add support for multiple host auth when requesting db
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
PostgreSQL Charm | Triaged | Medium | Unassigned |
pgsql Interface for charms.reactive | Triaged | Medium | Unassigned |
Bug Description
This is a feature request, not a bug!
I talked about this on the #juju IRC channel but allow me to formally describe the feature request here. When a charm uses the pgsql interface and requests a database through 'set_database()' it would be interesting to have more options to pass through (hosts and users). In my specific use case I request a database in charm A (on host A) but host B also requires access to the database. My charm A provides the details to B (acts as a proxy) but postgresql itself only allows host A in its pg_hba.conf file while an entry for host B should also be made. Allow me to illustrate:
Charm/Host B (x.y.z.b) ---- (connected) ---- Charm/Host A (x.y.z.a) ---- (pgsql interface) ---- postgresql
Feature Request:
Something like this where a list of hosts could be passed as a parameter to the set_database()
```
hosts = ['x.y.z.b']
pgsql.set_
```
or a separate function
```
hosts = ['x.y.z.b']
pgsql.set_
pgsql.allow_
```
So that an entry is added for the same database but for host x.y.z.a in the pg_hba.conf file.
Note that the extra_pg_auth option of the postgresql charm makes it possible but with the above feature no manual steps are needed anymore!
Thanks in advance.
I don't see any problem with this. While clients should not be trusted, this doesn't seem to increase risk.
Update the interface to request a list of CIDRs be given access.
Update the PostgreSQL charm to grant access in pg_hba.conf to the ranges.
pgbouncer does not need to be updated, as it doesn't do IP-level access controls and can just ignore the setting if the interface requests it.
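The reply above proposes that the interface carry a list of CIDRs which the charm then grants in pg_hba.conf, while noting that clients should not be trusted. One way the server side could validate such a list before writing records, as an added example that is not code from the PostgreSQL charm or the pgsql interface; `render_hba_entries`, the prefix limits, the identifier pattern and the auth method are all assumptions:

```python
import ipaddress
import re

# Assumed policy (not from the charm): broadest range a client may request.
MIN_PREFIX = {4: 24, 6: 64}
# Conservative identifier pattern; fullmatch() is used so a trailing newline
# cannot slip through and start a new pg_hba.conf record.
SAFE_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,62}")


def render_hba_entries(database, user, requested_cidrs, method="scram-sha-256"):
    """Validate client-requested CIDRs and build pg_hba.conf 'host' records.

    Returns (lines, rejected) where rejected holds (value, reason) pairs.
    """
    for name in (database, user):
        if not SAFE_NAME.fullmatch(name):
            raise ValueError(f"unsafe identifier: {name!r}")
    lines, rejected, seen = [], [], set()
    for raw in requested_cidrs:
        try:
            # strict=True rejects values with host bits set, e.g. 10.0.0.5/24
            net = ipaddress.ip_network(str(raw).strip(), strict=True)
        except ValueError as exc:
            rejected.append((raw, f"invalid: {exc}"))
            continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            rejected.append((raw, "range too broad"))
            continue
        if net in seen:  # same network requested twice
            continue
        seen.add(net)
        lines.append(f"host {database} {user} {net} {method}")
    return lines, rejected


# Constructed sample input: what a hypothetical client unit might send,
# including a duplicate, an over-broad range and an embedded extra record.
SAMPLE = ["192.0.2.11", "192.0.2.11/32", "0.0.0.0/0", "198.51.100.7/24",
          "2001:db8::5/128", "10.0.0.1 trust\nhost all all"]

if __name__ == "__main__":
    ok, bad = render_hba_entries("appdb", "appuser", SAMPLE)
    print("\n".join(ok))
    for value, reason in bad:
        print(f"# rejected {value!r}: {reason}")
```

Rejected values are returned rather than silently dropped so the charm can log them or surface them in unit status.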