Lookup password for each new connection


ralph.hy...@gmail.com

Nov 22, 2018, 7:22:12 AM
to HikariCP
Hi,

Our app needs to retrieve the DB password from a secrets manager.  There is an agent running adjacent to our app that we talk to when retrieving the password.  Doing this at app startup is no problem.

The problem is that the secrets manager is configured to rotate the password every 90 days (or even before or after that time).

I'm wondering is there a way I can intervene in all calls to driver.connect(jdbcUrl, driverProperties) in order to look up the password from the agent each time? I am aware that this is not a nice approach but I don't seem to have any other choices. I'm assured that the password lookup from the local agent will be fast. On the Oracle server there is also a policy in place whereby the DB account will lock up after 3 failed password connection attempts so it's obviously quite important that I don't allow any stale password attempts.

I see there is a PR for using a password supplier: https://github.com/brettwooldridge/HikariCP/pull/1196 but that is not available yet.

One way I was thinking to handle it was to have a scheduled task run that reads the password from the agent and updates the pool password via the HikariConfigMXBean, but doing this I have noticed the password is not changed in the driverProperties when the next connection request is made to the driver. I've seen other posts relating to this functionality so I'm guessing it should work fine. Can you point to where I'm going wrong with this?

Thanks


Ralph Hyland

Dec 4, 2018, 2:49:38 AM
to hika...@googlegroups.com
Any ideas on this one? Thanks 


Brett Wooldridge

Dec 10, 2018, 2:13:14 PM
to HikariCP
I recommend using the HikariCP MBeans to alter the username/password at runtime.  See this resolved issue.

-Brett

ralph.hy...@gmail.com

Dec 13, 2018, 9:50:39 AM
to HikariCP
Hi Brett,

I'm currently using Spring Boot 2.0.2 which uses HikariCP 2.7.9 so that implementation is not available there.

I will take a look at upgrading to HikariCP 3.1.0 and attempt it.

Thanks
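
The scheduled-task approach discussed in this thread, as an added example that is not code from any of the posters or from the HikariCP project. It assumes a HikariCP version in which a password set through HikariConfigMXBean reaches newly opened connections (per the thread, not the case for the 2.7.9 setup described); the `agentLookup` supplier, the class name and the 30-second interval are hypothetical.

```java
import com.zaxxer.hikari.HikariDataSource;
import com.zaxxer.hikari.HikariPoolMXBean;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import java.util.function.Supplier;

/** Added example: polls a secrets agent and pushes a rotated password into a live pool. */
public final class PasswordRotationTask implements Runnable {
    private final HikariDataSource dataSource;
    private final Supplier<String> agentLookup; // hypothetical call to the local secrets agent
    private String lastApplied;                 // only touched by the single scheduler thread

    public PasswordRotationTask(HikariDataSource dataSource, Supplier<String> agentLookup,
                                String initialPassword) {
        this.dataSource = dataSource;
        this.agentLookup = agentLookup;
        this.lastApplied = initialPassword;
    }

    @Override
    public void run() {
        try {
            String current = agentLookup.get();
            if (current == null || current.isEmpty() || current.equals(lastApplied)) {
                return; // nothing new; never push an empty credential into the pool
            }
            // Physical connections opened after this call authenticate with the new password.
            dataSource.getHikariConfigMXBean().setPassword(current);
            // Retire connections opened with the old password: idle ones now,
            // in-use ones when they are returned to the pool.
            HikariPoolMXBean pool = dataSource.getHikariPoolMXBean();
            if (pool != null) { // null until the pool has been started
                pool.softEvictConnections();
            }
            lastApplied = current;
        } catch (RuntimeException e) {
            // Keep the last known password and keep the schedule alive; an uncaught
            // exception would cancel all further runs. Log the type only, never the secret.
            System.err.println("password refresh failed: " + e.getClass().getName());
        }
    }

    /** Constructed polling interval; pick one well inside the rotation window. */
    public static ScheduledExecutorService schedule(PasswordRotationTask task) {
        ScheduledExecutorService ses = Executors.newSingleThreadScheduledExecutor();
        ses.scheduleWithFixedDelay(task, 30, 30, TimeUnit.SECONDS);
        return ses;
    }
}
```

With the three-failed-attempts lockout policy mentioned in the first post, the gap between rotation and the next poll is the window in which a new connection could still present the old password, so the interval should be short relative to how the secrets manager phases out the previous credential.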