[MDEV-28277] Hashicorp: Document the mandatory presence of /v1/ in URL, detect error if possible Created: 2022-04-10  Updated: 2023-11-27  Resolved: 2022-05-10

Status: Closed
Project: MariaDB Server
Component/s: Configuration, Documentation, Encryption, Plugins
Affects Version/s: N/A
Fix Version/s: 10.9.1

Type: Bug Priority: Major
Reporter: Elena Stepanova Assignee: Julius Goryavsky
Resolution: Fixed Votes: 0
Labels: Cloned

Issue Links:
Blocks
Issue split
split to MDEV-28528 Hashicorp Vault plugin: documentation... Closed
PartOf
is part of MDEV-28494 Hashicorp plugin documentation Closed
Relates
relates to MDEV-28442 Hashicorp: refactoring to wrap static... Closed
relates to MDEV-19281 Vault Key Management Plugin Closed

 Description   

According to comments in the cnf file hashicorp_key_management.cnf, hashicorp-key-management-vault-url must always contain /v1/:

  # HTTP[s] URL that is used to connect to the Hashicorp Vault server.
  # It must include the name of the scheme ("https://" for a secure
  # connection) and, according to the API rules for storages of the
  # key-value type in Hashicorp Vault, after the server address, the
  # path must begin with the "/v1/" string (as prefix), for example:
  # "https://127.0.0.1:8200/v1/my_secrets"

It is good that the cnf template mentions it, but it should also be mentioned in the documentation.

Moreover, if it's cut in stone, maybe the plugin could include it in the parameter verification and throw an error if the URL doesn't contain it.



 Comments   
Comment by Elena Stepanova [ 2022-05-06 ]

The error is now detected and a [somewhat] meaningful error message is returned.
If the plugin is loaded upon startup, it's written in the log as

bb-10.9-MDEV-19281-v5 a47e08aa2b

2022-05-06 19:52:26 0 [ERROR] mysqld: hashicorp: According to the Hashicorp Vault API rules, the path inside the URL must start with the "/v1/" prefix, while the supplied URL value is: "http://127.0.0.1:8200/vbug/"
2022-05-06 19:52:26 0 [ERROR] Plugin 'hashicorp_key_management' init function returned error.
2022-05-06 19:52:26 0 [ERROR] Plugin 'hashicorp_key_management' registration as a ENCRYPTION failed.

At runtime it's

MariaDB [test]> install soname 'hashicorp_key_management';
ERROR 1105 (HY000): hashicorp: According to the Hashicorp Vault API rules, the path inside the URL must start with the "/v1/" prefix, while the supplied URL value is: "http://127.0.0.1:8200/vbug/"
MariaDB [test]> show warnings;
+-------+------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Level | Code | Message                                                                                                                                                                          |
+-------+------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Error | 1105 | hashicorp: According to the Hashicorp Vault API rules, the path inside the URL must start with the "/v1/" prefix, while the supplied URL value is: "http://127.0.0.1:8200/vbug/" |
| Error | 1123 | Can't initialize function 'hashicorp_key_management'; Plugin initialization function failed.                                                                                     |
+-------+------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.000 sec)

I'm keeping this JIRA entry open for documentation purposes.

Comment by Julius Goryavsky [ 2022-05-10 ]

Fixed, https://github.com/MariaDB/server/commit/1c22a9d8aebc91c37b90730fc737df44f780e90e
Subtask related to documentation moved to: https://jira.mariadb.org/browse/MDEV-28528
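
Added example, not the plugin's code and not part of this ticket: a C check that anchors "/v1/" at the start of the URL path instead of searching for it anywhere in the value, so "http://127.0.0.1:8200/vbug/v1/" is still rejected. The function and enum names are hypothetical, and matching the scheme in lowercase only is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Result codes: names chosen for this example, not taken from the plugin. */
enum url_check { URL_OK, URL_NO_SCHEME, URL_NO_HOST, URL_NO_V1_PREFIX };

/* Validate a vault URL value: scheme, non-empty server address, then a
   path that begins with "/v1/". */
enum url_check check_vault_url(const char *url)
{
  size_t skip;
  if (strncmp(url, "https://", 8) == 0)
    skip = 8;
  else if (strncmp(url, "http://", 7) == 0)
    skip = 7;
  else
    return URL_NO_SCHEME;

  /* The server address ends at the first '/', '?' or '#'. */
  const char *host = url + skip;
  const char *path = host + strcspn(host, "/?#");
  if (path == host)
    return URL_NO_HOST;

  /* Anchor the comparison at the start of the path. strstr(url, "/v1/")
     would also accept ".../vbug/v1/" or "...?x=/v1/". */
  if (strncmp(path, "/v1/", 4) != 0)
    return URL_NO_V1_PREFIX;
  return URL_OK;
}

int main(void)
{
  /* Constructed sample values; the first two appear in the ticket. */
  static const char *samples[] = {
    "https://127.0.0.1:8200/v1/my_secrets",
    "http://127.0.0.1:8200/vbug/",
    "http://127.0.0.1:8200/vbug/v1/",
    "http://127.0.0.1:8200/v1",
    "127.0.0.1:8200/v1/my_secrets",
  };
  static const char *text[] = { "ok", "no scheme", "no server address",
                                "path does not start with /v1/" };
  for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
    printf("%-40s %s\n", samples[i], text[check_vault_url(samples[i])]);
  return 0;
}
```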
