Sharing a DB user password among units of the app
Andreas Hasenack
andreas at canonical.com
Wed Mar 26 20:49:24 UTC 2014
On Tue, Mar 25, 2014 at 12:07 PM, Stuart Bishop
<stuart.bishop at canonical.com> wrote:
>> The patch would be like: "GRANT DELETE ON TABLE person TO landscape".
>> That "landscape" is hardcoded, so that user has to exist and be the
>> user the services use. So your first paragraph above solves this
>> already, right? We give a list of users to postgresql via the
>> relation, and "landscape" is in that list.
>
> I see. If this is the issue, then the 'roles' feature already does
> what you need: 'relation-set roles=landscape' in your
> db-relation-joined hook, and the generated user will be granted the
> landscape role and inherit all its permissions (users and groups are

Interesting. So I tried with a dummy charm that joins the postgresql
db relation. I deployed it as pgsql-test and pgsql-test-second, so,
two services.

It sets database=landscape-test-main and roles=landscape,landscape_maintenance

These are the roles after both services have joined:
postgres=# \du
                                       List of roles
           Role name            |                   Attributes                   |             Member of
--------------------------------+------------------------------------------------+-----------------------------------
 db_27_pgsql_test               |                                                | {landscape,landscape_maintenance}
 db_27_pgsql_test_schema        |                                                | {}
 db_28_pgsql_test_second        |                                                | {landscape,landscape_maintenance}
 db_28_pgsql_test_second_schema |                                                | {}
 landscape                      | Cannot login                                   | {}
 landscape_maintenance          | Cannot login                                   | {}
 postgres                       | Superuser, Create role, Create DB, Replication | {}

I have two users that can log in, one per service: db_27_pgsql_test and
db_28_pgsql_test_second. These are different users, with different
credentials. Yet, once they log in, they both have the same roles:
landscape and landscape_maintenance, correct? So whatever the
landscape role has in terms of permissions, db_27_pgsql_test will have
too.

In effect it looks like I don't need to share the credentials among
the services?
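
The role layout from the \du listing above, rebuilt by hand as an added example that is not part of the original post or of the postgresql charm. It assumes a scratch PostgreSQL instance and a superuser session; the person table definition and the passwords are constructed placeholders.

```sql
-- Added example: role names mirror the \du listing in the message;
-- table columns and passwords are constructed placeholders.
BEGIN;

-- Group roles: cannot log in, exist only to carry privileges.
CREATE ROLE landscape NOLOGIN;
CREATE ROLE landscape_maintenance NOLOGIN;

-- One login role per service, each with its own credential.
CREATE ROLE db_27_pgsql_test LOGIN INHERIT PASSWORD 'placeholder-secret-one';
CREATE ROLE db_28_pgsql_test_second LOGIN INHERIT PASSWORD 'placeholder-secret-two';

-- Membership is what 'roles=landscape,landscape_maintenance' asks for.
GRANT landscape, landscape_maintenance TO db_27_pgsql_test;
GRANT landscape, landscape_maintenance TO db_28_pgsql_test_second;

-- Constructed stand-in for the application table named in the patch.
CREATE TABLE person (id integer PRIMARY KEY, name text);

-- The hardcoded grant from the quoted patch names only the group role.
GRANT DELETE ON TABLE person TO landscape;

-- Effective privileges per role: membership, inheritance flag, and
-- whether DELETE (granted) and SELECT (never granted) are available.
SELECT r.rolname,
       r.rolcanlogin,
       r.rolinherit,
       pg_has_role(r.rolname, 'landscape', 'USAGE')       AS uses_landscape,
       has_table_privilege(r.rolname, 'person', 'DELETE') AS can_delete,
       has_table_privilege(r.rolname, 'person', 'SELECT') AS can_select
FROM pg_roles r
WHERE r.rolname IN ('db_27_pgsql_test', 'db_28_pgsql_test_second',
                    'landscape', 'landscape_maintenance')
ORDER BY r.rolname;

-- Cutting off one service is a membership change on its own login role;
-- the other service's credential and privileges are untouched.
REVOKE landscape FROM db_28_pgsql_test_second;
SELECT rolname, has_table_privilege(rolname, 'person', 'DELETE') AS can_delete
FROM pg_roles
WHERE rolname IN ('db_27_pgsql_test', 'db_28_pgsql_test_second')
ORDER BY rolname;

-- Leave the scratch instance as it was found.
ROLLBACK;
```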