Feature dynamic hba #412
Feature dynamic hba #412
Conversation
|
./test does not launch on OSX either |
aeafb6b to
28caa8f
Compare
There was a problem hiding this comment.
@t0k4rt Thanks for the PR!
We develop and test stolon on GNU/Linux so it isn't tested on macosx (but github.com/sorintlab/tcpkeepalive/tcpkeepalive should be fixed to at least compile on macosx).
As an initial review:
-
you should drop the
updated vendormega commit which add tons of files without explaining the reasons. If you have to update some vendored dependencies please open another different issue/PR explaining the reasons. -
Changing the generated hba entries will probably break the current behavior for someone reyling on it also for external replication. It'll be better to enable it only if a cluster spec option is set. For example we could define an option called
DefaultReplAccessthat can have two values:all(default) andonlyfollowers. -
See the other inline comments.
cmd/keeper/keeper.go
Outdated
| @@ -1512,7 +1513,8 @@ func (p *PostgresKeeper) postgresKeeperSM(pctx context.Context) { | |||
|
|
|||
| if !reflect.DeepEqual(db.Spec.PGHBA, pgm.CurHba()) { | |||
| log.Infow("postgres hba entries changed, reloading postgres instance") | |||
| pgm.SetHba(db.Spec.PGHBA) | |||
| // Dynamicly generate hba auth from clusterData | |||
| pgm.SetHba(append(db.Spec.PGHBA, p.generateHBA(cd)...)) | |||
There was a problem hiding this comment.
The generated hba entries should be inserted before the user provided hba entries.
cmd/keeper/keeper.go
Outdated
| @@ -1512,7 +1513,8 @@ func (p *PostgresKeeper) postgresKeeperSM(pctx context.Context) { | |||
|
|
|||
| if !reflect.DeepEqual(db.Spec.PGHBA, pgm.CurHba()) { | |||
| log.Infow("postgres hba entries changed, reloading postgres instance") | |||
| pgm.SetHba(db.Spec.PGHBA) | |||
| // Dynamicly generate hba auth from clusterData | |||
| pgm.SetHba(append(db.Spec.PGHBA, p.generateHBA(cd)...)) | |||
There was a problem hiding this comment.
don't append again here but do the append directly inside generateHBA.
|
No Problems, I'll change that ! |
don't worry and welcome to the wonderful world of Go! Feel free to ask for any doubt (here on on gitter). |
ed08ded to
470480e
Compare
|
Hi, I updated the code as requested. In case user select all:
In case user select standby:
I tested the binary on a linux server, it works as expected. |
cmd/keeper/keeper.go
Outdated
| @@ -89,6 +89,7 @@ type config struct { | |||
| pgSUPasswordFile string | |||
| pgInitialSUUsername string | |||
| pgInitialSUPasswordFile string | |||
| defaultReplAccess string | |||
There was a problem hiding this comment.
Sorry, I meant to set it as a cluster spec option, so it could be set globally: https://github.com/sorintlab/stolon/blob/master/pkg/cluster/cluster.go#L186
cmd/keeper/keeper.go
Outdated
| fmt.Sprintf("host all %s %s %s\n", p.pgSUUsername, "::0/0", p.pgSUAuthMethod), | ||
| ) | ||
| // allow only for master server replication access | ||
| if role == common.RoleMaster { |
There was a problem hiding this comment.
This is a change from the current behaviour and it's breaking the standby cluster feature and related tests. So it should be removed.
There was a problem hiding this comment.
I don't understand why it breaks.
Master pg_hba should only allow replication user to connect from standby servers.
Disbaled or enabling replication user on standby server should not have any effects.
When a standby server is promoted, its pg_hba should be automatically updated and would contain the right rules.
There was a problem hiding this comment.
Stolon can also be in standby cluster mode. In this case the master keeper manages a standby instance that will sync with an external instance. So the other keepers will sync from it (cascading replication) and the above check will break.
