use both role name and token display name to form mysql username

Nathan J. Mehl 2016-07-20 10:17:00 -07:00
parent 83635c16b6
commit e824f6040b
3 changed files with 55 additions and 20 deletions


@ -50,10 +50,21 @@ func (b *backend) pathRoleCreateRead(
lease = &configLease{} lease = &configLease{}
} }
// Generate our username and password. The username will be the name of // Generate our username and password. The username will be a
// the role, truncated to role.displaynameLength, appended to a uuid, // concatenation of:
// with the entire string truncated to role.usernameLength. //
displayName := name // - the role name, truncated to role.rolenameLength (default 4)
// - the token display name, truncated to role.displaynameLength (default 4)
// - a UUID
//
// the entire contactenated string is then truncated to role.usernameLength,
// which by default is 16 due to limitations in older but still-prevalant
// versions of MySQL.
roleName := name
if len(roleName) > role.RolenameLength {
roleName = roleName[:role.RolenameLength]
}
displayName := req.DisplayName
if len(displayName) > role.DisplaynameLength { if len(displayName) > role.DisplaynameLength {
displayName = displayName[:role.DisplaynameLength] displayName = displayName[:role.DisplaynameLength]
} }
@ -61,7 +72,7 @@ func (b *backend) pathRoleCreateRead(
if err != nil { if err != nil {
return nil, err return nil, err
} }
username := fmt.Sprintf("%s-%s", displayName, userUUID) username := fmt.Sprintf("%s-%s-%s", roleName, displayName, userUUID)
if len(username) > role.UsernameLength { if len(username) > role.UsernameLength {
username = username[:role.UsernameLength] username = username[:role.UsernameLength]
} }
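Review bot: `displayName := req.DisplayName` pulls a caller-controlled value (token display names are set by whoever creates the token) into the username that the role's SQL receives through `{{name}}`, and nothing in the hunk rejects quotes, backticks or other metacharacters; the substitution is outside this page, so if it is not escaped this is a path from a token display name into the `CREATE USER`/`GRANT` text, and even if it is quoted, `displayName[:role.DisplaynameLength]` slices by byte and can cut a multibyte rune, leaving invalid UTF-8 in the username. Whitelisting characters before truncation closes both, as in the excerpt below (which needs `strings` imported if the file does not already do so). Separately, roles persisted before this commit deserialize with `RolenameLength == 0`, so `len(roleName) > role.RolenameLength` always holds and the role prefix collapses to `""`, giving usernames like `-tokn-<uuid>`; a negative `rolename_length` would panic on the slice. Treating a non-positive stored length as the documented default of 4 keeps old roles working. pathRoleCreateRead starts and ends outside the hunk.
```go
// … unchanged: lease lookup …
// Role names come from the operator, but token display names are chosen by
// whoever created the token; keep only characters that are safe to splice
// into the role's SQL via {{name}} and that cannot yield a partial rune when
// truncated by byte index.
safe := func(s string) string {
	return strings.Map(func(r rune) rune {
		switch {
		case r >= 'a' && r <= 'z', r >= 'A' && r <= 'Z', r >= '0' && r <= '9', r == '_', r == '-':
			return r
		}
		return -1
	}, s)
}
// Roles stored before rolename_length existed carry a zero value here;
// fall back to the schema default rather than truncating to "".
rolenameLength := role.RolenameLength
if rolenameLength <= 0 {
	rolenameLength = 4
}
roleName := safe(name)
if len(roleName) > rolenameLength {
	roleName = roleName[:rolenameLength]
}
displayName := safe(req.DisplayName)
if len(displayName) > role.DisplaynameLength {
	displayName = displayName[:role.DisplaynameLength]
}
// … unchanged: UUID generation, username assembly and final truncation …
```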


@ -41,10 +41,16 @@ func pathRoles(b *backend) *framework.Path {
Default: 16, Default: 16,
}, },
"rolename_length": &framework.FieldSchema{
Type: framework.TypeInt,
Description: "number of characters to truncate the rolename portion of generated mysql usernames to (default 4)",
Default: 4,
},
"displayname_length": &framework.FieldSchema{ "displayname_length": &framework.FieldSchema{
Type: framework.TypeInt, Type: framework.TypeInt,
Description: "number of characters to truncate the rolename portion of generated mysql usernames to (default 10)", Description: "number of characters to truncate the displayname portion of generated mysql usernames to (default 4)",
Default: 10, Default: 4,
}, },
}, },
@ -118,6 +124,7 @@ func (b *backend) pathRoleCreate(
name := data.Get("name").(string) name := data.Get("name").(string)
sql := data.Get("sql").(string) sql := data.Get("sql").(string)
username_length := data.Get("username_length").(int) username_length := data.Get("username_length").(int)
rolename_length := data.Get("rolename_length").(int)
displayname_length := data.Get("displayname_length").(int) displayname_length := data.Get("displayname_length").(int)
// Get our connection // Get our connection
@ -144,6 +151,7 @@ func (b *backend) pathRoleCreate(
SQL: sql, SQL: sql,
UsernameLength: username_length, UsernameLength: username_length,
DisplaynameLength: displayname_length, DisplaynameLength: displayname_length,
RolenameLength: rolename_length,
}) })
if err != nil { if err != nil {
return nil, err return nil, err
@ -158,6 +166,7 @@ type roleEntry struct {
SQL string `json:"sql"` SQL string `json:"sql"`
UsernameLength int `json:"username_length"` UsernameLength int `json:"username_length"`
DisplaynameLength int `json:"displayname_length"` DisplaynameLength int `json:"displayname_length"`
RolenameLength int `json:"rolename_length"`
} }
const pathRoleHelpSyn = ` const pathRoleHelpSyn = `
@ -184,15 +193,23 @@ Example of a decent SQL query to use:
Note the above user would be able to access anything in db1. Please see the MySQL Note the above user would be able to access anything in db1. Please see the MySQL
manual on the GRANT command to learn how to do more fine grained access. manual on the GRANT command to learn how to do more fine grained access.
The "displayname_length" parameter determines how many characters of the The "rolename_length" parameter determines how many characters of the role name
role name will be used in creating the generated mysql username; the will be used in creating the generated mysql username; the default is 4.
default is 10. Note that mysql versions prior to 5.8 have a 16 character
total limit on usernames. The "displayname_length" parameter determines how many characters of the token
display name will be used in creating the generated mysql username; the default
is 4.
The "username_length" parameter determines how many total characters the The "username_length" parameter determines how many total characters the
generated username (including both the displayname and the uuid portion) will generated username (including the role name, token display name and the uuid
be truncated to. Versions of MySQL prior to 5.7.8 are limited to 16 portion) will be truncated to. Versions of MySQL prior to 5.7.8 are limited to
characters total (see http://dev.mysql.com/doc/refman/5.7/en/user-names.html) 16 characters total (see
so that is the default; for versions >=5.7.8 it is safe to increase this http://dev.mysql.com/doc/refman/5.7/en/user-names.html) so that is the default;
to 32. for versions >=5.7.8 it is safe to increase this to 32.
For best readability in MySQL process lists, we recommend using MySQL 5.7.8 or
later, setting "username_length" to 32 and setting both "rolename_length" and
"displayname_length" to 8. However due the the prevalence of older versions of
MySQL in general deployment, the defaults are currently tuned for a
username_length of 16.
` `
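Review bot: `rolename_length := data.Get("rolename_length").(int)` is stored without any range check, and the same holds for the neighbouring `displayname_length` and `username_length`; a negative value is accepted here and only fails later in pathRoleCreateRead, where it is used as a slice bound and panics, while a `username_length` of 0 yields an empty username. Rejecting bad values at role creation keeps the failure on the operator's side, e.g. `if rolename_length < 0 || displayname_length < 0 || username_length <= 0 { return nil, fmt.Errorf("rolename_length and displayname_length must be >= 0 and username_length must be > 0") }` (or the backend's usual error-response form, which is not visible here). The help text should also spell out the trade-off the defaults make: with `username_length` 16, two 4-character prefixes and two separators, only 6 hex characters of the UUID survive truncation (the docs' own example is `user-role-aefa63`), so usernames are unique in roughly 24 bits and collisions between outstanding leases become plausible at a few thousand credentials; a sentence such as `Every character spent on the role name and display name is taken from the UUID, which is the only part of the username that keeps it unique; with the 16-character default only 6 hex characters of it remain.` belongs next to the readability recommendation. The enclosing pathRoleCreate and the roleEntry struct extend beyond the hunks shown.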


@ -245,18 +245,25 @@ the default on versions prior to that.
values will be substituted. values will be substituted.
</li> </li>
<li> <li>
<span class="param">displayname_length</span> <span class="param">rolename_length</span>
<span class="param-flags">optional</span> <span class="param-flags">optional</span>
Determines how many characters from the role name will be used Determines how many characters from the role name will be used
to form the mysql username interpolated into the '{{name}}' field to form the mysql username interpolated into the '{{name}}' field
of the sql parameter. of the sql parameter. The default is 4.
</li>
<li>
<span class="param">displayname_length</span>
<span class="param-flags">optional</span>
Determines how many characters from the token display name will be used
to form the mysql username interpolated into the '{{name}}' field
of the sql parameter. The default is 4.
</li> </li>
<li> <li>
<span class="param">username_length</span> <span class="param">username_length</span>
<span class="param-flags">optional</span> <span class="param-flags">optional</span>
Determines the maximum total length in characters of the Determines the maximum total length in characters of the
mysql username interpolated into the '{{name}}' field mysql username interpolated into the '{{name}}' field
of the sql parameter. of the sql parameter. The default is 16.
</li> </li>
</ul> </ul>
</dd> </dd>
@ -389,7 +396,7 @@ the default on versions prior to that.
```javascript ```javascript
{ {
"data": { "data": {
"username": "rolename-aefa635a-18", "username": "user-role-aefa63",
"password": "132ae3ef-5a64-7499-351e-bfe59f3a2a21" "password": "132ae3ef-5a64-7499-351e-bfe59f3a2a21"
} }
} }