Guru of Vault,
We are setting up the Database Secrets Engine for Mariadb in Vault to generate dynamic credentials. The password of generated user looks like the following:
A1a-ialfWVgzEEGtR58q
What is the exact password policy here? Is there any way we can set such policy explicitly? Thanks.
Thanks for the reply. I understand that the db engine doesn’t support password policies. But is there any way I can see the policy it’s using internally? Is there any source code I can read?
Basically, we are facing a certain auditing situation. The auditors want evidence that the temporary password generated by the Vault DB engine will be at least 10 characters and contain both numbers and letters. It seems true from the concrete example, but I cannot find any document for this in Vault. Thanks a lot.
jlj7
November 27, 2020, 8:38pm
I’m confused. There’s actually another line in the tutorial that @Wolfsrudel quoted (my emphasis):
Secrets engines with support for password policies:
Here’s the parameter supported by all database secret engines (including MySQL/MariaDB): Database - Secrets Engines - HTTP API | Vault | HashiCorp Developer
Could that not suit your purposes?
Expanded Password Policy Support: Custom password policies are now supported for all database engines.
Part of version 1.6, which wasn’t released at the time of my comment and so the documentation was at an older release without “All Databases”.
jlj7
November 27, 2020, 10:22pm
Ah, that makes more sense. Didn’t imagine you’d missed it! Cheers!
“It is not as constant as change.”
@alex-ren
Maybe this will help.
The code that generates the password. (10 to 20 characters)
```go
	return GenerateUsername(
		DisplayName(config.DisplayName, scp.DisplayNameLen),
		RoleName(config.RoleName, scp.RoleNameLen),
		Case(caseOp),
		Separator(scp.Separator),
		MaxLength(scp.UsernameLen),
	)
}

// GeneratePassword asks for 20 characters with the fixed "A1a-" prefix prepended.
func (scp *SQLCredentialsProducer) GeneratePassword() (string, error) {
	password, err := RandomAlphaNumeric(20, true)
	if err != nil {
		return "", err
	}
	return password, nil
}

func (scp *SQLCredentialsProducer) GenerateExpiration(ttl time.Time) (string, error) {
	return ttl.Format("2006-01-02 15:04:05-0700"), nil
}
```

```go
const (
	reqStr    = `A1a-`
	minStrLen = 10
)

// RandomAlphaNumeric returns a random string of characters [A-Za-z0-9-]
// of the provided length. The string generated takes up to 4 characters
// of space that are predefined and prepended to ensure password
// character requirements. It also requires a min length of 10 characters.
func RandomAlphaNumeric(length int, prependA1a bool) (string, error) {
	if length < minStrLen {
		return "", fmt.Errorf("minimum length of %d is required", minStrLen)
	}

	var prefix string
	if prependA1a {
		prefix = reqStr
	}

	randomStr, err := base62.Random(length - len(prefix))
```
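As an added example (not Vault's code and not from the post above), here is a constructed re-implementation of that generator next to a check that encodes the auditors' requirement from earlier in the thread; it shows why the fixed `A1a-` prefix makes the digit-and-letter property hold regardless of the random tail. All names (`randomAlphaNumeric`, `auditPassword`, `alphabet`) are assumptions.

```go
package main
import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"unicode"
)
// Assumed names; constructed re-implementation of the generator quoted in
// the thread (not Vault's code): fixed "A1a-" prefix + random base62 tail.
const (
	reqPrefix = "A1a-"
	minLen    = 10
	alphabet  = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
)
func randomAlphaNumeric(length int, prependA1a bool) (string, error) {
	if length < minLen {
		return "", fmt.Errorf("minimum length of %d is required", minLen)
	}
	prefix := ""
	if prependA1a {
		prefix = reqPrefix
	}
	out := make([]byte, length-len(prefix))
	for i := range out { // crypto/rand; rand.Int avoids modulo bias
		n, err := rand.Int(rand.Reader, big.NewInt(int64(len(alphabet))))
		if err != nil {
			return "", err
		}
		out[i] = alphabet[n.Int64()]
	}
	return prefix + string(out), nil
}
// auditPassword encodes the auditors' requirement from the thread:
// at least 10 characters, with at least one digit and one letter.
func auditPassword(p string) error {
	if len(p) < 10 {
		return errors.New("shorter than 10 characters")
	}
	if strings.IndexFunc(p, unicode.IsDigit) < 0 || strings.IndexFunc(p, unicode.IsLetter) < 0 {
		return errors.New("missing a digit or a letter")
	}
	return nil
}
func main() {
	pw, _ := randomAlphaNumeric(20, true) // same call as GeneratePassword above
	fmt.Println(pw, auditPassword(pw))
}
```

Without the prefix (`prependA1a` false) the digit-and-letter property is only probabilistic, which is the reason the quoted code prepends it.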