
Vault startup fails when using MSSQL as storage backend with pre-created database and schema #6328

Closed
kedarkale27 opened this issue Mar 4, 2019 · 8 comments

Comments

@kedarkale27
Contributor

Problem statement:
Vault startup fails when using MSSQL as the backend storage with a pre-created database and schema. Here Vault is configured to start with a database user who does not have schema creation access.

Steps to reproduce:
Execute the following statements on the MSSQL database:

USE master
CREATE DATABASE [oper_db]
USE [oper_db]
CREATE LOGIN vault WITH PASSWORD = 'password'
CREATE USER vault FOR LOGIN vault
GO
-- CREATE SCHEMA must be the first statement in its own batch
CREATE SCHEMA vault AUTHORIZATION vault
GO
CREATE ROLE VaultUser AUTHORIZATION [vault]
GRANT SELECT, INSERT, UPDATE, DELETE, ALTER, EXECUTE
ON SCHEMA::vault TO VaultUser

CREATE TABLE [vault].[SECRETS] (
    [PATH] VARCHAR(512) NOT NULL,
    [VALUE] VARBINARY(MAX) NULL
)

Start Vault with the following configuration:

listener "tcp" {
    address     = "127.0.0.1:8200"
    tls_disable = "true"
}

storage "mssql" {
    server   = "#ServerIP"
    username = "vault"
    password = "password"
    database = "oper_db"
    table    = "SECRETS"
    appname  = "vault"
    schema   = "vault"
}

Actual output seen on the console:
Error initializing storage of type mssql: failed to create mssql schema: mssql:
CREATE SCHEMA failed due to previous errors.

Expected output:
Vault should start successfully using the pre-created database and the schema.

@tyrannosaurus-becks
Contributor

Thanks for opening this issue, @kedarkale27! Looks like the error is originating from here.

Is it possible for you to simply not pre-create the schema and to let the "dbo" one be used?

@kedarkale27
Contributor Author

@tyrannosaurus-becks
We needed to create a separate user which will have access only to the vault schema and the tables inside it, and not to the dbo schema,
as the password of the vault schema is getting exposed in the config file of Vault.
Hence we need a pre-created schema different from dbo.

We have also published a fix which solves this issue:
#6356

The code expects the SQL commands to be executed in the same database session as the "USE DATABASE" command, but for Go it is somehow not working.
We did a POC using the same sequence of commands in Java and it worked correctly.
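As an added illustration (not code from the issue, from PR #6356 or from Vault's MSSQL backend), the following T-SQL shows the two checks the thread above turns on: an idempotent bootstrap that creates the schema and table only when they are missing, and a verification, run from the vault user's own security context, that the least-privilege login in the Vault config can use the table but cannot create schemas. It assumes the database, login, user, role and table names from the reproduction steps and is meant to be run by a database owner or sysadmin.

```sql
-- Added example: idempotent bootstrap and permission checks for the
-- least-privilege Vault login. Assumes the names oper_db / vault /
-- VaultUser / SECRETS from the reproduction steps in this issue.
USE [oper_db];
GO

-- 1. Create the schema only if it does not exist yet. CREATE SCHEMA must be
--    the first statement of a batch, so it is wrapped in EXEC to sit inside IF.
IF SCHEMA_ID('vault') IS NULL
    EXEC('CREATE SCHEMA [vault] AUTHORIZATION [vault]');
GO

-- 2. Same guard for the secrets table, so re-running the script is safe and
--    never touches an existing table (and its data).
IF OBJECT_ID('[vault].[SECRETS]', 'U') IS NULL
    CREATE TABLE [vault].[SECRETS] (
        [PATH]  VARCHAR(512)   NOT NULL,
        [VALUE] VARBINARY(MAX) NULL
    );
GO

-- 3. Assumption: the grants are meant to reach the vault user through the
--    VaultUser role, so make sure the user is actually a member of it
--    (the reproduction steps create the role but do not add a member).
IF IS_ROLEMEMBER('VaultUser', 'vault') = 0
    ALTER ROLE [VaultUser] ADD MEMBER [vault];
GO

-- 4. Verify the effective permissions from the vault user's context.
--    A backend that unconditionally runs CREATE SCHEMA will fail for this
--    user, which is exactly the startup error reported in the issue.
EXECUTE AS USER = 'vault';
SELECT
    HAS_PERMS_BY_NAME('vault.SECRETS', 'OBJECT',   'SELECT')        AS can_select,        -- expected 1
    HAS_PERMS_BY_NAME('vault.SECRETS', 'OBJECT',   'INSERT')        AS can_insert,        -- expected 1
    HAS_PERMS_BY_NAME(DB_NAME(),       'DATABASE', 'CREATE SCHEMA') AS can_create_schema; -- expected 0
REVERT;
GO
```

Because the existence checks run inside single batches, each step is safe to repeat; if the SELECT in step 4 reports can_create_schema = 1, the login has more privilege than the issue's threat model intends.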

@tyrannosaurus-becks
Contributor

Thanks! Happy to review it after the submitter agreement is signed.

@kedarkale27
Contributor Author

@tyrannosaurus-becks I have already signed it yesterday.

@kedarkale27
Contributor Author

@tyrannosaurus-becks Did you get a chance to review the code?

@kedarkale27
Contributor Author

Hi @tyrannosaurus-becks, the test case has been added to verify the updated code. Can you please check and approve?

Thanks!

@sagitsofan

sagitsofan commented Mar 24, 2019

Any news on this issue? I am experiencing exactly the same behavior as @kedarkale27 mentioned.

@tyrannosaurus-becks
Contributor

Please follow the linked PR, #6356.