I suggested to just remove it because to keep backward compatibility with "all" mode we have to keep the previous rules.
There was a problem hiding this comment.
Ok, changes done. It should be ok !
|
I got during tests this issue, So I'm going to do more tests |
pkg/cluster/cluster.go
Outdated
| // Allow hba access to all members (0.0.0.0/0) | ||
| PgHBAAccessAll PgHBAAccessMode = "all" | ||
| // Allow hba access to standby server only | ||
| PgHBAAccessStandby PgHBAAccessMode = "standby" |
cmd/keeper/keeper.go
Outdated
| // Dynamically generate hba auth from clusterData | ||
| var hbaBase []string | ||
|
|
||
| if cluster.PgHBAAccessAll == *cd.Cluster.Spec.PgHBAAccess { |
There was a problem hiding this comment.
Use cd.Cluster.DefSpec().PgHBAAccess or you'll miss the default values when not provided and it'll panic like done now on semaphore.
cmd/keeper/keeper.go
Outdated
| // Dynamically generate hba auth from clusterData | ||
| var hbaBase []string | ||
|
|
||
| if cluster.PgHBAAccessAll == *cd.Cluster.Spec.PgHBAAccess { |
pkg/cluster/cluster.go
Outdated
| @@ -243,6 +259,10 @@ type ClusterSpec struct { | |||
| ExistingConfig *ExistingConfig `json:"existingConfig,omitempty"` | |||
| // Standby setting when role is standby | |||
| StandbySettings *StandbySettings `json:"standbySettings,omitempty"` | |||
| // Set default hba auth for replication user and superuser. | |||
| // Values can be "all" or "standby", "all" allow access to all ips, "standby" restrict master access to standby servers ips. | |||
pkg/cluster/cluster.go
Outdated
| // Set default hba auth for replication user and superuser. | ||
| // Values can be "all" or "standby", "all" allow access to all ips, "standby" restrict master access to standby servers ips. | ||
| // default is "all" | ||
| PgHBAAccess *PgHBAAccessMode `json:"pgHBAAccess,omitempty"` |
There was a problem hiding this comment.
I'll call this DefaultSUReplAccessMode, longer but a bit clearer. Other Suggestions?
There was a problem hiding this comment.
We could use:
- DefaultSUReplAccessMode as option
- SUReplAccessMode as type
- DefaultSUReplAccess as default value
- SUReplAccessAll and SUReplAccessStrict as option names
Is it ok for you ?
cmd/keeper/keeper.go
Outdated
| @@ -1510,9 +1511,11 @@ func (p *PostgresKeeper) postgresKeeperSM(pctx context.Context) { | |||
| log.Infow("postgres parameters not changed") | |||
| } | |||
|
|
|||
| if !reflect.DeepEqual(db.Spec.PGHBA, pgm.CurHba()) { | |||
| // Dynamicly generate hba auth from clusterData | |||
| new_hba := p.generateHBA(cd, localRole, db.Spec.PGHBA) | |||
|
@sgotti I've got an issue when I try to update my ClusterSpec, |
| // TODO(sgotti) Configure this dynamically based on our followers provided by the clusterview | ||
| f.WriteString(fmt.Sprintf("host replication %s %s %s\n", p.replUsername, "0.0.0.0/0", p.replAuthMethod)) | ||
| f.WriteString(fmt.Sprintf("host replication %s %s %s\n", p.replUsername, "::0/0", p.replAuthMethod)) | ||
|
|
||
| if p.hba != nil { | ||
| for _, e := range p.hba { | ||
| f.WriteString(e + "\n") |
There was a problem hiding this comment.
You have forgot to handle the "else" case below inside generateHBA. Here it'll always be skipped since p.hba is never empty.
There was a problem hiding this comment.
