 
0x3a, + 0x2e, 0x7c, 0xd4, 0x89, 0x23, 0xaf, 0x61, 0x65, 0x24, 0x31, 0x8d, 0xd9, 0x10, 0xcf, 0x72, 0x66, + 0x15, 0x0d, 0xf5, 0x2d, 0xf4, 0x34, 0x0f, 0xe8, 0x68, 0x3f, 0x5d, 0x1e, 0x4d, 0xd9, 0xe4, 0x00, + 0x00, 0xbf, 0x24, 0x3c, 0x65, 0x9a, 0x74, 0x55, 0xa3, 0x83, 0xd6, 0x44, 0xf6, 0x96, 0x91, 0xbd, + 0x75, 0x62, 0x64, 0xa7, 0x4e, 0x74, 0xf8, 0xc3, 0x83, 0x55, 0x8a, 0x31, 0x5e, 0xdd, 0xbd, 0x93, + 0x00, 0xea, 0x86, 0x98, 0x6e, 0xa1, 0x41, 0x0b, 0xfb, 0x4e, 0x14, 0x11, 0x9a, 0x14, 0x2f, 0xc5, + 0x05, 0xfe, 0x53, 0x8a, 0xe1, 0x4b, 0xd8, 0xa4, 0x22, 0x0b, 0xa5, 0x42, 0xa8, 0x4e, 0x8a, 0x7d, + 0x8c, 0xb3, 0x99, 0x94, 0xa6, 0xe2, 0xfd, 0x99, 0x8a, 0xd5, 0x9d, 0x86, 0x9b, 0x3b, 0xfc, 0x55, + 0x01, 0xb0, 0x65, 0xc9, 0x1e, 0xfc, 0xd7, 0xcb, 0x46, 0x84, 0x8b, 0xf8, 0x6c, 0x86, 0x69, 0xe3, + 0x4d, 0xc5, 0xf7, 0x28, 0x31, 0x6e, 0x07, 0xb4, 0x0f, 0xeb, 0x29, 0x5e, 0x8a, 0x5e, 0x09, 0x56, + 0x29, 0x60, 0x6b, 0x36, 0x60, 0xba, 0x5a, 0x2a, 0xa2, 0xa8, 0xcb, 0x7a, 0x17, 0x2e, 0xac, 0x6a, + 0xab, 0x19, 0xb7, 0x03, 0x7a, 0x02, 0xab, 0x69, 0x76, 0xf5, 0x2e, 0xa2, 0x56, 0x20, 0x56, 0xb4, + 0xef, 0x78, 0x4a, 0x3c, 0x43, 0xd9, 0x9f, 0xd3, 0xed, 0x17, 0x76, 0x26, 0x8e, 0xe5, 0xe5, 0xcf, + 0x4f, 0xc4, 0xb1, 0x27, 0x19, 0xd6, 0x10, 0xf0, 0x17, 0x26, 0x58, 0x63, 0x13, 0x1f, 0x16, 0x74, + 0x29, 0x16, 0xf9, 0x75, 0xed, 0x32, 0x66, 0x78, 0x04, 0xcb, 0xd3, 0xa3, 0x4f, 0xb6, 0x60, 0xf1, + 0x90, 0xcb, 0x24, 0x62, 0xe3, 0xa3, 0xec, 0x0e, 0xb5, 0x9a, 0xd4, 0x3d, 0xca, 0x2a, 0x51, 0x11, + 0xe1, 0x91, 0x73, 0xc5, 0xc6, 0x0e, 0xb7, 0x61, 0x69, 0xb2, 0x0b, 0x64, 0x22, 0x62, 0x89, 0x37, + 0x2d, 0x83, 0xf0, 0x03, 0x10, 0xf7, 0x79, 0xe7, 0xd1, 0xee, 0xf0, 0x78, 0x33, 0xf3, 0x1d, 0x40, + 0x3d, 0x61, 0x52, 0x5e, 0x89, 0xb4, 0x6f, 0xaa, 0x1a, 0x3b, 0x0c, 0x61, 0xe9, 0x64, 0x9c, 0x60, + 0x91, 0x87, 0x40, 0x4d, 0x8d, 0x13, 0x93, 0x43, 0x7f, 0x87, 0xfb, 0x70, 0xef, 0x86, 0xe1, 0xbb, + 0x85, 0xea, 0x02, 0xcc, 0xbd, 0x1d, 0x26, 0x6a, 0xbc, 0xfb, 0xad, 0x06, 0xf5, 0xc3, 0x7c, 0x07, + 0x93, 0x36, 0xd4, 0xb2, 0x92, 
0x64, 0xc5, 0xbe, 0x08, 0x1d, 0x15, 0x6c, 0xd8, 0x83, 0x29, 0x4e, + 0xef, 0x00, 0x6c, 0xc7, 0xe4, 0x7f, 0x1b, 0x55, 0x5a, 0x73, 0xc1, 0xe6, 0xf5, 0xce, 0x3c, 0xd1, + 0x0b, 0x68, 0x14, 0xeb, 0x84, 0x04, 0x36, 0x74, 0x76, 0xc7, 0x04, 0xb3, 0xd4, 0xb2, 0x15, 0x61, + 0x9f, 0xb9, 0x4b, 0xa1, 0xf4, 0xf8, 0xcb, 0xd8, 0x4f, 0xb0, 0x7e, 0xad, 0x7c, 0x64, 0xdb, 0x49, + 0xf3, 0x87, 0xc7, 0x1d, 0x3c, 0xbc, 0x35, 0x2e, 0xef, 0xef, 0x39, 0xd4, 0xb2, 0x11, 0x22, 0xeb, + 0x16, 0xe0, 0xfc, 0x5e, 0x5c, 0x7d, 0xa7, 0x26, 0xed, 0x11, 0xcc, 0x75, 0x22, 0x21, 0xaf, 0xb9, + 0x91, 0x52, 0x2f, 0xaf, 0x00, 0xec, 0xef, 0xd0, 0xd5, 0xa1, 0xf4, 0x93, 0x2c, 0x61, 0xc3, 0xea, + 0xf7, 0x8a, 0xd7, 0x9d, 0xd7, 0xfb, 0x74, 0xef, 0x77, 0x00, 0x00, 0x00, 0xff, 0xff, 0x16, 0x83, + 0xe7, 0x77, 0xb5, 0x07, 0x00, 0x00, } diff --git a/builtin/logical/database/dbplugin/database.proto b/builtin/logical/database/dbplugin/database.proto index 52d7c8c228..6914210ad0 100644 --- a/builtin/logical/database/dbplugin/database.proto +++ b/builtin/logical/database/dbplugin/database.proto @@ -37,13 +37,13 @@ message RotateRootCredentialsRequest { message Statements { // DEPRECATED, will be removed in 0.12 - string creation_statements = 1; + string creation_statements = 1 [deprecated=true]; // DEPRECATED, will be removed in 0.12 - string revocation_statements = 2; + string revocation_statements = 2 [deprecated=true]; // DEPRECATED, will be removed in 0.12 - string rollback_statements = 3; + string rollback_statements = 3 [deprecated=true]; // DEPRECATED, will be removed in 0.12 - string renew_statements = 4; + string renew_statements = 4 [deprecated=true]; repeated string creation = 5; repeated string revocation = 6; diff --git a/website/source/api/secret/databases/cassandra.html.md b/website/source/api/secret/databases/cassandra.html.md index efb3e7aba3..c5d5e67579 100644 --- a/website/source/api/secret/databases/cassandra.html.md +++ b/website/source/api/secret/databases/cassandra.html.md 
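Review bot: Adding `[deprecated=true]` to `creation_statements`, `revocation_statements`, `rollback_statements` and `renew_statements` in `message Statements` marks them for tooling but does nothing to protect tags 1–4 or their names once the fields are dropped in 0.12, as the comments announce. This message crosses the gRPC plugin boundary (`_Database_serviceDesc` in the generated file, and the custom-plugin docs in this same change), so a later field that reuses one of those tags could be misread by a plugin binary built against the older descriptor. Record the removal plan now so it is not forgotten, e.g. `// DEPRECATED, will be removed in 0.12; add "reserved 1 to 4;" and reserve the four field names when removing.` The `Statements` message continues past the end of the hunk.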
@@ -110,7 +110,7 @@ API](/api/secret/databases/index.html#create-role) in the database secrets engin The following are the statements used by this plugin. If not mentioned in this list the plugin does not support that statement type. -- `creation_statements` `(string: "")` – Specifies the database +- `creation_statements` `(list: [])` – Specifies the database statements executed to create and configure a user. Must be a semicolon-separated string, a base64-encoded semicolon-separated string, a serialized JSON string array, or a base64-encoded serialized JSON string @@ -118,13 +118,13 @@ list the plugin does not support that statement type. provided, defaults to a generic create user statements that creates a non-superuser. -- `revocation_statements` `(string: "")` – Specifies the database statements to +- `revocation_statements` `(list: [])` – Specifies the database statements to be executed to revoke a user. Must be a semicolon-separated string, a base64-encoded semicolon-separated string, a serialized JSON string array, or a base64-encoded serialized JSON string array. The '{{name}}' value will be substituted. If not provided defaults to a generic drop user statement. -- `rollback_statements` `(string: "")` – Specifies the database statements to be +- `rollback_statements` `(list: [])` – Specifies the database statements to be executed to rollback a create operation in the event of an error. Must be a semicolon-separated string, a base64-encoded semicolon-separated string, a serialized JSON string array, or a base64-encoded serialized JSON string diff --git a/website/source/api/secret/databases/hanadb.html.md b/website/source/api/secret/databases/hanadb.html.md index cff0004958..1802d7f125 100644 --- a/website/source/api/secret/databases/hanadb.html.md +++ b/website/source/api/secret/databases/hanadb.html.md 
@@ -23,7 +23,10 @@ has a number of parameters to further configure a connection. | `POST` | `/database/config/:name` | `204 (empty body)` | ### Parameters -- `connection_url` `(string: )` - Specifies the HANA DSN. +- `connection_url` `(string: )` - Specifies the HANA DSN. This field + can be templated and supports passing the username and password + parameters in the following format {{field_name}}. A templated connection URL is + required when using root credential rotation. - `max_open_connections` `(int: 2)` - Specifies the maximum number of open connections to the database. @@ -36,15 +39,21 @@ has a number of parameters to further configure a connection. - `max_connection_lifetime` `(string: "0s")` - Specifies the maximum amount of time a connection may be reused. If <= 0s connections are reused forever. +- `username` `(string: "")` - The root credential username used in the connection URL. + +- `password` `(string: "")` - The root credential password used in the connection URL. + ### Sample Payload ```json { "plugin_name": "hana-database-plugin", "allowed_roles": "readonly", - "connection_url": "hdb://username:password@localhost:1433", + "connection_url": "hdb://{{username}}:{{password}}@localhost:1433", "max_open_connections": 5, "max_connection_lifetime": "5s", + "username": "username", + "password": "password } ``` @@ -70,7 +79,7 @@ API](/api/secret/databases/index.html#create-role) in the database secrets engin The following are the statements used by this plugin. If not mentioned in this list the plugin does not support that statement type. -- `creation_statements` `(string: )` – Specifies the database +- `creation_statements` `(llist: )` – Specifies the database statements executed to create and configure a user. Must be a semicolon-separated string, a base64-encoded semicolon-separated string, a serialized JSON string array, or a base64-encoded serialized JSON string 
@@ -79,7 +88,7 @@ list the plugin does not support that statement type. - The expiration time will be HANA server time plus the role's `default_ttl`. If `default_ttl` is 0 or not set, a SQL HdbError 438 will be returned. -- `revocation_statements` `(string: "")` – Specifies the database statements to +- `revocation_statements` `(list: [])` – Specifies the database statements to be executed to revoke a user. Must be a semicolon-separated string, a base64-encoded semicolon-separated string, a serialized JSON string array, or a base64-encoded serialized JSON string array. The '{{name}}' value will be diff --git a/website/source/api/secret/databases/index.html.md b/website/source/api/secret/databases/index.html.md index ac8b8d683b..ba1114029d 100644 --- a/website/source/api/secret/databases/index.html.md +++ b/website/source/api/secret/databases/index.html.md @@ -39,9 +39,12 @@ list of additional parameters. - `verify_connection` `(bool: true)` – Specifies if the connection is verified during initial configuration. Defaults to true. -- `allowed_roles` `(slice: [])` - Array or comma separated string of the roles - allowed to use this connection. Defaults to empty (no roles), if contains a - "*" any role can use this connection. +- `allowed_roles` `(list: [])` - List of the roles allowed to use this connection. + Defaults to empty (no roles), if contains a "*" any role can use this connection. + +- `root_rotation_statements` `(list: [])` - Specifies the database statements to be + executed to rotate the root user's credentials. See the plugin's API page for more + information on support and formatting for this parameter. ### Sample Payload @@ -49,7 +52,9 @@ list of additional parameters. { "plugin_name": "mysql-database-plugin", "allowed_roles": "readonly", - "connection_url": "root:mysql@tcp(127.0.0.1:3306)/" + "connection_url": "{{username}}:{{password}}@tcp(127.0.0.1:3306)/", + "username": "root", + "password": "mysql" } ``` 
@@ -94,7 +99,8 @@ $ curl \ "readonly" ], "connection_details": { - "connection_url": "root:mysql@tcp(127.0.0.1:3306)/", + "connection_url": "{{username}}:{{password}}@tcp(127.0.0.1:3306)/", + "username": "root" }, "plugin_name": "mysql-database-plugin" }, @@ -174,6 +180,30 @@ $ curl \ http://127.0.0.1:8200/v1/database/reset/mysql ``` +## Rotate Root Credentials + +This endpoint is used to rotate the root superuser credentials stored for +the database connection. This user must have permissions to update its own +password. + +| Method | Path | Produces | +| :------- | :---------------------------- | :--------------------- | +| `POST` | `/database/rotate-root/:name` | `204 (empty body)` | + +### Parameters + +- `name` `(string: )` – Specifies the name of the connection to rotate. + This is specified as part of the URL. + +### Sample Request + +``` +$ curl \ + --header "X-Vault-Token: ..." \ + --request POST \ + http://127.0.0.1:8200/v1/database/rotate-root/mysql +``` + ## Create Role This endpoint creates or updates a role definition. 
@@ -198,20 +228,20 @@ This endpoint creates or updates a role definition. associated with this role. Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to system/engine default TTL time. -- `creation_statements` `(string: )` – Specifies the database +- `creation_statements` `(list: )` – Specifies the database statements executed to create and configure a user. See the plugin's API page for more information on support and formatting for this parameter. -- `revocation_statements` `(string: "")` – Specifies the database statements to +- `revocation_statements` `(list: [])` – Specifies the database statements to be executed to revoke a user. See the plugin's API page for more information on support and formatting for this parameter. -- `rollback_statements` `(string: "")` – Specifies the database statements to be +- `rollback_statements` `(list: [])` – Specifies the database statements to be executed rollback a create operation in the event of an error. Not every plugin type will support this functionality. See the plugin's API page for more information on support and formatting for this parameter. -- `renew_statements` `(string: "")` – Specifies the database statements to be +- `renew_statements` `(list: [])` – Specifies the database statements to be executed to renew a user. Not every plugin type will support this functionality. See the plugin's API page for more information on support and formatting for this parameter. @@ -223,7 +253,7 @@ This endpoint creates or updates a role definition. ```json { "db_name": "mysql", - "creation_statements": "CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';", + "creation_statements": ["CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'", "GRANT SELECT ON *.* TO '{{name}}'@'%'"], "default_ttl": "1h", "max_ttl": "24h" } 
@@ -265,13 +295,13 @@ $ curl \ ```json { "data": { - "creation_statements": "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";", + "creation_statements": ["CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';"], "GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";"], "db_name": "mysql", "default_ttl": 3600, "max_ttl": 86400, - "renew_statements": "", - "revocation_statements": "", - "rollback_statements": "" + "renew_statements": [], + "revocation_statements": [], + "rollback_statements": [] }, } ``` diff --git a/website/source/api/secret/databases/mongodb.html.md b/website/source/api/secret/databases/mongodb.html.md index 6f16df18e7..26dce1a1cd 100644 --- a/website/source/api/secret/databases/mongodb.html.md +++ b/website/source/api/secret/databases/mongodb.html.md @@ -25,12 +25,16 @@ has a number of parameters to further configure a connection. ### Parameters - `connection_url` `(string: )` – Specifies the MongoDB standard - connection string (URI). + connection string (URI). This field can be templated and supports passing the + username and password parameters in the following format {{field_name}}. A + templated connection URL is required when using root credential rotation. - `write_concern` `(string: "")` - Specifies the MongoDB [write concern][mongodb-write-concern]. This is set for the entirety of the session, maintained for the lifecycle of the plugin process. Must be a serialized JSON object, or a base64-encoded serialized JSON object. The JSON payload values map to the values in the [Safe][mgo-safe] struct from the mgo driver. +- `username` `(string: "")` - The root credential username used in the connection URL. +- `password` `(string: "")` - The root credential password used in the connection URL. ### Sample Payload 
@@ -38,8 +42,10 @@ has a number of parameters to further configure a connection. { "plugin_name": "mongodb-database-plugin", "allowed_roles": "readonly", - "connection_url": "mongodb://admin:Password!@mongodb.acme.com:27017/admin?ssl=true", - "write_concern": "{ \"wmode\": \"majority\", \"wtimeout\": 5000 }" + "connection_url": "mongodb://{{username}}:{{password}}@mongodb.acme.com:27017/admin?ssl=true", + "write_concern": "{ \"wmode\": \"majority\", \"wtimeout\": 5000 }", + "username": "admin", + "password": "Password!" } ``` diff --git a/website/source/api/secret/databases/mssql.html.md b/website/source/api/secret/databases/mssql.html.md index 441e8b4514..2e4e61e261 100644 --- a/website/source/api/secret/databases/mssql.html.md +++ b/website/source/api/secret/databases/mssql.html.md @@ -23,7 +23,10 @@ has a number of parameters to further configure a connection. | `POST` | `/database/config/:name` | `204 (empty body)` | ### Parameters -- `connection_url` `(string: )` - Specifies the MSSQL DSN. +- `connection_url` `(string: )` - Specifies the MSSQL DSN. This field + can be templated and supports passing the username and password + parameters in the following format {{field_name}}. A templated connection URL is + required when using root credential rotation. - `max_open_connections` `(int: 2)` - Specifies the maximum number of open connections to the database. 
@@ -36,15 +39,21 @@ has a number of parameters to further configure a connection. - `max_connection_lifetime` `(string: "0s")` - Specifies the maximum amount of time a connection may be reused. If <= 0s connections are reused forever. +- `username` `(string: "")` - The root credential username used in the connection URL. + +- `password` `(string: "")` - The root credential password used in the connection URL. + ### Sample Payload ```json { "plugin_name": "mssql-database-plugin", "allowed_roles": "readonly", - "connection_url": "sqlserver://sa:yourStrong(!)Password@localhost:1433", + "connection_url": "sqlserver://{{username}}:{{password}}@localhost:1433", "max_open_connections": 5, "max_connection_lifetime": "5s", + "username": "sa", + "password": "yourStrong(!)Password" } ``` @@ -70,13 +79,13 @@ API](/api/secret/databases/index.html#create-role) in the database secrets engin The following are the statements used by this plugin. If not mentioned in this list the plugin does not support that statement type. -- `creation_statements` `(string: )` – Specifies the database +- `creation_statements` `(list: )` – Specifies the database statements executed to create and configure a user. Must be a semicolon-separated string, a base64-encoded semicolon-separated string, a serialized JSON string array, or a base64-encoded serialized JSON string array. The '{{name}}' and '{{password}}' values will be substituted. -- `revocation_statements` `(string: "")` – Specifies the database statements to +- `revocation_statements` `(list: [])` – Specifies the database statements to be executed to revoke a user. Must be a semicolon-separated string, a base64-encoded semicolon-separated string, a serialized JSON string array, or a base64-encoded serialized JSON string array. The '{{name}}' value will be diff --git a/website/source/api/secret/databases/mysql-maria.html.md b/website/source/api/secret/databases/mysql-maria.html.md index bb7aa5e36e..24a9f8056d 100644 
--- a/website/source/api/secret/databases/mysql-maria.html.md +++ b/website/source/api/secret/databases/mysql-maria.html.md @@ -23,7 +23,10 @@ has a number of parameters to further configure a connection. | `POST` | `/database/config/:name` | `204 (empty body)` | ### Parameters -- `connection_url` `(string: )` - Specifies the MySQL DSN. +- `connection_url` `(string: )` - Specifies the MySQL DSN. This field + can be templated and supports passing the username and password + parameters in the following format {{field_name}}. A templated connection URL is + required when using root credential rotation. - `max_open_connections` `(int: 2)` - Specifies the maximum number of open connections to the database. @@ -36,15 +39,21 @@ has a number of parameters to further configure a connection. - `max_connection_lifetime` `(string: "0s")` - Specifies the maximum amount of time a connection may be reused. If <= 0s connections are reused forever. +- `username` `(string: "")` - The root credential username used in the connection URL. + +- `password` `(string: "")` - The root credential password used in the connection URL. + ### Sample Payload ```json { "plugin_name": "mysql-database-plugin", "allowed_roles": "readonly", - "connection_url": "root:mysql@tcp(127.0.0.1:3306)/", + "connection_url": "{{username}}:{{password}}@tcp(127.0.0.1:3306)/", "max_open_connections": 5, "max_connection_lifetime": "5s", + "username": "root", + "password": "mysql" } ``` 
@@ -70,13 +79,13 @@ API](/api/secret/databases/index.html#create-role) in the database secrets engin The following are the statements used by this plugin. If not mentioned in this list the plugin does not support that statement type. -- `creation_statements` `(string: )` – Specifies the database +- `creation_statements` `(list: )` – Specifies the database statements executed to create and configure a user. Must be a semicolon-separated string, a base64-encoded semicolon-separated string, a serialized JSON string array, or a base64-encoded serialized JSON string array. The '{{name}}' and '{{password}}' values will be substituted. -- `revocation_statements` `(string: "")` – Specifies the database statements to +- `revocation_statements` `(list: [])` – Specifies the database statements to be executed to revoke a user. Must be a semicolon-separated string, a base64-encoded semicolon-separated string, a serialized JSON string array, or a base64-encoded serialized JSON string array. The '{{name}}' value will be diff --git a/website/source/api/secret/databases/postgresql.html.md b/website/source/api/secret/databases/postgresql.html.md index 726d90709f..0efe5e3871 100644 --- a/website/source/api/secret/databases/postgresql.html.md +++ b/website/source/api/secret/databases/postgresql.html.md @@ -23,7 +23,10 @@ has a number of parameters to further configure a connection. | `POST` | `/database/config/:name` | `204 (empty body)` | ### Parameters -- `connection_url` `(string: )` - Specifies the PostgreSQL DSN. +- `connection_url` `(string: )` - Specifies the PostgreSQL DSN. This field + can be templated and supports passing the username and password + parameters in the following format {{field_name}}. A templated connection URL is + required when using root credential rotation. - `max_open_connections` `(int: 2)` - Specifies the maximum number of open connections to the database. 
@@ -36,15 +39,21 @@ has a number of parameters to further configure a connection. - `max_connection_lifetime` `(string: "0s")` - Specifies the maximum amount of time a connection may be reused. If <= 0s connections are reused forever. +- `username` `(string: "")` - The root credential username used in the connection URL. + +- `password` `(string: "")` - The root credential password used in the connection URL. + ### Sample Payload ```json { "plugin_name": "postgresql-database-plugin", "allowed_roles": "readonly", - "connection_url": "postgresql://root:root@localhost:5432/postgres", + "connection_url": "postgresql://{{username}}:{{password}}@localhost:5432/postgres", "max_open_connections": 5, "max_connection_lifetime": "5s", + "username": "username", + "password": "password" } ``` 
@@ -70,27 +79,27 @@ API](/api/secret/databases/index.html#create-role) in the database secrets engin The following are the statements used by this plugin. If not mentioned in this list the plugin does not support that statement type. -- `creation_statements` `(string: )` – Specifies the database +- `creation_statements` `(list: )` – Specifies the database statements executed to create and configure a user. Must be a semicolon-separated string, a base64-encoded semicolon-separated string, a serialized JSON string array, or a base64-encoded serialized JSON string array. The '{{name}}', '{{password}}' and '{{expiration}}' values will be substituted. -- `revocation_statements` `(string: "")` – Specifies the database statements to +- `revocation_statements` `(list: [])` – Specifies the database statements to be executed to revoke a user. Must be a semicolon-separated string, a base64-encoded semicolon-separated string, a serialized JSON string array, or a base64-encoded serialized JSON string array. The '{{name}}' value will be substituted. If not provided defaults to a generic drop user statement. -- `rollback_statements` `(string: "")` – Specifies the database statements to be +- `rollback_statements` `(list: [])` – Specifies the database statements to be executed rollback a create operation in the event of an error. Not every plugin type will support this functionality. Must be a semicolon-separated string, a base64-encoded semicolon-separated string, a serialized JSON string array, or a base64-encoded serialized JSON string array. The '{{name}}' value will be substituted. -- `renew_statements` `(string: "")` – Specifies the database statements to be +- `renew_statements` `(list: [])` – Specifies the database statements to be executed to renew a user. Not every plugin type will support this functionality. Must be a semicolon-separated string, a base64-encoded semicolon-separated string, a serialized JSON string array, or a 
diff --git a/website/source/docs/secrets/databases/custom.html.md b/website/source/docs/secrets/databases/custom.html.md index 6314721e41..9f22eaa0a1 100644 --- a/website/source/docs/secrets/databases/custom.html.md +++ b/website/source/docs/secrets/databases/custom.html.md @@ -33,11 +33,11 @@ All plugins for the database secrets engine must implement the same simple inter ```go type Database interface { Type() (string, error) - CreateUser(statements Statements, usernameConfig UsernameConfig, expiration time.Time) (username string, password string, err error) - RenewUser(statements Statements, username string, expiration time.Time) error - RevokeUser(statements Statements, username string) error - - Initialize(config map[string]interface{}, verifyConnection bool) error + CreateUser(ctx context.Context, statements Statements, usernameConfig UsernameConfig, expiration time.Time) (username string, password string, err error) + RenewUser(ctx context.Context, statements Statements, username string, expiration time.Time) error + RevokeUser(ctx context.Context, statements Statements, username string) error + RotateRootCredentials(ctx context.Context, statements []string) (config map[string]interface{}, err error) + Init(ctx context.Context, config map[string]interface{}, verifyConnection bool) (saveConfig map[string]interface{}, err error) Close() error } ``` @@ -48,10 +48,10 @@ statements to the plugin on function call. The struct is defined as: ```go type Statements struct { - CreationStatements string - RevocationStatements string - RollbackStatements string - RenewStatements string + Creation []string + Revocation []string + Rollback []string + Renewal []string } ``` diff --git a/website/source/docs/secrets/databases/hanadb.html.md b/website/source/docs/secrets/databases/hanadb.html.md index c495649031..e2980cf4eb 100644 --- a/website/source/docs/secrets/databases/hanadb.html.md +++ b/website/source/docs/secrets/databases/hanadb.html.md 
@@ -34,8 +34,10 @@ more information about setting up the database secrets engine.
 ```text
 $ vault write database/config/my-hana-database \
 plugin_name=hana-database-plugin \
- connection_url="hdb://username:password@localhost:1433" \
- allowed_roles="my-role"
+ connection_url="hdb://{{username}}:{{password}}@localhost:1433" \
+ allowed_roles="my-role" \
+ username="username" \
+ password="password"
 ```
 1. Configure a role that maps a name in Vault to an SQL statement to execute to
diff --git a/website/source/docs/secrets/databases/index.html.md b/website/source/docs/secrets/databases/index.html.md
index de72dc81b6..ac1ed31239 100644
--- a/website/source/docs/secrets/databases/index.html.md
+++ b/website/source/docs/secrets/databases/index.html.md
@@ -48,7 +48,9 @@ management tool.
 $ vault write database/config/my-database \
 plugin_name="..." \
 connection_url="..." \
- allowed_roles="..."
+ allowed_roles="..." \
+ username="..." \
+ password="..."
 ```
 This secrets engine can configure multiple database connections. For details
diff --git a/website/source/docs/secrets/databases/mongodb.html.md b/website/source/docs/secrets/databases/mongodb.html.md
index 3d8c5ab5ff..1dccaeb378 100644
--- a/website/source/docs/secrets/databases/mongodb.html.md
+++ b/website/source/docs/secrets/databases/mongodb.html.md
@@ -35,7 +35,9 @@ more information about setting up the database secrets engine.
 $ vault write database/config/my-mongodb-database \
 plugin_name=mongodb-database-plugin \
 allowed_roles="my-role" \
- connection_url="mongodb://admin:Password!@mongodb.acme.com:27017/admin?ssl=true"
+ connection_url="mongodb://{{username}}:{{password}}@mongodb.acme.com:27017/admin?ssl=true" \
+ username="admin" \
+ password="Password!"
 ```
 1. Configure a role that maps a name in Vault to an SQL statement to execute to
diff --git a/website/source/docs/secrets/databases/mssql.html.md b/website/source/docs/secrets/databases/mssql.html.md
index 2534314bdb..121fb197d9 100644
--- a/website/source/docs/secrets/databases/mssql.html.md
+++ b/website/source/docs/secrets/databases/mssql.html.md
@@ -35,8 +35,10 @@ more information about setting up the database secrets engine.
 ```text
 $ vault write database/config/my-mssql-database \
 plugin_name=mssql-database-plugin \
- connection_url='sqlserver://sa:yourStrong(!)Password@localhost:1433' \
- allowed_roles="my-role"
+ connection_url='sqlserver://{{username}}:{{password}}@localhost:1433' \
+ allowed_roles="my-role" \
+ username="sa" \
+ password="yourStrong(!)Password"
 ```
 In this case, we've configured Vault with the user "sa" and password
diff --git a/website/source/docs/secrets/databases/mysql-maria.html.md b/website/source/docs/secrets/databases/mysql-maria.html.md
index 48770a90fa..3f549a1a66 100644
--- a/website/source/docs/secrets/databases/mysql-maria.html.md
+++ b/website/source/docs/secrets/databases/mysql-maria.html.md
@@ -44,8 +44,10 @@ more information about setting up the database secrets engine.
 ```text
 $ vault write database/config/my-mysql-database \
 plugin_name=mysql-database-plugin \
- connection_url="root:mysql@tcp(127.0.0.1:3306)/" \
- allowed_roles="my-role"
+ connection_url="{{username}}:{{password}}@tcp(127.0.0.1:3306)/" \
+ allowed_roles="my-role" \
+ username="root" \
+ password="mysql"
 ```
 1. Configure a role that maps a name in Vault to an SQL statement to execute to
diff --git a/website/source/docs/secrets/databases/postgresql.html.md b/website/source/docs/secrets/databases/postgresql.html.md
index 14a4734f97..fa07819962 100644
--- a/website/source/docs/secrets/databases/postgresql.html.md
+++ b/website/source/docs/secrets/databases/postgresql.html.md
@@ -35,7 +35,9 @@ more information about setting up the database secrets engine.
 $ vault write database/config/my-postgresql-database \
 plugin_name=postgresql-database-plugin \
 allowed_roles="my-role" \
- connection_url="postgresql://root:root@localhost:5432/"
+ connection_url="postgresql://{{username}}:{{password}}@localhost:5432/" \
+ username="root" \
+ password="root"
 ```
 1. Configure a role that maps a name in Vault to an SQL statement to execute to