Database Password Rotation Support (Proxy Authentication)
To simplify rotating database passwords, follow these steps:
- Configure a mapping of the old password to the new password via an HTTP call, using a browser, curl or another tool. A GUI login is required for this step:
http://demoa.heimdalldata.com:8087/api/tlkv/put?key=admin:heimdalltestasdf&value=heimdalltest&ttl=60000
Here, the old username and password are "admin:heimdalltestasdf" and the new password is "heimdall". The ttl is specified in milliseconds, so the above example expires this mapping in 60 seconds.
- Change the password on the DB. At this point, the password failure should be detected by the driver or proxy, and the password will be looked up in the mapping configured with the URL above.
- Rotate the passwords on the application/proxy side within the TTL specified. During this window, the old password will be replaced by the new one automatically. Once the TTL expires, the mapping is lost, and any old passwords will again be rejected.
The goal of this feature is to allow a fixed window during which the old password can still be used to connect to a DB that is configured to use the new password, without errors.
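
The steps above, sketched as an added example (not Heimdall's code): `build_put_url` reproduces the mapping URL format from the first step with percent-encoding for passwords that contain reserved characters, and `RotationWindow` is a toy model of the lookup-on-failure behaviour and TTL expiry. The function and class names, the injectable clock, and the assumption that the server percent-decodes the query string are illustrative.

```python
import time
from urllib.parse import quote, urlencode

API_PATH = "/api/tlkv/put"  # endpoint path as it appears in the URL on this page


def build_put_url(base, user, old_pw, new_pw, window_seconds):
    """Build the mapping URL: key is "user:old_password", ttl is in milliseconds."""
    if window_seconds <= 0:
        raise ValueError("rotation window must be positive")
    params = {
        "key": f"{user}:{old_pw}",
        "value": new_pw,
        "ttl": int(window_seconds * 1000),
    }
    # Keep ":" literal as in the page's URL; encode everything else that is reserved.
    return f"{base.rstrip('/')}{API_PATH}?{urlencode(params, safe=':', quote_via=quote)}"


class RotationWindow:
    """Toy model of the time-limited old-to-new password mapping (assumed semantics)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._map = {}  # "user:old_password" -> (new_password, expiry_time)

    def put(self, key, value, ttl_ms):
        self._map[key] = (value, self._clock() + ttl_ms / 1000.0)

    def resolve(self, user, presented_pw, db_pw):
        """Return the password that reaches the DB, or None if the login is rejected."""
        if presented_pw == db_pw:
            return presented_pw  # already rotated on the application side
        key = f"{user}:{presented_pw}"
        entry = self._map.get(key)
        if entry is None:
            return None  # no mapping: the failure stands
        new_pw, expiry = entry
        if self._clock() >= expiry:
            del self._map[key]  # mapping is lost once the TTL is done
            return None
        return new_pw if new_pw == db_pw else None
```
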