Juju Charms Collection
postgresql package

Merge lp:~stub/charms/precise/postgresql/docs into lp:charms/postgresql

  1. Precise Pangolin (12.04)
  2. docs
  3. Merge into trunk
Proposed by Stuart Bishop
Status: Merged
Merge reported by: Tim Van Steenburgh
Merged at revision: not available
Proposed branch: lp:~stub/charms/precise/postgresql/docs
Merge into: lp:charms/postgresql
Diff against target: 70 lines (+56/-0)
1 file modified
README.md (+56/-0)
To merge this branch: bzr merge lp:~stub/charms/precise/postgresql/docs
Reviewer Review Type Date Requested Status
Tim Van Steenburgh (community) Approve
Cory Johns (community) Approve
Review via email: mp+239541@code.launchpad.net

Description of the change

After migrating some systems between OpenStack clouds, it became apparent
that database permissions need to be documented.

Document this. I'd like to provide a mechanism for the PostgreSQL
charm to automatically manage database permissions, which will be
suitable for most setups, but until this science fiction becomes fact
this documentation will have to do.

To post a comment you must log in.
Revision history for this message
Cory Johns (johnsca) wrote :

Stuart,

Thanks for adding this documentation. It looks great.

You might want to check out the solution Matty came up with in [1] for keeping the passwords stable on relation changes without storing the actual password.

[1]: https://code.launchpad.net/~mattyw/charms/precise/mongodb/auth_experiment/+merge/162887

review: Approve
Revision history for this message
Stuart Bishop (stub) wrote :

Ta.

The fundamental problem remains the same no matter how we store passwords or keep them stable unfortunately. If we bring up a new service from backup, we need to publish passwords to client units. Thus the backup needs to include the passwords in plaintext, or we need to regenerate the passwords.

We might be able to get stable usernames though, which is the biggest problem, if we stop using the relationship id when generating them and instead use the database service name and client service name. Then, if we bring up a system using the same service names related in the same ways, then the usernames would be identical to the old system and match what is stored in the recovered database.

Revision history for this message
Cory Johns (johnsca) wrote :

Ah, you're right that the mongodb charm isn't dealing with a backup / restore scenario, so the particular trick isn't sufficient in this case. Not changing the password on every relation-change event still seems like it could be less confusing for the admin, though it might also encourage too much reliance on the password being stable and cause the problems you mentioned in the docs during a restore.

The mongodb charm also uses the unit number as part of the stable username, which would change during a restore operation. I assume that if a given service has multiple units for scaling, they would want to share the same database credentials, allowing your idea for stable usernames to work?

Revision history for this message
Tim Van Steenburgh (tvansteenburgh) wrote :

+1 LGTM, thanks stub.

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'README.md'
2--- README.md 2014-08-21 12:53:31 +0000
3+++ README.md 2014-10-24 10:45:44 +0000
4@@ -100,6 +100,61 @@
5 automatically generated user for `db-admin` relations is a PostgreSQL
6 superuser.
7
8+## Database Permissions and Disaster Recovery
9+
10+⚠ These two topics are entwined, because failing to follow best
11+ practice with your database permissions will make your life difficult
12+ when you need to recover after failure.
13+
14+_Always_ set the 'roles' relationship setting when joining a
15+relationship. _Always_ grant permissions to database roles for _all_
16+database objects your charm creates. _Never_ rely on access permissions
17+given directly to a user, either explicitly or implicitly (such as being
18+the user who created a table). Consider the users you are provided by
19+the PostgreSQL charm as ephemeral. Any rights granted directly to them
20+will be lost if relations are recreated, as the generated usernames will
21+be different. _If you don't follow this advice, you will need to
22+manually repair permissions on all your database objects after any of
23+the available recovery mechanisms._
24+
25+Learn about the SQL `GRANT` statement in the excellect [PostgreSQL
26+reference guide][3].
27+
28+### block-storage-broker
29+
30+If you are using external storage provided by the block storage broker,
31+recovery or a failed unit is simply a matter of ensuring the old unit
32+is fully shut down, and then bringing up a fresh unit with the old
33+external storage mounted. The charm will see the old database there
34+and use it.
35+
36+If you are unable or do not wish to to simply remount the same
37+filesystem, you can of course copy all the data from the old filesystem
38+to the new one before bringing up the new unit.
39+
40+### dump/restore
41+
42+PostgreSQL dumps, such as those that can be scheduled in the charm, can
43+be recovered on a new unit by using 'juju ssh' to connect to the new unit
44+and using the standard PostgreSQL `pg_restore(1)` tool. This new unit must
45+be standalone, or the master unit. Any hot standbys will replicate the
46+recovered data from the master.
47+
48+You will need to use `pg_restore(1)` with the `--no-owner` option, as
49+users that existed in the old service will not exist in the new
50+service.
51+
52+### PITR
53+
54+If you had configured WAL-E, you can recover a WAL-E backup and replay
55+to a point in time of your choosing using the `wal-e` tool. This
56+will recover the whole database cluster, so all databases will be
57+replaced.
58+
59+If there are any hot standby units, they will need to be destroyed
60+and recreated after the PITR recovery.
61+
62+
63 ## During db-relation-joined
64
65 ### the client service provides:
66@@ -304,3 +359,4 @@
67
68 [1]: https://bugs.launchpad.net/charms/+source/postgresql/+bug/1258485
69 [2]: https://github.com/wal-e/wal-e
70+ [3]: http://www.postgresql.org/docs/9.3/static/sql-grant.html

Subscribers

People subscribed via source and target branches