Juju Charms Collection
postgresql package

Merge lp:~stub/charms/precise/postgresql/docs into lp:charms/postgresql

  1. Precise Pangolin (12.04)
  2. docs
  3. Merge into trunk
Proposed by Stuart Bishop
Status: Merged
Merge reported by: Tim Van Steenburgh
Merged at revision: not available
Proposed branch: lp:~stub/charms/precise/postgresql/docs
Merge into: lp:charms/postgresql
Diff against target: 70 lines (+56/-0)
1 file modified
README.md (+56/-0)
To merge this branch: bzr merge lp:~stub/charms/precise/postgresql/docs
Reviewer Review Type Date Requested Status
Tim Van Steenburgh (community) Approve
Cory Johns (community) Approve
Review via email: mp+239541@code.launchpad.net

Description of the change

After migrating some systems between OpenStack clouds, it became apparent
that database permissions need to be documented.

Document this. I'd like to provide a mechanism for the PostgreSQL
charm to automatically manage database permissions, which will be
suitable for most setups, but until this science fiction becomes fact
this documentation will have to do.

To post a comment you must log in.
Revision history for this message
Cory Johns (johnsca) wrote :

Stuart,

Thanks for adding this documentation. It looks great.

You might want to check out the solution Matty came up with in [1] for keeping the passwords stable on relation changes without storing the actual password.

[1]: https://code.launchpad.net/~mattyw/charms/precise/mongodb/auth_experiment/+merge/162887

review: Approve
Revision history for this message
Stuart Bishop (stub) wrote :

Ta.

The fundamental problem remains the same no matter how we store passwords or keep them stable unfortunately. If we bring up a new service from backup, we need to publish passwords to client units. Thus the backup needs to include the passwords in plaintext, or we need to regenerate the passwords.

We might be able to get stable usernames though, which is the biggest problem, if we stop using the relationship id when generating them and instead use the database service name and client service name. Then, if we bring up a system using the same service names related in the same ways, then the usernames would be identical to the old system and match what is stored in the recovered database.

Revision history for this message
Cory Johns (johnsca) wrote :

Ah, you're right that the mongodb charm isn't dealing with a backup / restore scenario, so the particular trick isn't sufficient in this case. Not changing the password on every relation-change event still seems like it could be less confusing for the admin, though it might also encourage too much reliance on the password being stable and cause the problems you mentioned in the docs during a restore.

The mongodb charm also uses the unit number as part of the stable username, which would change during a restore operation. I assume that if a given service has multiple units for scaling, they would want to share the same database credentials, allowing your idea for stable usernames to work?

Revision history for this message
Tim Van Steenburgh (tvansteenburgh) wrote :

+1 LGTM, thanks stub.

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
=== modified file 'README.md'
--- README.md 2014-08-21 12:53:31 +0000
+++ README.md 2014-10-24 10:45:44 +0000
@@ -100,6 +100,61 @@
100automatically generated user for `db-admin` relations is a PostgreSQL100automatically generated user for `db-admin` relations is a PostgreSQL
101superuser.101superuser.
102102
103## Database Permissions and Disaster Recovery
104
105⚠ These two topics are entwined, because failing to follow best
106 practice with your database permissions will make your life difficult
107 when you need to recover after failure.
108
109_Always_ set the 'roles' relationship setting when joining a
110relationship. _Always_ grant permissions to database roles for _all_
111database objects your charm creates. _Never_ rely on access permissions
112given directly to a user, either explicitly or implicitly (such as being
113the user who created a table). Consider the users you are provided by
114the PostgreSQL charm as ephemeral. Any rights granted directly to them
115will be lost if relations are recreated, as the generated usernames will
116be different. _If you don't follow this advice, you will need to
117manually repair permissions on all your database objects after any of
118the available recovery mechanisms._
119
120Learn about the SQL `GRANT` statement in the excellect [PostgreSQL
121reference guide][3].
122
123### block-storage-broker
124
125If you are using external storage provided by the block storage broker,
126recovery or a failed unit is simply a matter of ensuring the old unit
127is fully shut down, and then bringing up a fresh unit with the old
128external storage mounted. The charm will see the old database there
129and use it.
130
131If you are unable or do not wish to to simply remount the same
132filesystem, you can of course copy all the data from the old filesystem
133to the new one before bringing up the new unit.
134
135### dump/restore
136
137PostgreSQL dumps, such as those that can be scheduled in the charm, can
138be recovered on a new unit by using 'juju ssh' to connect to the new unit
139and using the standard PostgreSQL `pg_restore(1)` tool. This new unit must
140be standalone, or the master unit. Any hot standbys will replicate the
141recovered data from the master.
142
143You will need to use `pg_restore(1)` with the `--no-owner` option, as
144users that existed in the old service will not exist in the new
145service.
146
147### PITR
148
149If you had configured WAL-E, you can recover a WAL-E backup and replay
150to a point in time of your choosing using the `wal-e` tool. This
151will recover the whole database cluster, so all databases will be
152replaced.
153
154If there are any hot standby units, they will need to be destroyed
155and recreated after the PITR recovery.
156
157
103## During db-relation-joined158## During db-relation-joined
104159
105### the client service provides:160### the client service provides:
@@ -304,3 +359,4 @@
304359
305 [1]: https://bugs.launchpad.net/charms/+source/postgresql/+bug/1258485360 [1]: https://bugs.launchpad.net/charms/+source/postgresql/+bug/1258485
306 [2]: https://github.com/wal-e/wal-e361 [2]: https://github.com/wal-e/wal-e
362 [3]: http://www.postgresql.org/docs/9.3/static/sql-grant.html

Subscribers

People subscribed via source and target branches