diff --git a/builtin/logical/mysql/path_role_create.go b/builtin/logical/mysql/path_role_create.go
index ece4dc5846..369dee4d8f 100644
--- a/builtin/logical/mysql/path_role_create.go
+++ b/builtin/logical/mysql/path_role_create.go
@@ -2,7 +2,6 @@ package mysql
 
 import (
 	"fmt"
-	"math/rand"
 	"time"
 
 	"github.com/hashicorp/vault/logical"
@@ -51,10 +50,15 @@ func (b *backend) pathRoleCreateRead(
 		lease = &configLease{Lease: 1 * time.Hour}
 	}
 
-	// Generate our username and password
-	username := fmt.Sprintf(
-		"vault-%s-%d-%d",
-		req.DisplayName, time.Now().Unix(), rand.Int31n(10000))
+	// Generate our username and password. MySQL limits user to 16 characters
+	displayName := req.DisplayName
+	if len(displayName) > 10 {
+		displayName = displayName[:10]
+	}
+	username := fmt.Sprintf("%s-%s", displayName, generateUUID())
+	if len(username) > 16 {
+		username = username[:16]
+	}
 	password := generateUUID()
 
 	// Get our connection
diff --git a/builtin/logical/mysql/secret_creds.go b/builtin/logical/mysql/secret_creds.go
index fc1bae7854..5bed159764 100644
--- a/builtin/logical/mysql/secret_creds.go
+++ b/builtin/logical/mysql/secret_creds.go
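Review bot: The byte slice `displayName[:10]` can cut a multi-byte UTF-8 rune in half, and once `username[:16]` is applied a 10-byte display name leaves only five characters of the UUID, so two leases issued for the same display name have a non-trivial chance of colliding on the later user creation. The added comment should state the budget so the next maintainer does not widen the prefix, e.g. `// MySQL limits user names to 16 characters: keep at most 10 bytes of the display name, the rest is filled by the UUID, which is the only part that makes the name unique.` Slicing by rune (`[]rune(displayName)[:10]`) and keeping the display-name cap small would preserve more of the random suffix. Where `username` is used afterwards is outside the hunk; pathRoleCreateRead continues past it.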
@@ -74,23 +74,17 @@ func (b *backend) secretCredsRevoke(
 	// drop, because MySQL explicitly documents that open user connections
 	// will not be closed. By revoking all grants, at least we ensure
 	// that the open connection is useless.
-	stmt, err := tx.Prepare("REVOKE ALL PRIVILEGES, GRANT OPTION FROM ?")
+	_, err = tx.Exec("REVOKE ALL PRIVILEGES, GRANT OPTION FROM '" + username + "'@'%'")
 	if err != nil {
 		return nil, err
 	}
-	if _, err := stmt.Exec(username); err != nil {
-		return nil, err
-	}
 
 	// Drop this user. This only affects the next connection, which is
 	// why we do the revoke initially.
-	stmt, err = db.Prepare("DROP USER ?")
+	_, err = tx.Exec("DROP USER '" + username + "'@'%'")
 	if err != nil {
 		return nil, err
 	}
-	if _, err := stmt.Exec(username); err != nil {
-		return nil, err
-	}
 
 	// Commit the transaction
 	if err := tx.Commit(); err != nil {
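Review bot: Both `tx.Exec` calls now splice `username` straight into the SQL text with no escaping, where the old code used a `?` placeholder; MySQL does not take a bind parameter for the account name in REVOKE or DROP USER, which is presumably why the change was made, but the name still needs a guard because it is built in pathRoleCreateRead from the request display name (truncated) and a `'` or `\` in that prefix breaks the statement or changes its meaning. Reject such names before the first Exec, e.g. `if strings.ContainsAny(username, "'\\") { return nil, fmt.Errorf("invalid username %q", username) }` (needs strings and fmt imported if they are not already), or validate the display name where the username is generated. The `'@'%'` host is hard-coded in both statements; if the role's creation SQL ever creates the user with a different host part, the DROP USER will fail and the account outlives its lease — confirm against that SQL. secretCredsRevoke starts and continues outside the hunk, so `err` and `tx` are assumed to be declared earlier.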