
MySQL MultiUser lambda cannot rotate users with host different than default '%' #101

Open
ivan-georgiev opened this issue Apr 25, 2023 · 3 comments
Labels
bug Something isn't working

Comments

@ivan-georgiev

ivan-georgiev commented Apr 25, 2023

The MySQL MultiUser lambda assumes that the user's host is '%'. This is true if the user is created as follows:

  • CREATE USER appuser IDENTIFIED BY 'somesecret'
  • CREATE USER appuser@'%' IDENTIFIED BY 'somesecret'

If the user is created with a custom host, the rotation lambda will fail on the "SHOW GRANTS FOR %s" query.
Example of how to create such a user:

  • CREATE USER appuser@'10.%.%.%' IDENTIFIED BY 'somesecret'

Possible solutions:

  • Select all hosts for the user given by the secret's username property and update the password for each of them. The query must be something like "SELECT DISTINCT host FROM mysql.user WHERE User = %s". Typically a scenario where someone creates a single USER with multiple HOST values and different passwords is not expected, because this might cause issues on overlaps like '10.%.%.%' and '10.10.%.%'. This implementation is probably too complicated, unless different Host values are used as an additional security layer and the password is the same for database users with the same User value.
  • The secret's metadata is extended with an optional "hostname" property with a default value of '%'. This seems fine, but the code already checks whether the current credentials are valid, so this value can be taken dynamically without complicating the structure of the secret. In both cases there is a limitation that the rotation lambda must be in a compatible subnet: if the user is created as '10.10.%.%' and the lambda runs from '10.20.x.x', the function will fail.
  • The hostname is taken dynamically in the step where the current application credentials are validated, using the existing connection object. The query "SELECT CURRENT_USER()" will return the application user in the format @ like 'appuser'@'10.%.%.%'.
@ivan-georgiev (Author)

This is an example implementation of the third option mentioned in the issue: #102

@rstevens011

Thank you for opening this issue; we are looking into it.

@ivan-georgiev (Author)


Example implementation to cover a single mysql.user.User value, multiple mysql.user.Host values and the same password for all of them:

#112
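The two host-aware strategies discussed in this thread, the third option from the issue (read the host from `SELECT CURRENT_USER()` on the already validated connection) and the follow-up comment (rotate every `mysql.user.Host` row that shares the `User` value with one password), written out as an added example. This is not the rotation lambda's own code nor the code in #102 or #112. It assumes a DB-API style connection with client-side `%s` parameter interpolation (as PyMySQL provides), that the rotating principal may run `ALTER USER` and, for the second strategy, `SELECT` on `mysql.user`; the `FakeConnection` is a constructed in-memory stand-in so the module runs without a database.

```python
from __future__ import annotations


def parse_account(value: str) -> tuple[str, str]:
    """Split a CURRENT_USER() result into (user, host).

    Accepts the bare form the server returns ("appuser@10.%.%.%") and the
    quoted form cited in the issue ('appuser'@'10.%.%.%'). A host part cannot
    contain '@', so splitting on the last '@' keeps a user like "app@user" whole.
    """
    user, sep, host = value.rpartition("@")
    if not sep or not user or not host:
        raise ValueError(f"not a MySQL account string: {value!r}")
    return _unquote(user), _unquote(host)


def _unquote(part: str) -> str:
    part = part.strip()
    if len(part) >= 2 and part[0] == part[-1] and part[0] in "'\"`":
        return part[1:-1]
    return part


def account_literal(user: str, host: str) -> str:
    """Render 'user'@'host' for statements that name an account in the SQL text
    (SHOW GRANTS FOR, ALTER USER). The account cannot be a bind parameter, so
    single quotes are doubled to keep the literal well-formed."""
    return "'{}'@'{}'".format(user.replace("'", "''"), host.replace("'", "''"))


def current_account(conn) -> tuple[str, str]:
    """Option 3 from the issue: ask the server which account this validated
    connection is using instead of assuming host '%'."""
    with conn.cursor() as cur:
        cur.execute("SELECT CURRENT_USER()")
        (value,) = cur.fetchone()
    return parse_account(value)


def hosts_for_user(conn, user: str) -> list[str]:
    """Follow-up comment: every Host row that shares this User value."""
    with conn.cursor() as cur:
        cur.execute("SELECT DISTINCT Host FROM mysql.user WHERE User = %s", (user,))
        return [row[0] for row in cur.fetchall()]


def rotate(conn, accounts, new_password: str) -> list[str]:
    """Set the same new password on each (user, host); only the account name is
    rendered into the SQL text, the password stays a bind parameter."""
    rotated = []
    with conn.cursor() as cur:
        for user, host in accounts:
            acct = account_literal(user, host)
            cur.execute(f"SHOW GRANTS FOR {acct}")  # fails fast on an unknown account
            cur.execute(f"ALTER USER {acct} IDENTIFIED BY %s", (new_password,))
            rotated.append(acct)
    conn.commit()
    return rotated


class _FakeCursor:
    """Constructed stand-in for a DB-API cursor: logs every statement and
    answers the two SELECTs above from an in-memory copy of mysql.user."""

    def __init__(self, conn):
        self._conn, self._rows = conn, []

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False

    def execute(self, sql, params=()):
        self._conn.log.append((sql, tuple(params)))
        if sql.startswith("SELECT CURRENT_USER"):
            self._rows = [(self._conn.current_user,)]
        elif sql.startswith("SELECT DISTINCT Host"):
            self._rows = [(h,) for u, h in self._conn.users if u == params[0]]
        else:
            self._rows = []

    def fetchone(self):
        return self._rows[0] if self._rows else None

    def fetchall(self):
        return list(self._rows)


class FakeConnection:
    """Constructed in-memory server; `users` mimics (User, Host) rows."""

    def __init__(self, current_user: str, users):
        self.current_user, self.users, self.log = current_user, list(users), []

    def cursor(self):
        return _FakeCursor(self)

    def commit(self):
        pass


def demo():
    """Run both strategies against the constructed server and return the
    account literals each one rotated."""
    conn = FakeConnection("appuser@10.%.%.%",
                          [("appuser", "10.%.%.%"), ("appuser", "10.10.%.%"), ("other", "%")])
    by_current_user = rotate(conn, [current_account(conn)], "new-secret")
    by_all_hosts = rotate(conn, [("appuser", h) for h in hosts_for_user(conn, "appuser")], "new-secret")
    return by_current_user, by_all_hosts


if __name__ == "__main__":
    print(demo())
```

With the constructed server, the first strategy rotates only `'appuser'@'10.%.%.%'` (the host the lambda actually connected through), while the second also reaches `'appuser'@'10.10.%.%'`; the subnet limitation from the issue still applies, since `CURRENT_USER()` can only report the account that matched the lambda's source address.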

@ivan-georgiev ivan-georgiev reopened this Jun 5, 2023
@simonmarty simonmarty added bug Something isn't working and removed triage/needs-investigation labels Jun 5, 2023