Class SqlCredentialStore

java.lang.Object
google.registry.privileges.secretmanager.SqlCredentialStore

public class SqlCredentialStore extends Object
Storage of SQL users' login credentials, backed by Cloud Secret Manager.

A user's credential is stored with one level of indirection, using two secret IDs. The credential data itself is kept under the secret ID returned by getCredentialDataSecretId(SqlUser, String dbInstance); each version of that secret holds one SqlCredential, serialized with SqlCredential.toFormattedString(). Which of those versions is 'live' is recorded in the 'live pointer' secret explained below.

The pointer to the 'live' version of the credential data is kept under the secret ID returned by getLiveLabelSecretId(SqlUser, String dbInstance); each version of that secret holds a SecretVersionName, in String form, naming one version of the credential data. Only the 'latest' version of this secret should be used; it is guaranteed to point to a valid version of the credential data.

The indirection makes failures in the credential change process easy to handle: a new credential is first written as a new version of the data secret, and the live pointer is advanced only after that write succeeds, so a change that fails partway leaves readers on the previous, still-valid version.
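The following is an added example, not Nomulus code, that walks through the two-secret scheme described above with Cloud Secret Manager replaced by a constructed in-memory stand-in so it runs offline. The secret ID formats, the JSON serialization of SqlCredential, and the fault-injection hook are assumptions for illustration; the real getCredentialDataSecretId, getLiveLabelSecretId and SqlCredential.toFormattedString() may differ. It shows a rotation whose pointer update fails after the data version has been written, and checks that readers still resolve to the old credential.

```python
import json
from dataclasses import dataclass


class FakeSecretManager:
    """Constructed in-memory stand-in for Cloud Secret Manager (not the real client).

    Each secret is an append-only list of versions numbered from 1, so the
    'latest' version is the last element. Version names follow the resource-name
    shape of a SecretVersionName: projects/<p>/secrets/<id>/versions/<n>.
    """

    def __init__(self):
        self._secrets = {}
        # Fault injection for this example only: the next add_version to this
        # secret ID raises, simulating a failed write to Secret Manager.
        self.fail_next_add_to = None

    def add_version(self, secret_id, payload):
        if secret_id == self.fail_next_add_to:
            self.fail_next_add_to = None
            raise RuntimeError(f"simulated outage writing {secret_id}")
        versions = self._secrets.setdefault(secret_id, [])
        versions.append(payload)
        return f"projects/example/secrets/{secret_id}/versions/{len(versions)}"

    def access_latest(self, secret_id):
        return self._secrets[secret_id][-1]

    def access_version(self, version_name):
        _, _, _, secret_id, _, number = version_name.split("/")
        return self._secrets[secret_id][int(number) - 1]

    def version_count(self, secret_id):
        return len(self._secrets.get(secret_id, []))

    def delete_secret(self, secret_id):
        self._secrets.pop(secret_id, None)


@dataclass(frozen=True)
class SqlCredential:
    login: str
    password: str

    def to_formatted_string(self):
        # Assumed serialization; the page does not show the real format.
        return json.dumps({"login": self.login, "password": self.password})

    @staticmethod
    def from_formatted_string(text):
        d = json.loads(text)
        return SqlCredential(d["login"], d["password"])


class SqlCredentialStore:
    """Two-secret indirection: a data secret plus a 'live label' pointer secret."""

    def __init__(self, secret_manager, db_instance):
        self.sm = secret_manager
        self.db_instance = db_instance

    def credential_data_secret_id(self, user):
        return f"sql-cred-data-{self.db_instance}-{user}"  # assumed naming

    def live_label_secret_id(self, user):
        return f"sql-cred-live-label-{self.db_instance}-{user}"  # assumed naming

    def create_or_update_credential(self, user, password):
        # Step 1: write the new credential as a fresh version of the data secret.
        # Nothing reads it yet; the live label still names the old version.
        serialized = SqlCredential(user, password).to_formatted_string()
        data_version = self.sm.add_version(self.credential_data_secret_id(user), serialized)
        # Step 2: publish it by adding a label version naming the new data version.
        # If this write fails, readers keep resolving to the previous valid version.
        self.sm.add_version(self.live_label_secret_id(user), data_version)

    def get_credential(self, user):
        # Only the latest label version is consulted, then dereferenced.
        version_name = self.sm.access_latest(self.live_label_secret_id(user))
        return SqlCredential.from_formatted_string(self.sm.access_version(version_name))

    def delete_credential(self, user):
        # Remove the pointer first so no reader resolves to data about to vanish.
        self.sm.delete_secret(self.live_label_secret_id(user))
        self.sm.delete_secret(self.credential_data_secret_id(user))


def demo_failed_rotation():
    """Two successful rotations, then one whose pointer update fails.

    Returns (live password, data versions, label versions, unpublished latest data password).
    """
    sm = FakeSecretManager()
    store = SqlCredentialStore(sm, "nomulus-db")
    store.create_or_update_credential("registrar", "pw-v1")
    store.create_or_update_credential("registrar", "pw-v2")
    sm.fail_next_add_to = store.live_label_secret_id("registrar")
    try:
        store.create_or_update_credential("registrar", "pw-v3")
    except RuntimeError:
        pass  # data version 3 was written; the live label was not advanced
    live = store.get_credential("registrar")
    latest_data = SqlCredential.from_formatted_string(
        sm.access_latest(store.credential_data_secret_id("registrar")))
    return (live.password,
            sm.version_count(store.credential_data_secret_id("registrar")),
            sm.version_count(store.live_label_secret_id("registrar")),
            latest_data.password)


if __name__ == "__main__":
    print(demo_failed_rotation())  # ('pw-v2', 3, 2, 'pw-v3')
```

The ordering is the whole point: the data version is written before the label version, never the other way round, so a reader that only ever follows the latest label version cannot observe a half-finished change. The same ordering applies against the real service; note that superseded data versions stay readable there until they are explicitly disabled or destroyed, so a rotation is not complete from a security standpoint until the old versions are retired.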

  • Method Details

    • getCredential

      public SqlCredential getCredential(SqlUser user)
    • createOrUpdateCredential

      public void createOrUpdateCredential(SqlUser user, String password)
    • deleteCredential

      public void deleteCredential(SqlUser user)