-
-
Notifications
You must be signed in to change notification settings - Fork 147
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add way to change the credentials of a connection pool without recreating the whole pool object (secret rotation) #743
Comments
Hello @jankatins the use case is not covered, but I can see its usefulness, thank you for detailing it. I assume we can add a method like
I'm not convinced to make the pool active with a callback to poll for infrastructure change. I think it's the program's responsibility to push for changes, furthermore providing and documenting a method to call is much easier than accepting a callback (libraries are easier than frameworks). The work above is relatively simple... except closing the connections currently served when they are returned. It might require more changes than the rest, because at the moment the pool doesn't have a link to the connections that were given away and that therefore must be invalidated. We should either keep a map of them or annotate them in a way that will mark the need to close them on putconn. All in all I am ok with introducing these changes but I'm not sure about the bandwidth I have, for other works I am doing at the moment and because soonish I would like to wrap up with psycopg 3.2. Are you able to provide a MR? Alternatively can your company fund this work? |
Ok, most of this looks straight forward. For the "expiring" of old connections: I see that each connection is "marked" with the pool. One idea would be add a "version" in the pool which would simply increase in case the conninfo is updated. In a new Another idea would be simply not do anything: given that the default expiry of connections is about one hour, I would assume that old credentials are valid that long. Re "callback to poll for changes": one nice thing is that the Would any of these ideas be acceptable? If so I would create a MR for this. |
Yes, that's an option but, as we are refactoring this code, I'm considering whether adding a dictionary with the "given" connections (mapping Maintaining this mapping would be done in the same critical sections where
I don't know about that, for instance if someone uses this feature because they want to rotate credentials immediately to switch to a different server. |
Sounds good, let me try to build a PR for this. (might take a week longer or so: I'm currently moving flats) |
We have the requirement to rotate the PG credentials every x days. Currently this means that we have to restart the service or at least replace the connection pool everywhere.
It would be nice if one could add a small helper thread which would look if the mounted credential have been changed and if so, would update the conninfo in the central connection pool and the pool would then drain the connection and replace them with new ones.
It would be even nicer, if one could give the pool a way to query for the conninfo and the pool would do that from time to time.
If there are already recommended ways: it would be nice to give some recipe in the docs, at least my google skills didn't let anything show up :-(
The text was updated successfully, but these errors were encountered: