Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

MySql MultiUser RDS credential rotation causes problematic permission grants #85

Open
cpr-chas opened this issue Jun 14, 2022 · 1 comment
Open

MySql MultiUser RDS credential rotation causes problematic permission grants #85

cpr-chas opened this issue Jun 14, 2022 · 1 comment
Labels
bug Something isn't working

Comments

@cpr-chas
Copy link

cpr-chas commented Jun 14, 2022
edited
Loading

Commit edd300a ("Supports MySQL/Maria grants containing percent symbols.") added a replacement of '%' with '%%' because '%' is an escape character for python format strings. I don't know if something changed in the libraries used or if this is only necessary in certain situations, but it causes problems with the permission grants in the simplest case. This is the specific line that appears to be the problem:
new_grant_escaped = new_grant.replace('%','%%') # % is a special character in Python format strings.

We are using this in a lambda with Python 3.7.
We started with a user 'myuser', with a grant:
GRANT SELECT, INSERT, UPDATE, DELETE, LOCK TABLES, EXECUTE, SHOW VIEW ON %.* TO 'myuser'@'%'

Each time the key rotation is run, we end up with a grant doubling the wildcard as the grant gets copied back and forth between the base account and the clone account. EG:
GRANT SELECT, INSERT, UPDATE, DELETE, LOCK TABLES, EXECUTE, SHOW VIEW ON %%.* TO 'myuser_clone'@'%'

After several automatic rotations, we're up to 64 on the main account and 128 on the clone:
GRANT SELECT, INSERT, UPDATE, DELETE, LOCK TABLES, EXECUTE, SHOW VIEW ON %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%.* TO 'myuser'@'%'
GRANT SELECT, INSERT, UPDATE, DELETE, LOCK TABLES, EXECUTE, SHOW VIEW ON %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%.* TO 'myuser_clone'@'%'

I expect at some point we'll run up against a character limit and rotation will fail.

I can change the lambda locally, but if we ever take a further update from the template, that might get lost. Additionally, I expect other customers are likely to run into this problem if they restrict permissions in this way.

As a workaround, I can grant the privileges separately to each schema in the DB, but that's a little bit painful and error prone if we ever add an additional schema.
@goyalya
Copy link

goyalya commented Oct 6, 2022

Thanks for reaching out with the request. We are looking into it.

@simonmarty simonmarty added bug Something isn't working and removed triage/needs-investigation labels Jun 5, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@simonmarty @cpr-chas @goyalya