Conversation

marceloneppel
Member

@marceloneppel marceloneppel commented Aug 17, 2022

Issue

  • Database charms should enable the human operator to rotate the password of any system user (users that are needed for the correct operation of the charm and/or the workload, like a superuser, a replication user, etc.).

Solution

  • Create an action to set system users passwords and propagate that password to all the other units.

Context

  • Users created through relations (legacy or new relations) are not covered by this mechanism. Those users will have the password rotated after a sequence of a broken relation and a new relation being established.
  • When updating a password using the set-password action, that password needs to be updated in the Patroni configuration (which also needs to be reloaded). The configuration is reloaded in the leader unit first and later on the other units (through the relation changed event; that event already handles Patroni configuration changes and its reload process). There is no downtime in that process.
  • Pebble service environment variables like PATRONI_REPLICATION_USERNAME and PATRONI_SUPERUSER_PASSWORD were moved to the configuration file to make it possible to update and reload them. Other variables should be moved there in the future.
  • The new integration test from tests/integration/test_password_rotation.py rotates the two system users' passwords and checks that they are correctly updated in all the units (which is checked after restarting Patroni; it would trigger a connection error in the Patroni process if the password is not updated).

Testing

  • Unit and integration tests were updated based on the new actions.
  • Additional unit and integration tests were added to validate the password rotation mechanism.

Release Notes

  • Add password rotation mechanism for all system users (users used by the charm/workload and that were not created through relations).
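
The rotation flow described above (leader action, peer-relation propagation, per-unit Patroni config rewrite and reload, and the "is it on every unit" check the integration test makes), as an added example written for this page. It is a stand-alone simulation, not the charm's code, and it does not import the ops framework. The system user names "operator" and "replication", the peer-data keys "<user>-password", the action parameters "username" and "password", and the unit names are assumptions. The undeclared-parameter check models what Juju itself does: a parameter that actions.yaml does not declare never reaches event.params, which is the mismatch raised in the review below.

```python
"""Simulation of a set-password action: the leader rotates a system user's
password, publishes it through the peer relation, and every unit rewrites
and reloads its Patroni configuration. Added example, not the charm's code."""
import secrets
import string
from dataclasses import dataclass, field

# Assumed names for the charm's two system users (the PR describes a
# superuser and a replication user).
SYSTEM_USERS = ("operator", "replication")

# Parameters the action would declare in actions.yaml (assumed names). Juju
# rejects undeclared parameters at `juju run`, so reading
# event.params["password"] without declaring it can never succeed.
DECLARED_PARAMS = ("username", "password")


def new_password(length: int = 24) -> str:
    """Random password from the OS CSPRNG via `secrets`, never `random`."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


@dataclass
class Unit:
    """One charm unit; patroni_config stands in for the rendered config file."""
    name: str
    is_leader: bool
    patroni_config: dict = field(default_factory=dict)
    reloads: int = 0

    def apply_peer_data(self, peer_data: dict) -> bool:
        """What the relation-changed handler does: render the Patroni config
        from peer data and reload only when something actually changed."""
        desired = {f"{u}_password": peer_data[f"{u}-password"] for u in SYSTEM_USERS}
        if desired == self.patroni_config:
            return False
        self.patroni_config = desired
        self.reloads += 1  # stands in for the Patroni configuration reload
        return True


class Cluster:
    """A leader plus followers sharing one peer-relation application databag."""

    def __init__(self, n_units: int = 3):
        self.peer_data = {f"{u}-password": new_password() for u in SYSTEM_USERS}
        self.units = [Unit(f"postgresql-k8s/{i}", is_leader=(i == 0)) for i in range(n_units)]
        for unit in self.units:
            unit.apply_peer_data(self.peer_data)

    def set_password(self, params: dict, run_on: str = "postgresql-k8s/0") -> dict:
        """The action handler plus the propagation it triggers."""
        unit = next(u for u in self.units if u.name == run_on)
        if not unit.is_leader:
            # Only the leader can write the application databag.
            return {"status": "failed", "message": "run this action on the leader unit"}
        undeclared = sorted(set(params) - set(DECLARED_PARAMS))
        if undeclared:
            return {"status": "failed", "message": f"undeclared parameters: {undeclared}"}
        username = params.get("username", "operator")
        if username not in SYSTEM_USERS:
            # Relation-created users are rotated by re-relating, not here.
            return {"status": "failed", "message": f"{username!r} is not a system user"}
        password = params.get("password") or new_password()
        self.peer_data[f"{username}-password"] = password
        unit.apply_peer_data(self.peer_data)  # leader reloads first
        for follower in self.units:
            if not follower.is_leader:
                follower.apply_peer_data(self.peer_data)  # relation-changed on each follower
        return {"status": "completed", "username": username, "password": password}

    def password_in_all_units(self, username: str, password: str) -> bool:
        """The check the integration test makes: every unit's rendered
        configuration carries the new password."""
        return all(u.patroni_config.get(f"{username}_password") == password for u in self.units)


if __name__ == "__main__":
    cluster = Cluster(3)
    result = cluster.set_password({"username": "replication"})
    print(result["status"], cluster.password_in_all_units("replication", result["password"]))
```

The reload counter is the point to watch in a real charm: a follower that rewrites the configuration unconditionally on every relation-changed event would reload Patroni on events unrelated to the password, so the handler only reloads when the rendered content differs from what is already on disk.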

@marceloneppel marceloneppel marked this pull request as ready for review August 25, 2022 18:45
WRFitch
WRFitch previously approved these changes Aug 30, 2022
paulomach
paulomach previously approved these changes Aug 31, 2022
Contributor

@paulomach paulomach left a comment

lgtm

WRFitch
WRFitch previously approved these changes Sep 1, 2022
paulomach
paulomach previously approved these changes Sep 1, 2022
Contributor

@paulomach paulomach left a comment

lgtm


```python
password = new_password()
if "password" in event.params:
    password = event.params["password"]
```
Contributor

the set_password action has no password params defined

Member Author

Good catch! Fixed on 4be4ed0.

@marceloneppel marceloneppel dismissed stale reviews from paulomach and WRFitch via 4be4ed0 September 1, 2022 18:03
Contributor

@paulomach paulomach left a comment

lgtm

@marceloneppel marceloneppel merged commit 5a4aa0f into main Sep 2, 2022
@marceloneppel marceloneppel deleted the password-rotation branch September 2, 2022 10:23
github-actions bot added a commit to canonical/test-runners-2-github-x64-postgresql-k8s-operator that referenced this pull request May 18, 2024
github-actions bot added a commit to canonical/test-runners-2-is-x64-postgresql-k8s-operator that referenced this pull request May 18, 2024
BON4 pushed a commit to BON4/postgresql-k8s-operator that referenced this pull request May 20, 2024