Supply password via callback (to support AWS IAM Authentication) #2500
Comments
Yep, I think it would be the right way to move forward.
Cool. I'll make a PR for further discussion.
Makes sense to me too - as you wrote, it's similar to the delegates we already have to support certificate-based authentication. I'd go with the second overload (which accepts NpgsqlConnectionStringBuilder). One complication is that the username isn't always simply specified inside the builder (see
If the username is non-trivial then maybe having explicit params is better: `delegate string GetPassword(string host, string port, string database, string username);`. This is essentially replicating the password file format (npgsql/src/Npgsql/PgPassFile.cs, lines 60 to 61 in 191643e).
In theory someone may want to take into account other connection parameters beyond host/port/database/username. But I agree this is quite far-fetched, we can go with the broken-down version.
Also passing
This is in theory true, although the user who passed us the connection string in the first place is the same one who wired the callback - so I don't see too much reason to worry about this. But regardless, it seems fine to go ahead with the method accepting the different values instead.
Just checking if you saw the PR I added here: #2502
I saw it but haven't reviewed it yet.
New connections will execute the delegate to obtain a password. This allows the use of dynamic passwords or tokens such as those used by Amazon RDS IAM Authentication. Fixes #2500
@roji Can you please double-check this PR to the AWS docs for accuracy? awsdocs/amazon-rds-user-guide#149
Done, thanks @bgrainger!
Background
When using Postgres in AWS there is an option to authenticate using IAM. This generates a time-limited password based off the assumed role/access key your service is using. This means that when using AWS Postgres (RDS) you don't need to have static passwords. Generated passwords are good for authentication for 15 minutes; once a connection is open it doesn't matter if the password has expired.
Using this presents some problems in Npgsql.
npgsql/src/Npgsql/PoolManager.cs, line 26 in 191643e
So ideally we need to have access to a "fresh" password whenever opening a connection, while keeping the same connection pool.
Workaround
Using `Passfile` on the connection string and keeping a file up-to-date on the filesystem with a currently valid password might work. This isn't ideal as you have to write the password to disk so npgsql can read it back in. You could have a different process writing the file, but most likely it would be the app itself managing this file. It's a little bit Rube Goldberg.
Proposal
Add the option of a delegate to `NpgsqlConnection` to generate a password on demand. This delegate would be used in the `NpgsqlConnector` when opening a connection, the same way as the current logic works for plaintext authentication in the `GetPassword()` on line 56 below. We can then leave the password out of the connection string, allowing pooling to continue working how it currently does.
npgsql/src/Npgsql/NpgsqlConnector.Auth.cs, lines 54 to 66 in 191643e
An additional step in this `GetPassword()` function to use the delegate in this method would be fairly non-invasive.
npgsql/src/Npgsql/NpgsqlConnector.Auth.cs, lines 369 to 384 in 191643e
The delegate could be either of these
Prior Art for this approach
Npgsql already exposes some delegates on the `NpgsqlConnection` that are passed down to the connector, so there is prior art for this kind of behaviour.
npgsql/src/Npgsql/NpgsqlConnection.cs, lines 717 to 723 in 7b8e117
npgsql/src/Npgsql/NpgsqlConnector.cs, lines 245 to 252 in 191643e
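As an added illustration, not code from this issue or from Npgsql itself, assuming the `GetPassword(host, port, database, username)` delegate shape proposed above: a provider that caches one IAM token per target and regenerates it well inside the 15-minute validity window, so every new pooled connection opens with a live token while the connection string carries no password. The token generator and clock are injected (placeholders here) so the sample runs offline; a real deployment would plug in the AWS SDK's RDS auth token generator.

```csharp
using System;
using System.Collections.Concurrent;

// Delegate shape proposed in the issue (hypothetical; not Npgsql's final API).
public delegate string GetPassword(string host, string port, string database, string username);

// Caches one IAM token per target and refreshes it before the 15-minute lifetime ends.
public sealed class IamPasswordProvider
{
    // Hypothetical token source; a real deployment would wrap the AWS SDK call
    // Amazon.RDS.Util.RDSAuthTokenGenerator.GenerateAuthToken(region, host, port, username).
    private readonly Func<string, int, string, string> _generateToken;
    private readonly Func<DateTime> _utcNow;   // injectable clock, so refresh can be exercised offline
    private readonly TimeSpan _refreshAfter;   // keep well below the 15-minute token lifetime
    private readonly ConcurrentDictionary<string, Tuple<string, DateTime>> _cache =
        new ConcurrentDictionary<string, Tuple<string, DateTime>>();

    public IamPasswordProvider(Func<string, int, string, string> generateToken,
                               Func<DateTime> utcNow, TimeSpan refreshAfter)
    {
        _generateToken = generateToken; _utcNow = utcNow; _refreshAfter = refreshAfter;
    }

    // Matches the GetPassword delegate above; called by the connector on every new connection.
    public string GetPassword(string host, string port, string database, string username)
    {
        string key = host + ":" + port + "/" + database + "@" + username;
        DateTime now = _utcNow();
        Tuple<string, DateTime> entry;
        if (_cache.TryGetValue(key, out entry) && now - entry.Item2 < _refreshAfter)
            return entry.Item1;   // cached token is still comfortably inside its validity window
        string token = _generateToken(host, int.Parse(port), username);
        _cache[key] = Tuple.Create(token, now);
        return token;
    }
}

public static class Demo
{
    public static void Main()
    {
        int calls = 0;
        DateTime clock = new DateTime(2019, 6, 1, 12, 0, 0, DateTimeKind.Utc);
        var provider = new IamPasswordProvider(
            (host, port, user) => "placeholder-token-" + user + "-" + (++calls),  // constructed stand-in
            () => clock, TimeSpan.FromMinutes(10));
        GetPassword callback = provider.GetPassword;
        string first = callback("db.example.internal", "5432", "app", "iam_user");
        clock = clock.AddMinutes(11);   // past the refresh threshold: a new token must be generated
        string second = callback("db.example.internal", "5432", "app", "iam_user");
        Console.WriteLine(first != second ? "token refreshed" : "unexpected reuse");
    }
}
```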