
Enable replication connections by default in pg_hba.conf #222


Merged
merged 2 commits into from
Jun 19, 2018


@myii myii commented Jun 13, 2018

Upstream commit:

When installing version 10, default pg_hba.conf additionally contains:

# Allow replication connections from localhost, by a user with the
# replication privilege.
local   replication     all                                     peer
host    replication     all             127.0.0.1/32            md5
host    replication     all             ::1/128                 md5

myii added 2 commits June 13, 2018 02:07
Upstream commit:

- postgres/postgres@be37c21
- 9 Mar 2017
- master REL_11_BETA1 REL_10_4 ... REL_10_BETA1
@aboe76 aboe76 requested a review from noelmcloughlin June 16, 2018 19:02
myii commented Jun 16, 2018

@noelmcloughlin I've just added another commit, to separate the v10+ acls. Now these are only applied when the PostgreSQL server version is 10+. No spamming earlier versions.

Test output for version '9.6' (formatted):

[
    [u'local', u'all', u'all', u'peer'],
    [u'host', u'all', u'all', u'127.0.0.1/32', u'md5'],
    [u'host', u'all', u'all', u'::1/128', u'md5']
]

Test output for version '10' (formatted):

[
    [u'local', u'all', u'all', u'peer'],
    [u'host', u'all', u'all', u'127.0.0.1/32', u'md5'],
    [u'host', u'all', u'all', u'::1/128', u'md5'],
    [u'local', u'replication', u'all', u'peer'],
    [u'host', u'replication', u'all', u'127.0.0.1/32', u'md5'],
    [u'host', u'replication', u'all', u'::1/128', u'md5']
]
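
Added example, not part of this PR or of the formula's code: a Python sketch of the version gate described in the comment above, plus an audit that flags replication rows which are not loopback-only or use a weak auth method. The function names, `WEAK_METHODS` and `SITE_ACLS` are hypothetical; rows are assumed to end with the auth method, as in the formula's defaults.

```python
import ipaddress

# Rows copied from the formula's test output above.
BASE_ACLS = [
    ['local', 'all', 'all', 'peer'],
    ['host', 'all', 'all', '127.0.0.1/32', 'md5'],
    ['host', 'all', 'all', '::1/128', 'md5'],
]
REPLICATION_ACLS = [
    ['local', 'replication', 'all', 'peer'],
    ['host', 'replication', 'all', '127.0.0.1/32', 'md5'],
    ['host', 'replication', 'all', '::1/128', 'md5'],
]
WEAK_METHODS = {'trust', 'password'}  # no auth / cleartext password


def effective_acls(version, base=BASE_ACLS, extra=REPLICATION_ACLS):
    """Version gate: append the replication rows only for PostgreSQL 10+."""
    # float() handles both '9.6' and '10'; a new list avoids mutating defaults.
    return list(base) + (list(extra) if float(version) >= 10 else [])


def audit_replication(acls):
    """Return (row, reason) pairs for replication rows that need review."""
    findings = []
    for row in acls:
        if 'replication' not in row[1].split(','):
            continue  # the 'all' database keyword does not match replication
        if row[-1] in WEAK_METHODS:
            findings.append((row, 'weak auth method: ' + row[-1]))
        if row[0] == 'local':
            continue  # Unix-socket rows carry no address column
        # Six columns means "address netmask" form; join them for parsing.
        addr = row[3] if len(row) == 5 else row[3] + '/' + row[4]
        try:
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            findings.append((row, 'non-IP address, review by hand: ' + addr))
            continue
        if not net.is_loopback:
            findings.append((row, 'reachable beyond loopback: ' + addr))
    return findings


# Constructed sample: a site override that widens replication access.
SITE_ACLS = effective_acls('10') + [
    ['host', 'replication', 'all', '0.0.0.0/0', 'trust'],
    ['host', 'replication', 'repl', '10.0.0.0', '255.0.0.0', 'md5'],
]
```

`audit_replication(effective_acls('10'))` returns no findings for the defaults in this PR, while `audit_replication(SITE_ACLS)` reports the two constructed rows.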

@myii myii force-pushed the PR_psql10_acls branch from f847974 to eb729ff Compare June 16, 2018 20:47
@noelmcloughlin noelmcloughlin left a comment

Thanks @myii for the valuable PR. I just have some minor comments which are easy to resolve.

@@ -2,7 +2,7 @@

postgres:
use_upstream_repo: True
version: '9.5'
version: '10'
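
Review bot: The `version:` default here jumps a major release, from '9.5' to '10', for every minion that does not set `version` in Pillar while `use_upstream_repo: True` is in effect. Suggest calling this out in the README or changelog and recommending that existing deployments pin `version` explicitly, so the change of default does not alter what gets installed on the next highstate.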

Setting 10 as "default" should be okay. Debian stretch ships with version 9.6 but the version parameter is paired with use_upstream_repo: True and version 10 seems to be widely available upstream, and for Debian stretch too. Approved.

@@ -47,6 +47,12 @@ postgres:
- ['host', 'all', 'all', '127.0.0.1/32', 'md5']
# IPv6 local connections:
- ['host', 'all', 'all', '::1/128', 'md5']
acls_v10:
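
Review bot: The new `acls_v10:` key is added without a comment, while the entries above it each carry one (for example `# IPv6 local connections:`). These are access-control rules for pg_hba.conf, so add a comment above the key saying what the rules under it permit and under which condition they are applied, so a reader of the defaults does not have to open the template to find out.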

Syntax and content look fine. Consider changing identifier name from acls_v10 to acls_replication.

@vutny vutny Jun 17, 2018

I'm not sure that having multiple settings for ACL is really that good an idea.
I have checked PostgreSQL docs, and it seems the replication settings are supported starting at least from PG release 9.0.

So I think it would be no harm to include these ACL rules by default for any PG version.

@@ -107,6 +107,10 @@ postgresql-conf:
{%- endif %}

{%- set pg_hba_path = salt['file.join'](postgres.conf_dir, 'pg_hba.conf') %}
{%- set acls = postgres.acls %}
{%- if postgres.version|to_num >= 10 %}
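
Review bot: The condition `postgres.version|to_num >= 10` relies on a filter that is not a Jinja builtin, so the state that writes pg_hba.conf fails to render wherever that filter is missing, and a non-numeric `version` value is not handled. Suggest a builtin such as `postgres.version|float >= 10` (or `|int`), which also falls back to a default instead of raising on unparseable input.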

Please use int instead of to_num (salt v2018), or even str_to_num (salt v2017). In this case the Jinja builtin filters are more portable. Not everybody uses latest Salt versions in production.

@vutny vutny left a comment

@noelmcloughlin @myii
I have doubts about adding an additional Pillar key for the replication case. Please see my comment below.

@@ -47,6 +47,12 @@ postgres:
- ['host', 'all', 'all', '127.0.0.1/32', 'md5']
# IPv6 local connections:
- ['host', 'all', 'all', '::1/128', 'md5']
acls_v10:

@vutny vutny Jun 17, 2018

I'm not sure that having multiple settings for ACL is really that good an idea.
I have checked PostgreSQL docs, and it seems the replication settings are supported starting at least from PG release 9.0.

So I think it would be no harm to include these ACL rules by default for any PG version.

@noelmcloughlin

Good catch @vutny. The purpose of the upstream commit was to "Enable replication connections by default in pg_hba.conf" so the feature already existed. I too would prefer one [acls] block.

myii commented Jun 17, 2018 via email

@myii myii force-pushed the PR_psql10_acls branch from eb729ff to 9fdce93 Compare June 17, 2018 23:37
myii commented Jun 18, 2018

@noelmcloughlin @vutny Rebased to remove the superfluous commit. Ready for final checks.

@noelmcloughlin noelmcloughlin left a comment

Excellent work, thanks!!

@aboe76 aboe76 merged commit aa91079 into saltstack-formulas:master Jun 19, 2018
aboe76 commented Jun 19, 2018

Merged! @myii @noelmcloughlin @vutny thanks for the work

myii commented Jun 19, 2018

You're welcome.

@myii myii deleted the PR_psql10_acls branch June 19, 2018 06:54