Initial Implementation

[maxcoulombe]

Overview

• added initial elasticache redis implementation

Contributor Checklist

• Add relevant docs to upstream Vault repository, or sufficient reasoning why docs won’t be added yet
  • Doc will be added when the project is ready for release
• Add output for any tests not ran in CI to the PR description (eg, acceptance tests)

/usr/local/go/bin/go tool test2json -t /tmp/GoLand/___redisElastiCacheClient_test_go.test -test.v -test.paniconexit0 -test.run ^\QTest_generateUserId\E$
=== RUN   Test_generateUserId
=== RUN   Test_generateUserId/compliant_username
=== RUN   Test_generateUserId/short_username
=== RUN   Test_generateUserId/username_too_long
=== RUN   Test_generateUserId/username_with_non-alphanumeric_characters
=== RUN   Test_generateUserId/username_starting_with_a_number
--- PASS: Test_generateUserId (0.00s)
    --- PASS: Test_generateUserId/compliant_username (0.00s)
    --- PASS: Test_generateUserId/short_username (0.00s)
    --- PASS: Test_generateUserId/username_too_long (0.00s)
    --- PASS: Test_generateUserId/username_with_non-alphanumeric_characters (0.00s)
    --- PASS: Test_generateUserId/username_starting_with_a_number (0.00s)
PASS

• Backwards compatible

[austingebauer]

Looking good! Nice job on including the Terraform config for setting things up. I left a few suggestions/questions. It'd also be good to get the rest of the team added for review on this.

[austingebauer]

Nice! 👍

[austingebauer]

If we end up allowing our users to configure a username template, we should consider the potential for collision when using this function to derive the ID from the username. Perhaps there is a favorable alternative that we can come up with.

[maxcoulombe]

I was not completely sure about this strategy of generating a userid from the username tbh, I'm happy to discuss the pros and cons.

We could:

• Add constraints so userId == username at all times
• Generate random userId and use Elasticache's API to fetch and filter by username to get the userId over the network
• Do what we do here and have a deterministic way to generate a userId from the information given by Vault

[austingebauer]

I'm good with option 1 or 3. Option 1 seems workable, but we'd need to validate that constraints are met (esp. when username templates are introduced). For Option 3, it seems unlikely that a collision would occur. I suspect it could if the username template didn't provide sufficient entropy.

I'd say let's go with 3 for now. We can re-evaluate when username templates come in.

[fairclothjm]

I know this is just the initial implementation but have you considered any locking strategies?

[maxcoulombe]

Good question, I'm looking at it right now as part of the user group support.

AWS usually handle locking on their side. Whenever you add, modify or delete a resource on most of their APIs the resource changes status and you can only execute a subsequent request once the status goes back to "Active".

So most likely the locking strategy will be to rely on the AWS status but I still have to test and read more about this.

[maxcoulombe]

For people who already reviewed, this is a behaviour change that was introduced in between the updates.

We talked and decided that the format for the creation statements should be a list of strings instead of a string.
We also decided to handle the "ON" keyword for the users so they can give it or omit it at their preference. With this decision we also forbid the creation of disabled or "OFF" users as using vault to manage disabled users seems pointless.
Finally we decided that if no creation commands is given we'd create a general purpose read-only user as the default behavior.

[austingebauer]

SGTM. The tests helped me understand the behavior here. Nice job on those!

[austingebauer]

Nit: A small comment on what this function does would help future readers understand quickly. Details you shared in files#r954459565 would be perfect.

[fairclothjm]

would strings.Contains(accessString, "off") be sufficient? Or are the spaces required here because off could occur in another context?

[maxcoulombe]

It could occur in another context. For example, if an eshop business caches special offers in Redis using the key pattern:
offer-summer-sales
And they try to create a user that has access to only the cache entries for these special offers they'd try to configure the role with:
on ~offer-* +@read
which would block them and return an erroneous error message even if the rules are legitimate.

It really needs to be the keyword "off" all by itself.

Would it be more readable with a word-boundary regex? \boff\b

[fairclothjm]

Thanks for verifying! That makes sense -- assuming key patterns cannot contain spaces.

Yeah my initial thought was to use a regex. But that is just a nitpick. I am good with either one.

[austingebauer]

LGTM!