[MDEV-29239] Hashicorp Plugin: Support proper authentication methods for vault
Created: 2022-08-03  Updated: 2023-07-05

Status: Open
Project: MariaDB Server
Component/s: Encryption, Plugin - Hashicorp Key Management
Fix Version/s: None

Type: Task
Priority: Minor
Reporter: Simon Stier
Assignee: Unassigned
Resolution: Unresolved
Votes: 1
Labels: None


Description

Hi,

currently the Hashicorp Plugin only supports tokens to authenticate requests against vault.
But in the context of Hashicorp Vault, a token should be considered a short-time authentication method - like a session for a website. With the default configuration of Vault, a token expires after 30 days.

Quoted from Vault documentation https://www.vaultproject.io/docs/concepts/auth

Before a client can interact with Vault, it must authenticate against an auth method. Upon authentication, a token is generated. This token is conceptually similar to a session ID on a website. The token may have attached policy, which is mapped at authentication time. This process is described in detail in the policies concepts documentation.

So proper authentication methods need to be implemented in the Hashicorp Plugin.
Those are documented here: https://www.vaultproject.io/docs/auth
Quite popular for tooling is the AppRole Auth Method. In our case this method would fulfill all requirements. Maybe this is a good auth method to start with.

Regards
Simon
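
The login-then-token flow from the quoted Vault documentation, applied to AppRole, as an added example (not part of the original report and not the plugin's code): a client logs in with role_id and secret_id, then logs in again before the token's TTL runs out. The class name, the injected `post` transport, the 20% refresh margin and all sample values are assumptions made for illustration.

```python
import json
import time

# Constructed sample of an AppRole login response body (placeholder values).
SAMPLE_LOGIN_RESPONSE = json.dumps(
    {"auth": {"client_token": "hvs.EXAMPLE-TOKEN", "lease_duration": 3600, "renewable": True}}
)


class AppRoleSession:
    """Hypothetical helper that keeps a Vault token fresh via AppRole login."""

    def __init__(self, role_id, secret_id, post, clock=time.monotonic, margin=0.2):
        self.role_id, self.secret_id = role_id, secret_id
        self.post = post      # callable(path, body_dict) -> response text (HTTP layer)
        self.clock = clock    # injectable so expiry can be simulated
        self.margin = margin  # log in again when this fraction of the TTL is left
        self.token = None
        self.refresh_at = 0.0

    def login(self):
        # AppRole login endpoint of the Vault HTTP API (default mount "approle").
        raw = self.post("/v1/auth/approle/login",
                        {"role_id": self.role_id, "secret_id": self.secret_id})
        auth = json.loads(raw).get("auth") or {}
        token, ttl = auth.get("client_token"), auth.get("lease_duration", 0)
        if not token:
            raise RuntimeError("AppRole login returned no client_token")
        self.token = token
        # Assumption: a lease_duration of 0 is treated as a non-expiring token.
        self.refresh_at = float("inf") if ttl == 0 else self.clock() + ttl * (1 - self.margin)
        return token

    def headers(self):
        """Headers for a Vault request; logs in again when the token nears expiry."""
        if self.token is None or self.clock() >= self.refresh_at:
            self.login()
        return {"X-Vault-Token": self.token}


if __name__ == "__main__":
    # Offline demo: the transport returns the constructed sample response.
    session = AppRoleSession("role-id-placeholder", "secret-id-placeholder",
                             lambda path, body: SAMPLE_LOGIN_RESPONSE)
    print(session.headers())
```

With this pattern the long-lived configuration holds the AppRole credentials, and the token itself stays a short-lived session value that is never written to the configuration.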

