Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

DEVOPS-30643: adds pgbouncer config to set the role before running SQL commands. #391

Merged
merged 3 commits into from
Jan 14, 2025
Merged

DEVOPS-30643: adds pgbouncer config to set the role before running SQL commands. #391

merged 3 commits into from
Jan 14, 2025

Conversation

leandrorichardtoledo
Copy link
Contributor

  • This adds the server_reset_query configuration to pgbouncer.ini file to allow the queries to be executed with the role (spire-user) and not the user (spire-user_a);

@leandrorichardtoledo leandrorichardtoledo self-assigned this Jan 14, 2025
drewwells
drewwells reviewed Jan 14, 2025
View reviewed changes
Copy link
Contributor

@drewwells drewwells left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there any test you can add to verify the role permission behavior?

dbproxy/pgbouncer/config.go Outdated
@@ -156,6 +96,9 @@ func parseURI(c *PGBouncerConfig, dsn string) error {
return fmt.Errorf("invalid_scheme: %s", u.Scheme)
}

// Remove the _<a|b> suffix from the username.
c.RoleName = strings.Split(u.User.Username(), "_")[0]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we be more explicit here and pass in the exact role name ?
We don't prevent developers from putting _ in their username and then this parsing would fail.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pushed the change.

@leandrorichardtoledo
Copy link
Contributor Author

@drewwells

Is there any test you can add to verify the role permission behavior?

I ran the test I described in the ticket DEVOPS-30643;
The next test I was looking for was to merge this and test on boxes 3 and 4 with the spire server.

@leandrorichardtoledo @drewwells
Update dbproxy/pgbouncer/config.go
6afac31 
Co-authored-by: Drew Wells <dwells@infoblox.com>
@leandrorichardtoledo leandrorichardtoledo merged commit 84f1a71 into main Jan 14, 2025
3 checks passed
@leandrorichardtoledo leandrorichardtoledo deleted the DEVOPS-30643 branch January 14, 2025 17:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@drewwells drewwells drewwells approved these changes

@bfabricio bfabricio Awaiting requested review from bfabricio

Assignees

@leandrorichardtoledo leandrorichardtoledo

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@leandrorichardtoledo @drewwells