New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Create user in envtool
for PostgreSQL
#4133
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #4133 +/- ##
==========================================
- Coverage 74.31% 73.80% -0.51%
==========================================
Files 353 353
Lines 22738 22739 +1
==========================================
- Hits 16897 16783 -114
- Misses 4552 4686 +134
+ Partials 1289 1270 -19
... and 12 files with indirect coverage changes
Flags with carried forward coverage won't be shown. Click here to find out more. |
cmd/envtool/envtool.go
Outdated
// | ||
// Without this, once the first user is created, the authentication fails | ||
// as username/password does not exist in admin.system.users collection. | ||
func setupUser(ctx context.Context, logger *zap.SugaredLogger, postgreSQLPort uint16) error { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This does not replace setupUser() in integration test.
Because this function creates user in ferretdb database which postgreSQL schema, postgres://username@127.0.0.1:5432/ferretdb?pool_max_conns=50
.
Each integration test create its own schema like so, postgres://username@127.0.0.1:5432/testauthentication?pool_max_conns=50
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the clarification! I was worried this could jeopardize running tests directly with go test
for a moment 😄
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's still there for SQLite. It only has handler level authentication, and once the first user is created without this code, auth would fail.
It will be handled in a separate PR.
@@ -419,7 +419,7 @@ tasks: | |||
--proxy-addr=127.0.0.1:47017 | |||
--mode=diff-normal | |||
--handler=pg | |||
--postgresql-url='postgres://127.0.0.1:5433/ferretdb?search_path=' | |||
--postgresql-url='postgres://username:password@127.0.0.1:5433/ferretdb?search_path=' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For run-secured to work, what other better thing can I do?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That target was supposed to be for the "old" authentication that does not need credentials in the PostgreSQL URI. Why are they needed?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's because postgres started on port 5433 is created from postgres_secured
docker https://github.com/FerretDB/FerretDB/blob/main/docker-compose.yml#L28.
Unlike postgres
docker which has POSTGRES_HOST_AUTH_METHOD=trust
, postgres_secured
doesn't have trust
so username/password is required to connect to it.
@@ -27,12 +33,55 @@ import ( | |||
func TestCommandsAuthenticationLogout(t *testing.T) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Logout does not fail on authentication check, if user is not authenticated, it just returns success.
This test was updated to use newly created user, because if it uses default username
/password
user and logs out in this test, t.Cleanup to drop collection fails due to not authenticate.
@@ -334,7 +334,8 @@ func insertBenchmarkProvider(tb testtb.TB, ctx context.Context, collection *mong | |||
func setupUser(tb testtb.TB, ctx context.Context, client *mongo.Client) { | |||
tb.Helper() | |||
|
|||
if IsMongoDB(tb) { | |||
if IsPostgreSQL(tb) || IsMongoDB(tb) { | |||
// the user is created in env tool for PostgreSQL |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For SQLite we need something similar to have a database with default user. Will be handle in a separate PR.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
And also for MySQL.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes that's true. MySQL hasn't been handled. let me see the status of MySQL backend
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
MySQL and HANA backends are not yet supported, no need to do anything for them
envtool
for PostgreSQL
Pull request was converted to draft
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
@@ -419,7 +419,7 @@ tasks: | |||
--proxy-addr=127.0.0.1:47017 | |||
--mode=diff-normal | |||
--handler=pg | |||
--postgresql-url='postgres://127.0.0.1:5433/ferretdb?search_path=' | |||
--postgresql-url='postgres://username:password@127.0.0.1:5433/ferretdb?search_path=' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That target was supposed to be for the "old" authentication that does not need credentials in the PostgreSQL URI. Why are they needed?
err = setupUserInPostgres(ctx, logger, "postgres://username:password@127.0.0.1:5433/ferretdb") | ||
if err != nil { | ||
return err | ||
} | ||
|
||
return setupUserInPostgres(ctx, logger, "postgres://username:password@127.0.0.1:5433/template1") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't understand why those calls are not inside setupAnyPostgres
and what we are doing with credentials there
if _, err = dbPool.Exec(ctx, q); err != nil && (!errors.As(err, &pgErr) || pgErr.Code != pgerrcode.DuplicateSchema) { | ||
return err | ||
} | ||
|
||
if err == nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we could simply that by:
if errors.As(err, &pgErr) && pgErr.Code == pgerrcode.DuplicateSchema {
err = nil
}
if err != nil {
return err
}
} | ||
|
||
if err == nil { | ||
q = `CREATE UNIQUE INDEX "system_users_aff2f7ce__id__67399184_idx" ON admin.system_users_aff2f7ce (((_jsonb->'_id')))` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yikes!..
I wonder if we should step away from that and just implement the localhost exception that we are already working on.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes unfortunately this is something needed to be exposed.
It was copy and paste from log output, logic is too difficult to copy accurately 🙈
You know what, let me leave this PR for now and progress with local host exception.
@@ -334,7 +334,8 @@ func insertBenchmarkProvider(tb testtb.TB, ctx context.Context, collection *mong | |||
func setupUser(tb testtb.TB, ctx context.Context, client *mongo.Client) { | |||
tb.Helper() | |||
|
|||
if IsMongoDB(tb) { | |||
if IsPostgreSQL(tb) || IsMongoDB(tb) { | |||
// the user is created in env tool for PostgreSQL |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
MySQL and HANA backends are not yet supported, no need to do anything for them
Handler: h.MsgLogout, | ||
Help: "Logs out from the current session.", | ||
Handler: h.MsgLogout, | ||
anonymous: true, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's not forget to port fixes from that PR
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks yep that has been included in #4156
Description
To test it, I added
--test-enable-new-auth
flag in task filerun:
andrun-secured:
.It does not create user for SQLite, that will be handled in a separate PR.
Closes #1877.
Readiness checklist
task all
, and it passed.@FerretDB/core
), Milestone (Next
), Labels, Project and project's Sprint fields.