Ok, this means that previously, when p.hba was empty, the generated hba was:
host replication repluser 0.0.0.0/0 md5
host replication repluser ::0/0 md5
host all superuser 0.0.0.0/0 md5
host all superuser ::0/0 md5
host all all 0.0.0.0/0 md5
host all all ::0/0 md5
which is same as this:
host all all 0.0.0.0/0 md5
host all all ::0/0 md5
but simpler so I think this should be the result in "all" access mode.
In "strict" access mode we should not use this rule.
There was a problem hiding this comment.
Not always, the first lines can have a different auth method than md5 (currently only trust but in future other methods could be added), while the last lines are added only if there's no user provided pgHBA and always have md5. I'd prefer to not change the current logic.
There was a problem hiding this comment.
Yes you're right !
For the strict mode, I still would prefer not to add this rule.
There was a problem hiding this comment.
It may be confusing but these are two separate things. The first lines (the one affected by this patch to set the DefaultSuReplAccessMode) are for instance replication, the latter is a default when the user doesn't provide a PGHBA. So I'll leave them distinct and not make DefaultSuReplAccessMode change this.
There was a problem hiding this comment.
Ok I understand !
Can I plan a DefaultUserAccessMode feature ?
There was a problem hiding this comment.
@t0k4rt you can already do the same providing an empty (not nil) pgHBA in the clusterspec. No need for a new options.
cmd/keeper/keeper.go
Outdated
| hbaBase = append( | ||
| hbaBase, | ||
| fmt.Sprintf("host all %s %s %s\n", p.pgSUUsername, "0.0.0.0/0", p.pgSUAuthMethod), | ||
| fmt.Sprintf("host all %s %s %s\n", p.pgSUUsername, "::0/0", p.pgSUAuthMethod), |
There was a problem hiding this comment.
remove \n in all the lines or an empty line will be added
What do you mean by "not persisted"? I tried a stolonctl patch and it has been applied to the cluster spec and the pghba file has been updated (with some problems, see my comments) by the keepers. |
|
@sgotti Ok the not persisted issue is because I've got a cluster running two different versions of the keeper. The other keeper does not know the new key so it might removes it. |
The unique component that writes the cluster data is the sentinel (and stolonctl) so perhaps you had an old sentinel. |
pkg/postgresql/postgresql.go
Outdated
| @@ -713,30 +713,14 @@ func (p *Manager) writePgHba() error { | |||
|
|
|||
| // Minimal entries for local normal and replication connections needed by the stolon keeper | |||
| // Matched local connections are for postgres database and suUsername user with md5 auth | |||
| // Matched local replicaton connections are for replUsername user with md5 auth | |||
| // Matched local replication connections are for replUsername user with md5 auth | |||
| f.WriteString(fmt.Sprintf("local postgres %s %s\n", p.suUsername, p.suAuthMethod)) | |||
| f.WriteString(fmt.Sprintf("local replication %s %s\n", p.replUsername, p.replAuthMethod)) | |||
There was a problem hiding this comment.
In the meantime I'll also move these lines in generateHBA and make writePgHba() a function that just writes the pgHBA file without custom logic inside.
cmd/keeper/keeper.go
Outdated
| "host all all 0.0.0.0/0 md5", | ||
| "host all all ::0/0 md5", | ||
| ) | ||
| } |
There was a problem hiding this comment.
this must be at the end. After the stolon generated rules.
cmd/keeper/keeper.go
Outdated
| } | ||
|
|
||
| // when no custom hba is set, we default to open to all | ||
| if len(userHba) == 0 { |
There was a problem hiding this comment.
don't use len but check if it's nil or not like currently done. So you can distinguis between a not provided (nil) or a provided but empty pgHBA.
pkg/cluster/cluster.go
Outdated
| @@ -243,6 +257,10 @@ type ClusterSpec struct { | |||
| ExistingConfig *ExistingConfig `json:"existingConfig,omitempty"` | |||
| // Standby setting when role is standby | |||
| StandbySettings *StandbySettings `json:"standbySettings,omitempty"` | |||
| // Set default hba auth for replication user and superuser. | |||
| // Values can be "all" or "strict", "all" allow access to all ips, "strict" restrict master access to standby servers ips. | |||
pkg/cluster/cluster.go
Outdated
| @@ -243,6 +257,10 @@ type ClusterSpec struct { | |||
| ExistingConfig *ExistingConfig `json:"existingConfig,omitempty"` | |||
| // Standby setting when role is standby | |||
| StandbySettings *StandbySettings `json:"standbySettings,omitempty"` | |||
| // Set default hba auth for replication user and superuser. | |||
There was a problem hiding this comment.
