add mssql physical backend #2546
Conversation
There was a problem hiding this comment.
Thanks for the contribution! Overall this look pretty good. There are just a few things relating to required arguments and handling of schemas.
Also, can you please add documentation for configuring this plugin. You can add the documentation here website/source/docs/configuration/storage
physical/mssql.go
Outdated
| return nil, fmt.Errorf("failed to create mssql database: %v", err) | ||
| } | ||
|
|
||
| dbTable := database + ".." + table |
There was a problem hiding this comment.
This is assuming the default schema, presumably dbo. Can you please add a configuration option for the schema with a default value of dbo?
There was a problem hiding this comment.
Ok, I add schema option.
There was a problem hiding this comment.
This statement will no longer be necessary if you remove the conditional schema logic.
physical/mssql.go
Outdated
| connectionString := "server=" + server + ";app name" + appname + ";connection timeout=" + connectionTimeout + ";log=" + logLevel | ||
| if username != "" { | ||
| connectionString += ";user id=" + username | ||
| } |
There was a problem hiding this comment.
I can't think of case where there is no username or password. I think it should fail if this is not provided.
There was a problem hiding this comment.
Without username and password, driver is using SSO.
From driver documentation:
"user id" - enter the SQL Server Authentication user id or the Windows Authentication user id in the DOMAIN\User format. On Windows, if user id is empty or missing Single-Sign-On is used.
There was a problem hiding this comment.
I think the most likely usage would be providing a username and password to this backend. Are you expecting to use the Single Sign-On features of the driver? I would be curious to see how this works in practice.
There was a problem hiding this comment.
You can provide username and password. SSO is only option of mssql go driver so I added it as a feature to this provider.
Yes, In our environment we use sso. For example when I am logged to my workstation I can connect to mssql database on different machine. (It's works same as Windows Auth in this example)
There was a problem hiding this comment.
After some further internal discussions, we believe this is fine. Even though SSO makes a lot of sense in a user workstation context it could also work in this context. This is especially true since the same person configuring the Vault installation will also be in charge of the physical backend configuration.
| } | ||
|
|
||
| if password != "" { | ||
| connectionString += ";password=" + password |
There was a problem hiding this comment.
See above reply ;)
| return nil, fmt.Errorf("failed to connect to mssql: %v", err) | ||
| } | ||
|
|
||
| if _, err := db.Exec("IF NOT EXISTS(SELECT * FROM sys.databases WHERE name = '" + database + "') CREATE DATABASE " + database); err != nil { |
There was a problem hiding this comment.
I think this should work without specifying the database. To be more explicit, it may make sense to add the master database to this query.
There was a problem hiding this comment.
I you don't include database name, default name 'Vault' will be used. It's working same as mysql and postgres provider.
There was a problem hiding this comment.
I thought that sys.databases was a special table that resided in master but I don't actually think that is the case, so I think this is fine.
physical/mssql.go
Outdated
| } | ||
|
|
||
| dbTable := database + ".." + table | ||
| createQuery := "IF NOT EXISTS(SELECT 1 FROM " + database + ".INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE='BASE TABLE' AND TABLE_NAME='" + table + "') CREATE TABLE " + dbTable + |
There was a problem hiding this comment.
Based on adding schema above, TABLE_SCHEMA will need to be added to the criteria for this query.
There was a problem hiding this comment.
This statement will no longer be necessary if you remove the conditional schema logic.
physical/mssql.go
Outdated
| schema = "dbo" | ||
| } | ||
|
|
||
| connectionString := "server=" + server + ";app name" + appname + ";connection timeout=" + connectionTimeout + ";log=" + logLevel |
There was a problem hiding this comment.
There is a missing = after app name. Would you mind converting this to a fmt.Sprintf which may make it easier to spot these issues?
There was a problem hiding this comment.
ok changed.
physical/mssql.go
Outdated
| createQuery := "IF NOT EXISTS(SELECT 1 FROM " + database + ".INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE='BASE TABLE' AND TABLE_NAME='" + table + "') CREATE TABLE " + dbTable + | ||
| " (Path VARCHAR(512) PRIMARY KEY, Value VARBINARY(MAX))" | ||
|
|
||
| if schema != "dbo" { |
There was a problem hiding this comment.
I'm not sure this guard is necessary. It is likely the dbo schema is going to be available but it probably still makes sense to do the same check for dbo.
There was a problem hiding this comment.
I must check if user want different schema than dbo and create it when it does not exists. You can't drop schema dbo and it always exists. MSDN
There was a problem hiding this comment.
Thanks for the docs. I thought dbo was just a default schema and could itself be dropped.
|
|
||
| ## `mssql` Parameters | ||
|
|
||
| - `server` `(string: "localhost")` – host or host\instance. |
There was a problem hiding this comment.
Can you update this to <required> instead of "localhost"?
|
|
||
| - `server` `(string: "localhost")` – host or host\instance. | ||
|
|
||
| - `username` `(string: "user1234")` - enter the SQL Server Authentication user id or |
There was a problem hiding this comment.
Can you update this to the default value of ""?
| the Windows Authentication user id in the DOMAIN\User format. | ||
| On Windows, if user id is empty or missing Single-Sign-On is used. | ||
|
|
||
| - `password` `(string: "secret123!")` – specifies the MSSQL password to connect to |
There was a problem hiding this comment.
Can you also update this to the default value of ""?
| - `schema` `(string: "dbo")` – Specifies the name of the schema. If the schema | ||
| does not exist, Vault will attempt to create it. | ||
|
|
||
| - `appname` `(string: "vault")` – the application name. |
There was a problem hiding this comment.
s/vault/Vault/ to match the default in code.
|
|
||
| ### Custom Database, Table and Schema | ||
|
|
||
| This example shows configuring the MySQL backend to use a custom database and |
physical/mssql.go
Outdated
| connectionString := "server=" + server + ";app name" + appname + ";connection timeout=" + connectionTimeout + ";log=" + logLevel | ||
| if username != "" { | ||
| connectionString += ";user id=" + username | ||
| } |
There was a problem hiding this comment.
After some further internal discussions, we believe this is fine. Even though SSO makes a lot of sense in a user workstation context it could also work in this context. This is especially true since the same person configuring the Vault installation will also be in charge of the physical backend configuration.
physical/mssql.go
Outdated
| } | ||
|
|
||
| dbTable := database + ".." + table | ||
| createQuery := "IF NOT EXISTS(SELECT 1 FROM " + database + ".INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE='BASE TABLE' AND TABLE_NAME='" + table + "') CREATE TABLE " + dbTable + |
There was a problem hiding this comment.
This statement will no longer be necessary if you remove the conditional schema logic.
physical/mssql.go
Outdated
| return nil, fmt.Errorf("failed to create mssql database: %v", err) | ||
| } | ||
|
|
||
| dbTable := database + ".." + table |
There was a problem hiding this comment.
This statement will no longer be necessary if you remove the conditional schema logic.
No description provided.