[MDEV-30847] Hashicorp Plugin: Provide cache flush for key rotation - Jira

Details

Type: Task
Status: Stalled (View Workflow)
Priority: Major
Resolution: Unresolved
Fix Version/s: 10.11
Component/s: Plugin - Hashicorp Key Management
Labels:
None

Description

The Hashicorp Vault plugin currently supports key versioning provided by the Hashicorp Vault Server. However, there is no ways in the plugin to initiate a key rotation and reset the data stored in the cache. Because of this, it is really impossible to build scenarios in which key values change without restarting the server.

To address this shortcoming, we need to adds a new global variable that allows the user to initiate key rotation at the plugin level - similar to the key management plugin for AWS:

--[loose-]hashicorp-key-management-rotate-key=<identifier>|-1

Setting this variable to a certain value rotates corresponding key - all data associated with it is erased from the cache and will be re-requested from the Hashicorp Vault server the next time the system accesses this key. The user can also specify special value -1 (minus one) to rotate all keys. When specified value is zero, no key rotation is performed.

Attachments

Issue Links

split from

MDEV-29241 Hashicorp Plugin: Provide Key rotation

Stalled

Activity

Ascending order - Click to sort in descending order

Julius Goryavsky created issue - 2023-03-14 13:11

Julius Goryavsky made changes - 2023-03-14 13:11

Field	Original Value	New Value
Link		This issue split from MDEV-29241 [ MDEV-29241 ]

Julius Goryavsky made changes - 2023-03-14 14:29

Assignee

Julius Goryavsky [ sysprg ]

Julius Goryavsky made changes - 2023-03-14 14:29

Status

Open [ 1 ]

In Progress [ 3 ]

Sergei Golubchik added a comment - 2023-03-14 21:50

This looks like an overcomplication to me. It would be quite enough to be able to flush the whole cache, no need to do per per key. And to flush the whole cache one can simply set the cache_timeout to 0. Or may be, let's say, that setting cache_timeout to any value flushes the cache.

Or you can add an information_schema plugin to examine the cache, it'll show cached keys and versions (but not values, of course). Like, INFORMATION_SCHEMA.HASHICORP_KEY_MANAGEMENT_CACHE. And then it can support FLUSH command, like

FLUSH HASHICORP_KEY_MANAGEMENT_CACHE

Sergei Golubchik added a comment - 2023-03-14 21:50 This looks like an overcomplication to me. It would be quite enough to be able to flush the whole cache, no need to do per per key. And to flush the whole cache one can simply set the cache_timeout to 0. Or may be, let's say, that setting cache_timeout to any value flushes the cache. Or you can add an information_schema plugin to examine the cache, it'll show cached keys and versions (but not values, of course). Like, INFORMATION_SCHEMA.HASHICORP_KEY_MANAGEMENT_CACHE . And then it can support FLUSH command, like FLUSH HASHICORP_KEY_MANAGEMENT_CACHE

Sergei Golubchik made changes - 2023-03-27 12:27

Fix Version/s		10.9 [ 26905 ]
Fix Version/s		10.10 [ 27530 ]
Fix Version/s		10.11 [ 27614 ]
Fix Version/s	10.9.6 [ 28520 ]

Julien Fritsch made changes - 2023-05-15 10:23

Link

This issue blocks TODO-3935 [ TODO-3935 ]

Julien Fritsch made changes - 2023-05-15 10:23

Labels

Cloned

Ralf Gebhardt made changes - 2023-07-05 10:14

Labels

Cloned

Julius Goryavsky made changes - 2023-10-12 14:05

Status

In Progress [ 3 ]

Stalled [ 10000 ]

Julien Fritsch made changes - 2023-11-28 10:22

Fix Version/s

10.9 [ 26905 ]

Julien Fritsch made changes - 2023-11-28 10:31

Fix Version/s

10.10 [ 27530 ]

People

Assignee:: Julius Goryavsky

Reporter:: Julius Goryavsky

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2023-03-14 13:11

Updated:: 2023-11-28 10:31

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server