Define the mode of the default hba rules needed for replication by standby keepers (the su and repl auth methods will be the one provided in the keeper command line options)
There was a problem hiding this comment.
Thanks for the patience. A batch of some other comments.
Can you also update the clusterspec doc to add the new parameter?
cmd/keeper/keeper.go
Outdated
| // allow only for master replication access | ||
| if role == common.RoleMaster { | ||
| // we should not allow replication acces for 127.0.0.1 since it can be then forwarded through proxy. | ||
| for _, db := range cd.DBs { |
cmd/keeper/keeper.go
Outdated
| ) | ||
| // allow only for master replication access | ||
| if role == common.RoleMaster { | ||
| // we should not allow replication acces for 127.0.0.1 since it can be then forwarded through proxy. |
There was a problem hiding this comment.
This will break the standby cluster cascading replication, we should also match a master keeper that has a standby role in a standby cluster .
I suggest to add a function like (similar to
stolon/cmd/sentinel/sentinel.go
Line 452 in 70464d3
// IsMaster return if the db is the cluster master db.
// A master is a db that:
// * Has a master db role
// or
// * Has a standby db role with followtype external
func IsMaster(db *cluster.DB) bool {
switch db.Spec.Role {
case common.RoleMaster:
return true
case common.RoleStandby:
if db.Spec.FollowConfig.Type == cluster.FollowTypeExternal {
return true
}
return false
default:
panic("invalid db role in db Spec")
}
}
Then change generateHBA role common.Role parameter to master bool and use it in the above check
BTW It's not triggered by the tests because the new SUReplAccessStrict isn't tested anywhere. We should add/change some integration tests to also test this option. Perhaps I can do this in another PR.
There was a problem hiding this comment.
No problems, I'll check that !
I'll update the cluster spec too
Concerning an integration test I'll check too but not sure I'll managed to do something good enough ...
There was a problem hiding this comment.
Concerning an integration test I'll check too but not sure I'll managed to do something good enough ...
Don't worry, I could add something later. Unfortunately integration tests of distributed system is quite tedious and complex...
cmd/keeper/keeper.go
Outdated
| if role == common.RoleMaster { | ||
| // we should not allow replication acces for 127.0.0.1 since it can be then forwarded through proxy. | ||
| for _, db := range cd.DBs { | ||
| // allow slaves only to connect as replication user to master |
There was a problem hiding this comment.
better to put the comments above their related code line.
a31fc9f to
c983d48
Compare
|
@sgotti Hello, everything should be fixed. |
There was a problem hiding this comment.
I created in this commit: sgotti@cfc5a03 an unit test for generataHBA. There're also some changes explained in the review comments and discovered thanks to this test. You can just cherry pick it and put it in your branch.
cmd/keeper/keeper.go
Outdated
| // we should not allow replication acces for 127.0.0.1 since it can be then forwarded through proxy. | ||
| computedHBA = append( | ||
| computedHBA, | ||
| fmt.Sprintf("host all %s %s %s", p.pgSUUsername, "127.0.0.1/32", p.pgSUAuthMethod), |
cmd/keeper/keeper.go
Outdated
| computedHBA := []string{ | ||
| fmt.Sprintf("local postgres %s %s\n", p.pgSUUsername, p.pgSUAuthMethod), | ||
| fmt.Sprintf("local replication %s %s\n", p.pgReplUsername, p.pgReplAuthMethod), | ||
| } |
cmd/keeper/keeper.go
Outdated
| // Case strict access mode | ||
| case cluster.SUReplAccessStrict: | ||
| // allow for all servers su access | ||
| // we should not allow replication acces for 127.0.0.1 since it can be then forwarded through proxy. |
There was a problem hiding this comment.
