Use case: database credential rotation

Now that we know how to create custom workflow step script plugin in the hello world tutorial, let’s walk through a real world use case: rotation database credentials. Credential rotation has traditionally been a complicated, thankless administrative chore. It’s the type of work that might be labeled toil and exactly the kind of work that Rundeck has been designed to streamline.

The end result of this tutorial as well as a Docker environment to run it in can be found on GitHub

The problem

What’s difficult about database credential rotation?

• It involves multiple steps across multiple nodes in your production cluster.
• It’s necessary to handle secrets in the form of the new credentials you’re creating, plus credentials of a super user that can create the new login.
• Manually run steps are error prone and mistakes can potentially cause a site-wide outage if your app can’t authenticate with the database anymore.

Addressing the problem with Rundeck

By creating a custom script plugin to interact with the database, its downstream clients and the Rundeck Key Storage, we can automate the creation and deployment of the new credentials as well as safely handle the decomissioning of the old credentials.

Secure secrets handling

Since the Key Storage stores the credentials, the administrator triggering the credential rotation doesn’t ever need to see the actual credentials of the database super user or the newly generated database user.

Critical logic is tested ahead of time

The logic for creating the database login is encapsulated in a script that has been tested prior to actually needing to rotate the credentials, so we avoid putting a human in the stressful, error-prone situation of having to figure out correct syntax to run on a live system on the fly.

Similarly, the app restart logic is encapsulated as well, with health check logic as an extra safety measure to halt the process in case something has gone wrong before applying the change to the whole cluster.

Ease of use encourages proactive security

Lastly, by creating a single button solution to rotate database credentials, we’re much more likely to rotate our credentials on a regular basis to mitigate potential security risks, rather than only after a security incident has already occured.

Automating credential rotation with Rundeck

In order to automate the credential rotation, we need to automate the individual steps, then orchestrate the steps in a single process. The steps we want to automate are:

• Creating a new database login
• Updating the application configuration to use the new database login
• Restarting the applications to apply the configuration change
• Deleting the old database login

Restarting the apps

We can start with restarting the applications because that’s something we can test on its own before proceeding. We’ll create a new plugin metadata file rundeck-plugins/db-creds/plugin.yaml:

name: Database credential management
version: 1
rundeckPluginVersion: 1.2
author: Carlo Cabanilla
date: 2018-07-20
url: http://rundeck.org/
providers:
  - name: RestartApp
    service: RemoteScriptNodeStep
    plugin-type: script
    script-interpreter: /bin/bash
    script-file: restart.sh
    script-args: ${config.process} ${config.health_url}
    config:
      - type: String
        name: process
        title: process
        description: the process to restart
      - type: String
        name: health_url
        title: health_url
        description: the http endpoint to poll to check that it's healthy
        default: http://localhost:8080

Our restart script takes 2 parameters: the name of the process on the node, and a url that we can poll to check that it’s healthy. The implementation of the restart script is specific to the Docker playground environment so we’ll leave out the details, but from a high level it:

• Kills the process and lets the supervising parent process restart it
• Polls the health check url until it returns healthy or times out
• Exits with an error code if it times out to let the calling process know whether to continue or not with downstream steps

In order to be able to run the restart, we create a job that specifies the nodes to run it on and the input parameters. rundeck-project/jobs/RestartApp.yaml:

- name: RestartApp
  uuid: RestartApp
  nodefilters:
    filter: web_.*
  sequence:
    commands:
    - configuration:
        health_url: http://localhost:8080
        process: python3
      nodeStep: true
      type: RestartApp
    keepgoing: false
    strategy: node-first

We specify a uuid here so that we know how to refer to it from other jobs, otherwise Rundeck will assign a random uuid.

