hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

influxdb-database-plugin should not support client certificates #7118

Open mgaffney opened 5 years ago

mgaffney commented 5 years ago

InfluxDB does not support client certificates but the influxdb-database-plugin can be configured to use client certificates. This is confusing to Vault users and can lead to unexpected behavior (see #6405).

It is unknown if InfluxDB will add support for client certificates. (See influxdata/influxdb#9421 and influxdata/influxdb#9698 for more information).

The influxdb-database-plugin should be updated to remove support for client certificates to avoid confusion.

aphorise commented 2 years ago

Hey @mgaffney, is this still relevant in light of the deprecation notices that exist on all mount docs - e.g.:

Note: This engine can use external X.509 certificates as part of TLS or signature validation. Verifying signatures against X.509 certificates that use SHA-1 is deprecated and will no longer be usable without a workaround starting in Vault 1.12. See the deprecation FAQ for more information.

I am curious what's outstanding or next here.

mgaffney commented 2 years ago

Yes, I think this issue is still relevant because InfluxDB has still not added support for client certificates and the influxdb-database-plugin can still be configured to use a client certificate. I haven't run any tests to see if it still results in an error but I don't see anything in the code that would prevent it.

Also, in the description of the issue above, I said:

It is unknown if InfluxDB will add support for client certificates.

This is still true; however, it doesn't look like InfluxDB will add support for client certificates anytime soon since influxdata/influxdb#9421 and influxdata/influxdb#9698 were both closed with nothing to replace them.