Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- N/A
Description
According to comments in the cnf file hashicorp_key_management.cnf, hashicorp-key-management-vault-url must always contain /v1/:
- HTTP[s] URL that is used to connect to the Hashicorp Vault server.
- It must include the name of the scheme ("https://" for a secure
- connection) and, according to the API rules for storages of the
- key-value type in Hashicorp Vault, after the server address, the
- path must begin with the "/v1/" string (as prefix), for example:
- "https://127.0.0.1:8200/v1/my_secrets"
It is good that the cnf template mentions it, but it should also be mentioned in the documentation.
Moreover, if it's cut in stone, maybe the plugin could include it into the parameter verification and throw an error if the URL doesn't contain it.
Issue Links
- is part of
  - MDEV-28494 Hashicorp plugin documentation (Closed)
- relates to
  - MDEV-28442 Hashicorp: refactoring to wrap static variables into a class (Closed)
  - MDEV-19281 Vault Key Management Plugin (Closed)
- split to
  - MDEV-28528 Hashicorp Vault plugin: documentation update (Closed)
The error is now detected and a [somewhat] meaningful error message is returned.
If the plugin is loaded upon startup, it's written in the log as
bb-10.9-MDEV-19281-v5 a47e08aa2b
2022-05-06 19:52:26 0 [ERROR] mysqld: hashicorp: According to the Hashicorp Vault API rules, the path inside the URL must start with the "/v1/" prefix, while the supplied URL value is: "http://127.0.0.1:8200/vbug/"
2022-05-06 19:52:26 0 [ERROR] Plugin 'hashicorp_key_management' init function returned error.
2022-05-06 19:52:26 0 [ERROR] Plugin 'hashicorp_key_management' registration as a ENCRYPTION failed.
At runtime it's
MariaDB [test]> show warnings;
I'm keeping this JIRA entry open for documentation purposes.
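
The check requested in this issue, sketched as an added example (this is not the plugin's own code): the "/v1/" prefix is compared at the start of the path rather than searched for anywhere in the URL, so a value such as ".../vbug/v1/" is still rejected. The function name, the result codes, the restriction to http/https and the requirement that a mount name follows the prefix are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Result codes are names made up for this example. */
enum url_check { URL_OK, URL_NO_SCHEME, URL_NO_HOST, URL_BAD_PREFIX, URL_NO_MOUNT };

/* Validate a value intended for hashicorp-key-management-vault-url. */
enum url_check check_vault_url(const char *url)
{
  static const char prefix[] = "/v1/";
  const char *host, *path;

  if (strncasecmp(url, "https://", 8) == 0)
    host = url + 8;
  else if (strncasecmp(url, "http://", 7) == 0)
    host = url + 7;
  else
    return URL_NO_SCHEME;

  /* The server address ends at the first '/', '?' or '#'. */
  path = host + strcspn(host, "/?#");
  if (path == host)
    return URL_NO_HOST;
  /* Anchored comparison: strstr(url, "/v1/") would accept ".../vbug/v1/". */
  if (strncmp(path, prefix, sizeof prefix - 1) != 0)
    return URL_BAD_PREFIX;
  /* Assumption of this example: a mount name must follow the prefix. */
  if (path[sizeof prefix - 1] == '\0' || path[sizeof prefix - 1] == '/')
    return URL_NO_MOUNT;
  return URL_OK;
}

int main(void)
{
  /* The first two URLs are quoted on this page; the rest are constructed. */
  const char *samples[] = {
    "https://127.0.0.1:8200/v1/my_secrets",
    "http://127.0.0.1:8200/vbug/",
    "http://127.0.0.1:8200/vbug/v1/",
    "127.0.0.1:8200/v1/my_secrets",
    "https://127.0.0.1:8200/v1/",
  };
  for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
    printf("%d  %s\n", (int) check_vault_url(samples[i]), samples[i]);
  return 0;
}
```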