We can test the restart using our playground Docker environment:

make rd-run-job JOB=RestartApp

# Found matching job: RestartApp RestartApp
# Execution started: [5] RestartApp /RestartApp <http://127.0.0.1:4440/project/hello-project/execution/show/5>
Restarting python3 app
Waiting for app to stop
Waiting for app to start and return 200
Done
Restarting python3 app
Waiting for app to stop
Waiting for app to start and return 200
Done

Modifying the app config

Now we can create a step to update the configured database login on the application nodes. In your production environment you might use a configuration management tool like Ansible or Chef to accomplish this but here we use a simple Python script. We can add this to the providers key of rundeck-plugins/db-creds/plugin.yaml:

  - name: UpdateDBCredentials
    service: RemoteScriptNodeStep
    plugin-type: script
    script-interpreter: /usr/local/bin/python3
    script-file: change_password.py
    script-args: /etc/web.yaml ${config.user} ${config.password}
    config:
      - type: String
        name: user
        title: user
        description: 'db user'
      - type: String
        name: password
        title: password
        description: 'db password'
        renderingOptions:
          valueConversion: "STORAGE_PATH_AUTOMATIC_READ"

Note the valueConversion: "STORAGE_PATH_AUTOMATIC_READ" setting to able to refer to a path in Key Storage for the database password.

Corresponding job config rundeck-project/jobs/UpdateAppConfig.yaml:

- name: UpdateAppConfig
  uuid: UpdateAppConfig
  nodefilters:
    filter: web_.*
  options:
  - label: Database user
    name: dbuser
    required: true
  scheduleEnabled: true
  sequence:
    commands:
    - nodeStep: true
      configuration:
        user: ${option.dbuser}
        password: keys/projects/hello-project/db/${option.dbuser}
      type: UpdateDBCredentials
    keepgoing: false
    strategy: node-first

In the job, we expose an option to the job user to specify the database user to set the config to. We use that value as part of the Key Storage path to look up the password. By using a naming convention for the key path, we hide the details of the Key Storage setup from the job user.

We can test it with:

make rd-run-job JOB=UpdateAppConfig JOB_OPTIONS='-dbuser web2'

# Found matching job: UpdateAppConfig UpdateAppConfig
# Execution started: [6] UpdateAppConfig /UpdateAppConfig <http://127.0.0.1:4440/project/hello-project/execution/show/6>
Updating /etc/web.yaml with db user credentials: web2
Done
Updating /etc/web.yaml with db user credentials: web2
Done

Creating the new db login

Creating a new database login requires a super user database login plus a user and password for the new login. Add this to the providers key of rundeck-plugins/db-creds/plugin.yaml:

  - name: CreateDBUser
    service: RemoteScriptNodeStep
    plugin-type: script
    script-interpreter: /bin/bash
    script-file: create-db-user.sh
    script-args: ${config.master_db_user} ${config.master_db_password} ${config.new_user} ${config.new_password} ${config.role}
    config:
      - type: String
        name: master_db_user
        title: master_db_user
        description: 'master db user'
        default: master1
      - type: String
        name: master_db_password
        title: master_db_password
        description: 'master db user password'
        default: keys/projects/hello-project/db/master1
        renderingOptions:
          valueConversion: "STORAGE_PATH_AUTOMATIC_READ"
      - type: String
        name: new_user
        title: new_user
        description: 'New db user'
      - type: String
        name: new_password
        title: new_password
        description: 'New db password'
        renderingOptions:
          valueConversion: "STORAGE_PATH_AUTOMATIC_READ"
      - type: String
        name: role
        title: role
        description: 'Database role to grant the new user'

Corresponding job config rundeck-project/jobs/CreateDbUser.yaml:

- name: CreateDbUser
  uuid: CreateDbUser
  nodefilters:
    filter: web_1
  options:
  - label: Master db user version
    name: master_user_version
    required: false
    value: '1'
  - label: Web db user version
    name: web_user_version
    required: true
  sequence:
    commands:
    - nodeStep: true
      configuration:
        master_db_user: master${option.master_user_version}
        master_db_password: keys/projects/hello-project/db/master${option.master_user_version}
        new_user: web${option.web_user_version}
        new_password: keys/projects/hello-project/db/web${option.web_user_version}
        role: web
      type: CreateDBUser
    keepgoing: false
    strategy: node-first

make rd-run-job JOB=CreateDbUser JOB_OPTIONS='-web_user_version 2'

