error: Username used null #16

Open
msteijaert opened this issue Jan 19, 2024 · 7 comments

@msteijaert

I have tried to use dbeaver-vault to connect to an Oracle database, but I got an error message:

Unexpected driver error occurred while connecting to the database
  NullPointerException
  java.lang.NullPointerException

When I checked the logs, I noticed this message: "Username used null", which is written by this line:

log.info("Username used " + value.getResponse().getData().getUsername());
(https://github.com/premium-minds/dbeaver-vault/blob/master/plugin/src/com/premiumminds/dbeaver/vault/VaultAuthModel.java#L112)

From the above I understand that the code looks for the field response['data']['username'], while the actual Vault secret json has an additional 'data' level: response['data']['data']['username']. For example:

{
  "request_id": "bccc8aba-8b01-45f5-dbf4-3c7c8f455c45",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "data": {
      "host": "myhost.com",
      "password": "mySecretPassword",
      "port": "1521",
      "sid": "XYZ",
      "username": "myusername"
    },
    "metadata": {
      "created_time": "2024-01-18T11:31:15.945012314Z",
      "custom_metadata": null,
      "deletion_time": "",
      "destroyed": false,
      "version": 2
    }
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}

@froque
Member

froque commented Jan 19, 2024

That JSON response is very different from what I get.

From running https://github.com/premium-minds/dbeaver-vault/blob/master/docker-postgres-vault-example.sh

❯ vault read -format=json database/creds/readonly              
{
  "request_id": "d0c40e3f-3f45-dc06-323c-e119c13f6de2",
  "lease_id": "database/creds/readonly/XD6GcA3ye59puBDJ1K7KEIRs",
  "lease_duration": 3600,
  "renewable": true,
  "data": {
    "password": "x6x1Ls-KUMZ9VO39fJVO",
    "username": "v-token-readonly-P8mmWM9FzPHtsr0IRv4s-1705657418"
  },
  "warnings": null
}

❯ vault -version                                  
Vault v1.15.4 (9b61934559ba31150860e618cf18e816cbddc630), built 2023-12-04T17:45:28Z

@msteijaert
Author

It looks like our Vault instance is using KV secrets version 2, while yours is using version 1. (Compare https://hvac.readthedocs.io/en/stable/overview.html#kv-secrets-engine-version-2 with https://hvac.readthedocs.io/en/stable/overview.html#kv-secrets-engine-version-1). This also explains why I had to add the "secret/data/" prefix to the path in the Secret field to avoid a ClosedChannelException.

It looks like version 2 is now the default. Would it be possible to add support for version 2 as well?

@froque
Member

froque commented Jan 19, 2024

> I have tried to use dbeaver-vault to connect to an Oracle database

I missed this. This plugin has only been tested for PostgreSQL.

@msteijaert
Author

> > I have tried to use dbeaver-vault to connect to an Oracle database
>
> I missed this. This plugin has only been tested for PostgreSQL.

I have the impression that that should not make a difference. Both for PostgreSQL and Oracle there are username and password fields that can be filled with values that are extracted from Vault.

@froque
Member

froque commented Jan 19, 2024

You are talking about the KV secrets engine, but this plugin is targeting the database secrets engine.

Supporting the KV secrets engine would be problematic due to the lack of schema for the value in each key (someone could use user, others use username, etc.).

Any reason for not using the database secrets engine? It does support Oracle.

@froque
Member

froque commented Jan 19, 2024

For the hvac python library the relevant section would be https://hvac.readthedocs.io/en/stable/usage/secrets_engines/database.html#enable-database-secrets-engine

@msteijaert
Author

@froque, thanks for the explanation. I was not aware of the existence of the database secrets engine. Unfortunately that is not enabled for our Vault instance (there is nothing I can change about that). So the only way to get this to work would be using the KV secrets engine and a modified version of your plugin.
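
The two response shapes compared in this thread, as an added example that is not part of the thread and not the plugin's code: a Python sketch that reads credentials from either the flat shape (response['data']) or the KV version 2 shape (response['data']['data']) and fails with a clear error instead of yielding a null username. The function name, the exception class and the sample responses are constructed for illustration; the field names are parameters because KV secrets have no fixed schema.

```python
import json

class CredentialShapeError(ValueError):
    """The Vault response does not contain usable credentials."""

def extract_credentials(raw, username_key="username", password_key="password"):
    """Return (shape, username, password) from a Vault read response.

    Hypothetical helper: key names are parameters because a KV secret
    may store the login under 'user', 'username' or anything else.
    """
    body = json.loads(raw)
    data = body.get("data") if isinstance(body, dict) else None
    if not isinstance(data, dict):
        raise CredentialShapeError("response has no 'data' object")
    inner = data.get("data")
    if isinstance(inner, dict) and isinstance(data.get("metadata"), dict):
        shape, fields = "kv-v2", inner   # response['data']['data'][...]
    else:
        shape, fields = "flat", data     # response['data'][...]
    missing = [k for k in (username_key, password_key)
               if not isinstance(fields.get(k), str) or not fields[k]]
    if missing:
        # Report key names only; secret values must never reach the log.
        raise CredentialShapeError(
            f"{shape} response lacks {missing}; keys present: {sorted(fields)}")
    return shape, fields[username_key], fields[password_key]

# Constructed sample responses in the two shapes quoted in the thread.
FLAT = json.dumps({
    "lease_id": "database/creds/readonly/EXAMPLE", "lease_duration": 3600,
    "data": {"username": "v-token-readonly-example", "password": "constructed-pw-1"}})
KV_V2 = json.dumps({"lease_id": "", "data": {
    "data": {"host": "myhost.com", "username": "myusername",
             "password": "constructed-pw-2"},
    "metadata": {"version": 2, "destroyed": False}}})
# Same KV v2 shape, but the secret's author chose 'user' as the key name.
KV_V2_USER = json.dumps({"data": {
    "data": {"user": "myusername", "password": "constructed-pw-3"},
    "metadata": {"version": 2}}})

if __name__ == "__main__":
    for name, raw in (("flat", FLAT), ("kv-v2", KV_V2), ("kv-v2 user", KV_V2_USER)):
        try:
            shape, user, _ = extract_credentials(raw)
            print(f"{name}: shape={shape} username={user}")
        except CredentialShapeError as err:
            print(f"{name}: rejected: {err}")
```

The third sample shows the schema problem raised above: the secret is valid KV v2 but is rejected until the caller passes username_key="user".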