Sorry but I forgot why this is needed. The comment isn't really clear and doesn't looks related to the added rules.
cmd/keeper/keeper.go
Outdated
| computedHBA = append( | ||
| computedHBA, | ||
| fmt.Sprintf("host all %s %s %s", p.pgSUUsername, "127.0.0.0/8", p.pgSUAuthMethod), | ||
| fmt.Sprintf("host all %s %s %s", p.pgSUUsername, "::1/128", p.pgSUAuthMethod), |
There was a problem hiding this comment.
Sorry but I don't remember why these line are needed. If really needed a comment explaining the reason will be useful.
There was a problem hiding this comment.
Actually It's not mandatory since we already have
fmt.Sprintf("local postgres %s %s", p.pgSUUsername, p.pgSUAuthMethod)
I can drop this
|
@t0k4rt Can you import the unit test I made in sgotti@cfc5a03 and squash and rebase against the current master? Thanks! |
|
@sgotti Hello, I couldn't manage to cherry pick your commit so I included the test manually. I hope it's okay. |
|
@t0k4rt unfortunately you have to rebase you branch on the current master and it'll be better if you squash all your commits in only one commit. If you have some problems doing it let me know. |
0a6d0ac to
ed2bf96
Compare
|
@sgotti I think this should be ok, could you check ? |
|
@t0k4rt can you please squash your commits in an unique one? |
e976ee8 to
b173d62
Compare
|
@sgotti I'm sorry, I merged my branch with your master to resolve conflict and squashed commits with rebase. But there are still conflict. Could you help me ? |
|
@t0k4rt I rebased your branch using Take it here: sgotti@1f4d429 |
9565ae8 to
c2db550
Compare
|
@sgotti Is it better now ? I picked your commit into my branch. |
|
@t0k4rt sorry but it's not just my commit (I see 1157 changed files) so it's not rebased on current origin/master. You should do something like this: on your local branch:
then cherry pick my commit. The if you run Then force push your branch to github to update the PR. |
5d8a07f to
8cba671
Compare
|
@sgotti is it okay now ? I started again from sorintlab/stolon master branch. |
|
@t0k4rt We're almost there. I just noticed that the new functions in keeper.go are at the end of the file. I'll prefer to move them before but it's not a big deal. I also see a difference in two comments: |
add a cluster spec `defaultSUReplAccessMode` option that accepts two values: * all (default for backward compatibility) * strict In "strict" mode the generated pg_hba on the master will provide access for superuser and replication connections only from the keepers IPs having a configured standby db. In "all" mode access is granted from every host like always done before this patch.
8cba671 to
b58363e
Compare
|
@sgotti I put all *PostgresKeeper functions together and put the right comments. This should look good ! |
|
@t0k4rt Great! Thanks a lot of work and patience! Merging. |
|
@sgotti Grazie mille ! |
Hello,
We want to deploy Stolon in our architecture, but we noticed that connection to su and repl users are open to the world which is (imho) not good for a secure cluster.
We can deal with this with a firewall rule but I would prefer this to be setup correctly in the pg_hba.conf.
I saw a todo in your code concerning this issue so I decide to propose a fix. I'm not goloang developer nor sure it will match your coding standard or code organization wishes ... but it's a start.
The code simply read the cluster data generate a list of pghba entries and merges it with the
db.Spec.PGHBA.I found this to be the easiest solution.
Important to notice, it does not compile, I've got the current error:
I also changed the default su and repl connection to localhost.
I hope it can be useful for you !
Don't hesitate to tell me how I can improve this.
Thanks for this product !
Alexandre