# Found matching job: CreateDbUser CreateDbUser
# Execution started: [7] CreateDbUser /CreateDbUser <http://127.0.0.1:4440/project/hello-project/execution/show/7>
GRANT ROLE

Deleting the old db login

Updating rundeck-plugins/db-creds-plugin/plugin.yaml:

  - name: DeleteDBUser
    service: RemoteScriptNodeStep
    plugin-type: script
    script-interpreter: /bin/bash
    script-file: delete-db-user.sh
    script-args: ${config.master_db_user} ${config.master_db_password} ${config.user}
    config:
      - type: String
        name: master_db_user
        title: master_db_user
        description: 'master db user'
        default: master1
      - type: String
        name: master_db_password
        title: master_db_password
        description: 'master db user password'
        default: keys/projects/hello-project/db/master1
        renderingOptions:
          valueConversion: "STORAGE_PATH_AUTOMATIC_READ"
      - type: String
        name: user
        title: user
        description: 'db user to delete'

And the corresponding job rundeck-project/jobs/DeleteDbUser.yaml:

- name: DeleteDbUser
  uuid: DeleteDbUser
  nodefilters:
    filter: web_1
  options:
  - label: Master db user version
    name: master_user_version
    required: false
    value: '1'
  - label: Web db user version
    name: web_user_version
    required: true
  sequence:
    commands:
    - nodeStep: true
      configuration:
        master_db_user: master${option.master_user_version}
        master_db_password: keys/projects/hello-project/db/master${option.master_user_version}
        user: web${option.web_user_version}
      type: DeleteDBUser

make rd-run-job JOB=DeleteDbUser JOB_OPTIONS='-web_user_version 1'

# Found matching job: DeleteDbUser DeleteDbUser
# Execution started: [9] DeleteDbUser /DeleteDbUser <http://127.0.0.1:4440/project/hello-project/execution/show/9>
DROP ROLE

Tying it all together

To tie all the steps together into a single job, we can use job reference steps. rundeck-project/jobs/RotateDbCredentials.yaml:

- name: RotateDbCredentials
  uuid: RotateDbCredentials
  options:
  - label: master_user_version
    name: master_user_version
    value: '1'
  - label: web_user_version
    name: web_user_version
    required: true
  - label: prev_web_user_version
    name: prev_web_user_version
    required: true
  sequence:
    commands:
    - jobref:
        name: CreateDbUser
        uuid: CreateDbUser
        nodeStep: 'true'
        importOptions: true
    - jobref:
        name: UpdateAppConfig
        uuid: UpdateAppConfig
        nodeStep: 'true'
        args: -dbuser web${option.web_user_version}
    - jobref:
        name: RestartApp
        name: RestartApp
        nodeStep: 'true'
    - jobref:
        name: DeleteDbUser
        uuid: DeleteDbUser
        nodeStep: 'true'
        args: -master_user_version ${option.master_user_version} -web_user_version ${option.prev_web_user_version}
    keepgoing: false
    strategy: sequential

We’ll need a new user and password, which we can create in the Key Storage:

echo 'An0th3r!S3cr3t' > rundeck-project/key-storage/keys/projects/hello-project/db/web3

Then running the job should push the new key. We need to specify both the new version and the previous version that needs deleting.

make rd-run-job JOB=RotateDbCredentials JOB_OPTIONS='-web_user_version 3 -prev_web_user_version 2'

# Created: keys/projects/hello-project/db/web3 [password]
# Found matching job: RotateDbCredentials RotateDbCredentials
# Execution started: [7] RotateDbCredentials /RotateDbCredentials <http://127.0.0.1:4440/project/hello-project/execution/show/7>
GRANT ROLE
Updating /etc/web.yaml with db user credentials: web3
Done
Updating /etc/web.yaml with db user credentials: web3
Done
Restarting python3 app
Waiting for app to stop
Waiting for app to start and return 200
Done
Restarting python3 app
Waiting for app to stop
Waiting for app to start and return 200
Done
DROP ROLE

And there you have it: a single command to rotate your database credentials!