[database/postgres] Vault generates credentials that do not work with AWS redshift #4052

Closed
myoung34 opened this issue Feb 28, 2018 · 10 comments
Labels
bug Used to indicate a potential bug secret/database

Comments

@myoung34

Environment:

  • Vault Version: 0.9.4
  • Operating System/Architecture:
    Ubuntu client, AWS Linux server, Redshift database

Vault Config File:

Startup Log Output:

Expected Behavior:
Generate valid users similar to currently working RDS PSql 9.6

Actual Behavior:
Generates users successfully but incorrectly returns the username if it contains capital letters.
Redshift is PSQL 8 and generates lowercase usernames even if capital letters are provided. Vault is unaware and attempts to create user 'Foo', is successful, stores it as 'Foo' and tells the user that their username is 'Foo'. However, Redshift stores 'foo', so you cannot log in directly with Vault's response and have to lower() the username.

Steps to Reproduce:

$ vault login -method=ldap username=Marc
Password (will be hidden): 
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                    Value
---                    -----
token                  redact
token_accessor         redact
token_duration         8h  
token_renewable        true
token_policies         [default developers ops]
token_meta_username    Marc

$ vault read database/creds/redshift-staging    
Key                Value    
---                -----    
lease_id           database/creds/redshift-staging/1a29f9a9-f1d5-23f5-e0e4-922439d5018f    
lease_duration     10h                                                                                         
lease_renewable    true                                                                                  
password           A1a-z55wuwx4946rqps7    
username           v-ldap-Mar-redshift-s53tttr16x44s007sr4s-1519840117

$ c_redshift                                                                                            

psql: FATAL:  password authentication failed for user "v-ldap-Mar-redshift-s53tttr16x44s007sr4s-1519840117"
FATAL:  password authentication failed for user "v-ldap-Mar-redshift-s53tttr16x44s007sr4s-1519840117"

$ c_redshift #with lowercase username
psql (9.6.7, server 8.0.2)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.

warehouse=> \du 
                                                    List of roles
                      Role name                      |                 Attributes                  |    Member of    
-----------------------------------------------------+---------------------------------------------+------------------
 v-ldap-mar-redshift-s53tttr16x44s007sr4s-1519840117 | Password valid until 2018-03-01 03:48:37+00 | {admin_users}

warehouse=> 
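
The mismatch shown in the session above can be checked mechanically. The following is an added example, not part of the original issue and not Vault or plugin code: it parses `\du` output in the layout shown above and classifies an issued username as an exact match, a case-folded match, or missing. The function names `ParseRoles` and `Classify` are hypothetical, and the sample table is constructed from the output in this issue.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample: psql \du output in the layout shown in the issue.
const sampleDu = `                      Role name                      |                 Attributes                  |    Member of
-----------------------------------------------------+---------------------------------------------+------------------
 v-ldap-mar-redshift-s53tttr16x44s007sr4s-1519840117 | Password valid until 2018-03-01 03:48:37+00 | {admin_users}
`

// ParseRoles (hypothetical helper) extracts role names from \du table text.
func ParseRoles(du string) []string {
	var roles []string
	for _, line := range strings.Split(du, "\n") {
		cols := strings.Split(line, "|")
		if len(cols) < 3 {
			continue // title, separator ("---+---") and blank lines
		}
		name := strings.TrimSpace(cols[0])
		if name != "" && name != "Role name" {
			roles = append(roles, name)
		}
	}
	return roles
}

// Classify (hypothetical helper) compares the username the credential
// issuer returned with the roles the database actually stores.
func Classify(issued string, roles []string) string {
	folded := false
	for _, r := range roles {
		if r == issued {
			return "exact"
		}
		if strings.EqualFold(r, issued) {
			folded = true // same name, different case: login will fail
		}
	}
	if folded {
		return "case-folded"
	}
	return "missing"
}

func main() {
	issued := "v-ldap-Mar-redshift-s53tttr16x44s007sr4s-1519840117"
	fmt.Println(Classify(issued, ParseRoles(sampleDu)), strings.ToLower(issued))
}
```

A `case-folded` result means the role exists but the returned username will not authenticate until it is lowercased.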

@andoriyu

andoriyu commented Dec 5, 2018

Still broken :(

@andoriyu

andoriyu commented Dec 5, 2018

@myoung34 did you ever solve this?

@myoung34
Author

myoung34 commented Dec 5, 2018

I use a bash script to manually lower case

@andoriyu

andoriyu commented Dec 6, 2018

@myoung34 behold the redshift plugin that works with database engine: https://github.com/andoriyu/vault-plugin-database-redshift

@walkafwalka

Can confirm the problem lies within the username not being lower-cased.

@andoriyu

andoriyu commented Aug 9, 2019 via email

@walkafwalka

How did you create the plugin? Did you rebuild Vault from source or did you install it separately? I tried to use the binary created by go install but it did not work. Also, I do not see where you lower-cased the username in your code.

@andoriyu

andoriyu commented Aug 10, 2019 via email

@andoriyu

andoriyu commented Aug 10, 2019

@walkafwalka here is the source for the plugin I'm running: https://github.com/andoriyu/vault-plugin-database-redshift (I didn't commit my last change where I actually lowercase it)

It's just a copy of https://github.com/hashicorp/vault/tree/master/plugins/database/postgresql with a few things renamed and downcasing.

You also need to make sure you compiled your thing for the platform Vault is running on.

@tyrannosaurus-becks
Contributor

Closed by #8299
