[MDEV-28276] Hashicorp: Document kv version=2 as mandatory and detect error if possible
Created: 2022-04-10  Updated: 2023-11-27  Resolved: 2022-05-10

Status: Closed
Project: MariaDB Server
Component/s: Documentation, Encryption, Plugins
Affects Version/s: N/A
Fix Version/s: 10.9.1

Type: Bug
Priority: Major
Reporter: Elena Stepanova
Assignee: Julius Goryavsky
Resolution: Fixed
Votes: 0
Labels: Cloned

Issue Links:
Blocks
Issue split
split to MDEV-28528 Hashicorp Vault plugin: documentation... Closed
PartOf
is part of MDEV-28494 Hashicorp plugin documentation Closed
Relates
relates to MDEV-28442 Hashicorp: refactoring to wrap static... Closed
relates to MDEV-19281 Vault Key Management Plugin Closed

 Description   

Hashicorp plugin can also work with key-value version=2. It is apparently intentional, in order to support key versioning, but it is not obvious, and the errors which occur upon an attempt to use version=1 are generic "Key not found", which is not helpful at all.

It would be good if the plugin was able to detect the incompatible format and throw a meaningful error.

In any case, this limitation (or requirement) must be documented very explicitly.



 Comments   
Comment by Elena Stepanova [ 2022-05-06 ]

The error is now detected and a meaningful error message is returned.
If the plugin is loaded upon startup, it's written in the log as

bb-10.9-MDEV-19281-v5 a47e08aa2b

2022-05-06 19:46:37 0 [ERROR] mysqld: hashicorp: Key-value storage must be version number 2 or later
2022-05-06 19:46:37 0 [ERROR] Plugin 'hashicorp_key_management' init function returned error.
2022-05-06 19:46:37 0 [ERROR] Plugin 'hashicorp_key_management' registration as a ENCRYPTION failed.

If the plugin is installed at runtime, the first error is returned to the client, while the second and third lines from above are still written to the log.

ERROR 1105 (HY000): hashicorp: Key-value storage must be version number 2 or later
MariaDB [test]> show warnings;
+-------+------+----------------------------------------------------------------------------------------------+
| Level | Code | Message                                                                                      |
+-------+------+----------------------------------------------------------------------------------------------+
| Error | 1105 | hashicorp: Key-value storage must be version number 2 or later                               |
| Error | 1123 | Can't initialize function 'hashicorp_key_management'; Plugin initialization function failed. |
+-------+------+----------------------------------------------------------------------------------------------+
2 rows in set (0.000 sec)

I'm keeping this JIRA entry open for documentation purposes.

There is an effect which may in theory be unexpected if somebody bothers to pay attention to it.
Usually, when a plugin fails to load on startup and the startup options include options specific to this plugin, the whole server fails to start, complaining about unknown options. It doesn't happen in this case, though. While the plugin itself fails to load on startup, the server still starts, with no complaints about hashicorp-X options.

However, I don't see it as a problem; in fact, it allows one to fix the configuration and then install the plugin at runtime. Nor am I sure this particular point deserves a special mention in documentation; I'll leave it to documentation experts to decide.
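
Added example (not part of this ticket or of the plugin's source): because the server still starts when the plugin fails to load, a monitoring check can scan the error log for the messages quoted above. It covers both the startup case and the runtime-install case, where the cause line goes to the client instead of the log; the sample logs, the runtime timestamps and the function name are constructed for illustration.

```python
import re

# Constructed samples in the error-log format quoted in the comment above.
STARTUP_LOG = """\
2022-05-06 19:46:37 0 [ERROR] mysqld: hashicorp: Key-value storage must be version number 2 or later
2022-05-06 19:46:37 0 [ERROR] Plugin 'hashicorp_key_management' init function returned error.
2022-05-06 19:46:37 0 [ERROR] Plugin 'hashicorp_key_management' registration as a ENCRYPTION failed.
"""
# Runtime install: the cause was returned to the client, so only two lines are logged.
RUNTIME_LOG = """\
2022-05-06 20:01:12 5 [ERROR] Plugin 'hashicorp_key_management' init function returned error.
2022-05-06 20:01:12 5 [ERROR] Plugin 'hashicorp_key_management' registration as a ENCRYPTION failed.
"""

# Timestamp, thread id, [ERROR] level, message. The hour may be space-padded.
LINE = re.compile(r"^(\d{4}-\d\d-\d\d\s+\d{1,2}:\d\d:\d\d) \d+ \[ERROR\] (.*)$")
CAUSE = "Key-value storage must be version number 2 or later"
PLUGIN = "Plugin 'hashicorp_key_management' "
NO_CAUSE = "not in log; check the client error from the plugin install"


def find_plugin_failures(log_text):
    """Return one finding per failed load of hashicorp_key_management."""
    findings, pending_cause = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an [ERROR] line in the expected format
        ts, msg = m.groups()
        if msg.endswith("hashicorp: " + CAUSE):
            pending_cause = CAUSE  # startup case: cause precedes the plugin lines
        elif msg == PLUGIN + "init function returned error.":
            findings.append({"time": ts, "cause": pending_cause or NO_CAUSE,
                             "registration_failed": False})
            pending_cause = None
        elif (msg.startswith(PLUGIN + "registration as a ")
              and msg.endswith(" failed.") and findings):
            findings[-1]["registration_failed"] = True
    return findings


if __name__ == "__main__":
    for name, log in (("startup", STARTUP_LOG), ("runtime", RUNTIME_LOG)):
        for f in find_plugin_failures(log):
            print(name, f["time"], f["cause"], f["registration_failed"])
```

A non-empty result means the server is running without the key management plugin registered, which is the condition to alert on.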

Comment by Julius Goryavsky [ 2022-05-10 ]

Fixed, https://github.com/MariaDB/server/commit/3d1f765066b561f9552b55ed9ba41b66815786f7
Sub-task related to documentation moved to: https://jira.mariadb.org/browse/MDEV-28528
