Support display_name in mysql db plugin query map #8246

Open
bigman3 opened this issue Jan 27, 2020 · 1 comment

bigman3 commented Jan 27, 2020

Is your feature request related to a problem? Please describe.
Map the MySQL generated username to an entity display name. As far as I understand, this mapping is not available anywhere, and there is no way to correlate the randomly generated user name to the entity.

Describe the solution you'd like
Add display name as a parameter available for prepared statement.
With this supported, we would be able to manage a mapping/metadata table outside of Vault, by adding a creation statement using the displayName parameter.

Append displayName derived from usernameConfig to the queryMap in mysql.go plugin implementation:
```go
queryMap := map[string]string{
	"name":       username,
	"password":   password,
	"expiration": expirationStr,
}
```

Describe alternatives you've considered
An external wrapping API, which will forward the database/creds/role request and also manage the mapping.

pcman312 commented Feb 24, 2021

Hi @bigman3! If I understand your request correctly, you would like to apply the DisplayName provided via Vault somewhere within the creation statements. The display name comes from the Vault token and is usually something like token, token-displayname, userpass, etc. Is this the data you would like to see, or do you want the name of the role created in the database engine?

In Vault 1.7 (coming soon) we are introducing the idea of username_template to some* of our secret engines. This will give the ability to fully customize how a username is generated prior to passing that username to the appropriate statements run in the database. Each engine will default to the current behavior, but this will allow for customization if that default does not suit their needs.

This will give users the ability to specify all aspects of a username, including where (or if) the DisplayName and RoleName are used. This was designed to give users more control over matching a dynamic username to a particular group/person/entity within their organization; however, it can also be used to match unusual requirements for usernames that are not handled by the default username generation.

There will be docs available through https://www.vaultproject.io once 1.7 is released that will describe this in more detail, but I wanted to give you a heads up for this new feature coming soon!

Does this help solve your problem? If not, please let us know.

* - engines supported in 1.7: PostgreSQL, MSSQL, MySQL, MongoDB (not MongoDB Atlas), Cassandra, Oracle, Couchbase, and OpenLDAP
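
The idea discussed in this thread, as an added example that is not part of the issue and is not Vault's code or template syntax: a username built from a template that places DisplayName and RoleName, plus a reverse lookup so an operator can tie a dynamic database user back to its requester. The template string, the `clean`, `truncate` and `random` helpers, the `v_` prefix and the 32-character limit passed in `main` are all assumptions of this sketch.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"regexp"
	"strings"
	"text/template"
)

// ExampleTemplate is constructed for this example; "_" separates the fields.
const ExampleTemplate = `v_{{.DisplayName | clean | truncate 10}}_{{.RoleName | clean | truncate 10}}_{{random 8}}`
var notAllowed = regexp.MustCompile(`[^A-Za-z0-9-]`)

// funcs are local stand-ins written for this example, not Vault's own helpers.
var funcs = template.FuncMap{
	"clean":    func(s string) string { return notAllowed.ReplaceAllString(s, "-") }, // keeps "_" unambiguous
	"truncate": func(n int, s string) string { return fmt.Sprintf("%.*s", n, s) },
	"random": func(n int) (string, error) {
		b := make([]byte, n)
		_, err := rand.Read(b)
		return fmt.Sprintf("%x", b)[:n], err
	},
}

// RenderUsername executes tmpl and rejects a result longer than maxLen.
func RenderUsername(tmpl, display, role string, maxLen int) (string, error) {
	t, err := template.New("username").Funcs(funcs).Parse(tmpl)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err = t.Execute(&sb, map[string]string{"DisplayName": display, "RoleName": role}); err != nil {
		return "", err
	}
	if sb.Len() > maxLen {
		return "", fmt.Errorf("username is %d bytes, limit is %d", sb.Len(), maxLen)
	}
	return sb.String(), nil
}

// Correlate recovers the display name and role name from a generated username.
func Correlate(u string) (display, role string, ok bool) {
	if p := strings.Split(u, "_"); len(p) == 4 && p[0] == "v" {
		return p[1], p[2], true
	}
	return "", "", false
}

func main() { fmt.Println(RenderUsername(ExampleTemplate, "token-alice_ops", "readonly", 32)) }
```

Because both fields are truncated, the recovered display name is a prefix of the original, so two long display names can collide after truncation; an audit lookup should treat it as a hint and confirm against Vault's own records.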
