Describe the bug
If the rental user is already logged in to MySQL, they can still work with the MySQL database after the expiration date.
To Reproduce
Steps to reproduce the behavior:
1. Run `vault secrets enable database`
2. Run `vault write database/config/my-mysql-database plugin_name=mysql-database-plugin connection_url="{{username}}:{{password}}@tcp(127.0.0.1:3306)/" allowed_roles="my-role" username="vault" password="123456"`
3. Run `vault write database/roles/my-role db_name=my-mysql-database creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';" default_ttl="20s" max_ttl="24h"` (output: `Success! Data written to: database/roles/my-role`)
4. Run `vault read database/creds/my-role`. Got the username and password.
5. Run `mysql -hlocalhost -p<password> -u<username>`.
6. Wait for 20s.
7. You can still do the query in the session established in step 5. For example, run `use mysql; select user from user;`
The user has been deleted, but the database can still be manipulated, which is not in line with Vault's design philosophy. It would be nice if you could delete the MySQL session at the same time as you delete the lease data.
Environment:

Vault Server Version (retrieve with `vault status`):

```
Key                     Value
---                     -----
Seal Type               shamir
Initialized             true
Sealed                  false
Total Shares            5
Threshold               3
Version                 1.6.1
Storage Type            raft
Cluster Name            vault-cluster-5816945e
Cluster ID              4a229188-a454-aebd-e4a1-06c9c24930b8
HA Enabled              true
HA Cluster              https://127.0.0.1:8201
HA Mode                 active
Raft Committed Index    400
Raft Applied Index      400
```
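One way to close the gap the report describes, as an added example that is not part of this issue or of Vault's MySQL plugin: a stored procedure on the MySQL server that kills every connection still authenticated as the leased user, invoked from the role's `revocation_statements` right after the `DROP USER`. Vault's plugin only runs the SQL it is given at revocation time, and `DROP USER` does not touch established sessions, so the session has to be terminated explicitly. The schema and procedure name (`vault_admin.kill_user_sessions`) are my choice, and the example assumes the connection user Vault was configured with (`vault` in the report) holds `CONNECTION_ADMIN` (MySQL 8) or `SUPER`, which `KILL` requires for threads owned by other users; the `revocation_statements` parameter and the `{{name}}` template are Vault's own.

```sql
-- Added example, not Vault's code: terminate the live MySQL sessions of a
-- leased user when Vault revokes the lease. Assumes the Vault connection
-- user has CONNECTION_ADMIN (MySQL 8) or SUPER and may create this schema.
CREATE DATABASE IF NOT EXISTS vault_admin;

DELIMITER $$

CREATE PROCEDURE vault_admin.kill_user_sessions(IN target_user VARCHAR(32))
SQL SECURITY INVOKER
BEGIN
  DECLARE done INT DEFAULT FALSE;
  DECLARE conn_id BIGINT UNSIGNED;
  -- Every thread authenticated as target_user, except the caller's own
  -- connection (that is Vault's connection, never the leased user's).
  DECLARE cur CURSOR FOR
    SELECT ID FROM information_schema.PROCESSLIST
    WHERE USER = target_user AND ID <> CONNECTION_ID();
  DECLARE CONTINUE HANDLER FOR NOT FOUND SET done = TRUE;
  -- 1094 = ER_NO_SUCH_THREAD: the client disconnected between the SELECT
  -- and the KILL, which is the outcome we wanted anyway, so ignore it.
  DECLARE CONTINUE HANDLER FOR 1094 BEGIN END;

  OPEN cur;
  kill_loop: LOOP
    FETCH cur INTO conn_id;
    IF done THEN
      LEAVE kill_loop;
    END IF;
    -- KILL only accepts a literal thread id, so build it as a prepared
    -- statement (KILL is on MySQL's list of preparable statements).
    SET @kill_stmt = CONCAT('KILL CONNECTION ', conn_id);
    PREPARE stmt FROM @kill_stmt;
    EXECUTE stmt;
    DEALLOCATE PREPARE stmt;
  END LOOP;
  CLOSE cur;
END$$

DELIMITER ;

-- Check, from a separate privileged session, while a leased client from the
-- repro is still connected. Vault's default MySQL usernames start with "v-".
-- Before the CALL the leased user's thread is listed; after it the row is
-- gone and the client's next query fails with "MySQL server has gone away".
SELECT ID, USER, HOST, COMMAND, TIME
FROM information_schema.PROCESSLIST
WHERE USER LIKE 'v-%';
```

With the procedure in place, the role in the report gets `revocation_statements="DROP USER '{{name}}'@'%'; CALL vault_admin.kill_user_sessions('{{name}}');"` on its `vault write database/roles/my-role ...` command (re-supplying `db_name` and `creation_statements`, since a write replaces the whole role). The order matters: dropping the user first closes the door to reconnects, so a client that is killed cannot log straight back in with the same credentials during the window between the two statements. The leased user keeps its privileges only for the remainder of the in-flight statement; the connection itself is gone once the lease expires or `vault lease revoke` runs.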
Hi team, I have been exploring Vault source code for a while for my work and would love to pick this issue up. Let me know if there are any prerequisites on how to get started with this?