Fix MSSQL compatibility with Azure SQL #11555
Removes a query from the MSSQL plugin that checks that a Server Login exists before attempting to change its password. This behavior is incompatible with SQL Server instances that rely on contained users and that do not allow cross-database queries, as is the case with Azure SQL Databases. The deletion of this query does not materially impact the behavior, as attempting to change the password for a nonexistent login (on a regular SQL Server instance) will result in an error message that states that the user either does not exist (or the Vault user does not have permission to change its password). If the Vault user is a contained user, then the "root rotation statements" parameter can be modified to alter the password of a `user` rather than a `login` (`ALTER USER vault WITH PASSWORD ...`). Fixes hashicorp#10806
@austingebauer Any chance you could get this reviewed/merged? (We're still on v1.4.7, which has a couple of vulnerabilities, because later versions can't currently handle rotation of MSSQL contained users' credentials. It corrects a change introduced with #9062)
Hi, @g-psantos. Thanks for making me aware of this issue and opening a PR. I will be having a look at this.
Hi @g-psantos, Thanks for opening the issue and the PR! A PR to include support for contained DBs in root rotation and lease revocation was recently put up here: #12839 This PR includes support for contained DBs in the MSSQL plugin, and based on a
Fixes #10806
Removes a query from the MSSQL plugin that checks that a Server Login exists before attempting to change its password. This behavior is incompatible with SQL Server instances that rely on contained users and that do not allow cross-database queries, as is the case with Azure SQL Databases.
Additionally, some other engines (such as MySQL) do not check that a user exists before attempting to change its password, which suggests that this behavior is not essential.
The deletion of this query does not materially impact the behavior, as attempting to change the password for a nonexistent login (on a regular SQL Server instance) will result in an error message:
If the Vault user is a contained user, then the "root rotation statements" parameter can be modified to alter the password of a `user` rather than a `login`:
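The two rotation forms the PR description contrasts, as an added T-SQL example that is not part of the PR or of Vault's own code. `{{username}}` and `{{password}}` are Vault's template placeholders; the user name `vault`, the initial password placeholder and the `ALTER ANY USER` grant are assumptions for this example.

```sql
-- Added example (not from the PR): root-rotation statements for the two
-- principal types the Vault MSSQL plugin may run as.

-- 1. Default case: Vault authenticates with a SERVER login. ALTER LOGIN is
--    a server-level statement, so it only works when Vault's principal is a
--    login; a contained database user has no login to alter.
ALTER LOGIN [{{username}}] WITH PASSWORD = '{{password}}';

-- 2. Azure SQL Database pattern from the PR: Vault authenticates as a
--    CONTAINED database user, created inside the target database with no
--    server login. Run once as an administrator; '<initial-password>' is a
--    placeholder. ALTER ANY USER is assumed to be the permission needed to
--    run ALTER USER ... WITH PASSWORD without supplying OLD_PASSWORD;
--    verify against your server's permission model.
CREATE USER [vault] WITH PASSWORD = '<initial-password>';
GRANT ALTER ANY USER TO [vault];

-- 3. Matching root_rotation_statements value for the contained user.
--    With the login-existence pre-check removed, a wrong user name is not
--    silently passed over: ALTER USER itself fails with an error saying
--    the user does not exist or the caller lacks permission, which Vault
--    surfaces to the operator.
ALTER USER [{{username}}] WITH PASSWORD = '{{password}}';
```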