Guru of Vault,
We are setting up the Database Secrets Engine for MariaDB in Vault to generate dynamic credentials. The password of a generated user looks like the following:
A1a-ialfWVgzEEGtR58q
What is the exact password policy here? Is there any way we can set such a policy explicitly? Thanks.
Thanks for the reply. I understand that the DB engine doesn’t support password policies. But is there any way I can see the policy it’s using internally? Is there any source code I can read?
Basically, we are facing a certain auditing situation. The auditors want evidence that the temporary password generated by the Vault DB engine will be at least 10 characters long and contain both numbers and letters. It seems true from the concrete example, but I cannot find any documentation for this in Vault. Thanks a lot.
jlj7
November 27, 2020, 8:38pm
I’m confused. There’s actually another line in the tutorial that @Wolfsrudel quoted (my emphasis):
Secrets engines with support for password policies:
Here’s the parameter supported by all database secret engines (including MySQL/MariaDB): https://www.vaultproject.io/api/secret/databases#password_policy
Could that not suit your purposes?
Expanded Password Policy Support: Custom password policies are now supported for all database engines.
## Next
BUG FIXES:
* core: Fix client.Clone() to include the address [[GH-10077](https://github.com/hashicorp/vault/pull/10077)]
## 1.6.0
### November 11th, 2020
NOTE:
Binaries for 32-bit macOS (i.e. the `darwin_386` build) will no longer be published. This target was dropped in the latest version of the Go compiler.
CHANGES:
* agent: Agent now properly returns a non-zero exit code on error, such as one due to template rendering failure. Using `error_on_missing_key` in the template config will cause agent to immediately exit on failure. In order to make agent properly exit due to continuous failure from template rendering errors, the old behavior of indefinitely restarting the template server is now changed to exit once the default retry attempt of 12 times (with exponential backoff) gets exhausted. [[GH-9670](https://github.com/hashicorp/vault/pull/9670)]
* token: Periodic tokens generated by auth methods will have the period value stored in its token entry. [[GH-7885](https://github.com/hashicorp/vault/pull/7885)]
* core: New telemetry metrics reporting mount table size and number of entries [[GH-10201](https://github.com/hashicorp/vault/pull/10201)]
* go: Updated Go version to 1.15.4 [[GH-10366](https://github.com/hashicorp/vault/pull/10366)]
Part of version 1.6, which wasn’t released at the time of my comment and so the documentation was at an older release without “All Databases”.
jlj7
November 27, 2020, 10:22pm
Ah, that makes more sense. Didn’t imagine you’d missed it! Cheers!
“It is not as constant as change.”
@alex-ren
Maybe this will help.
The code that generates the password (10 to 20 characters):
```go
// Excerpt from the SQL credentials producer as pasted; the paste starts
// inside GenerateUsername, so only the tail of that method is shown here.
	return GenerateUsername(
		DisplayName(config.DisplayName, scp.DisplayNameLen),
		RoleName(config.RoleName, scp.RoleNameLen),
		Case(caseOp),
		Separator(scp.Separator),
		MaxLength(scp.UsernameLen),
	)
}

// GeneratePassword always requests 20 characters with the "A1a-" prefix prepended.
func (scp *SQLCredentialsProducer) GeneratePassword() (string, error) {
	password, err := RandomAlphaNumeric(20, true)
	if err != nil {
		return "", err
	}
	return password, nil
}

func (scp *SQLCredentialsProducer) GenerateExpiration(ttl time.Time) (string, error) {
	return ttl.Format("2006-01-02 15:04:05-0700"), nil
}
```

```go
import (
	"fmt"

	"github.com/hashicorp/vault/sdk/helper/base62" // base62.Random draws from [A-Za-z0-9]
)

const (
	reqStr    = `A1a-`
	minStrLen = 10
)

// RandomAlphaNumeric returns a random string of characters [A-Za-z0-9-]
// of the provided length. The string generated takes up to 4 characters
// of space that are predefined and prepended to ensure password
// character requirements. It also requires a min length of 10 characters.
func RandomAlphaNumeric(length int, prependA1a bool) (string, error) {
	if length < minStrLen {
		return "", fmt.Errorf("minimum length of %d is required", minStrLen)
	}

	var prefix string
	if prependA1a {
		prefix = reqStr
	}

	randomStr, err := base62.Random(length - len(prefix))
	// The paste was cut off here; the remaining lines check the error and
	// return the prefix joined with the random tail.
	if err != nil {
		return "", err
	}
	return prefix + randomStr, nil
}
```
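As an added illustration (not Vault's own code), the following reproduces the shape of the generator quoted above with `crypto/rand` and adds the check the auditors asked for in this thread: at least 10 characters, containing both a digit and a letter. The base62 alphabet and the function names `GenerateSQLPassword` and `MeetsAuditRule` are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	"unicode"
)

// Constants mirrored from the Vault excerpt quoted in the thread; the alphabet is
// assumed to be the base62 character set used by base62.Random.
const (
	reqPrefix = "A1a-"
	minLen    = 10
	alphabet  = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
)

// GenerateSQLPassword reproduces the shape of the thread's generator (fixed prefix
// plus a random base62 tail) using crypto/rand; an illustration, not Vault's code.
func GenerateSQLPassword(length int) (string, error) {
	if length < minLen {
		return "", fmt.Errorf("minimum length of %d is required", minLen)
	}
	out := []byte(reqPrefix)
	for len(out) < length {
		idx, err := rand.Int(rand.Reader, big.NewInt(int64(len(alphabet))))
		if err != nil {
			return "", err
		}
		out = append(out, alphabet[idx.Int64()])
	}
	return string(out), nil
}

// MeetsAuditRule checks the property the auditors asked for: at least
// minLen characters containing both a digit and a letter.
func MeetsAuditRule(pw string) error {
	if len(pw) < minLen {
		return fmt.Errorf("length %d < %d", len(pw), minLen)
	}
	var digit, letter bool
	for _, r := range pw {
		digit, letter = digit || unicode.IsDigit(r), letter || unicode.IsLetter(r)
	}
	if !digit || !letter {
		return fmt.Errorf("password lacks a digit or a letter")
	}
	return nil
}
```

Note that the fixed prefix is what guarantees the digit and letter; only the remaining 16 of the 20 characters are random (16 × log2(62), about 95 bits), which is the figure to quote when the auditors ask about strength rather than composition.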