Closed lsowen closed 3 years ago
This allows the use of pgbedrock
in evironments where the "superuser" account is more limited than would typically be expected (eg AWS RDS, Google Cloud SQL).
Partially addresses #12.
Hey @lsowen, is there anything in version()
or elsewhere in Postgres that would indicate you're on RDS? Rather than adding a new keyword and lots of changes, I'd love to simply modify this line once PR #40 is merged.
@zcmarine at least version()
doesn't return anything unique: PostgreSQL 10.3 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 4.8.2 20140120 (Red Hat 4.8.2-16), 64-bit
There is a rds_superuser
that is likely fairly unique to RDS instances (similar to https://github.com/Squarespace/pgbedrock/pull/40/files#diff-4b27be23591885e3c2ee92ac1d152e3bR212 in #40)
One downside of the "automatic" handling of #40 is that it will (possibly unexpectedly) operate differently in different environments (eg one way in a local dev database with full privileges and a different way in prod on RDS/Google Cloud SQL).
Hey guys; any chance of this one coming back to life? I thought I had solved my pg role woes when I found this tonight only to smack straight into this issue.
^^ was wondering the same as @tkh I'm using AWS RDS. this tool looks perfect but needs this PR to be merged
Any chance of bringing this back from the dead? Could really use this!
@jfhbrook any chance of this happening? A lot of RDS folks (including me!) looking to use pgbedrock
RDS does have the rdsadmin
user. @zcmarine @zmarine We could do a query like:
SELECT count(*) > 0 AS in_rds FROM pg_catalog.pg_user WHERE usename = 'rdsadmin';
to determine if we're in RDS.
I'll look at the way that #40 works and see if I can apply something similar here.
Ah, checking it looks like #40 was never merged. So how do you want to approach this at this point? Getting RDS support would be a huge win for the company I'm at. It sounds like Google Cloud users would benefit as well.
What can I do to make this happen?
I like the spirit of this PR, it allows one to generate
a spec on an RDS but it doesn't seem to work with configure
, which complains about pg_authid even with --alternate-attributes-table
specified. That said, I would love to see this (and a Redshift solution) developed further.
What exactly are the issues other than password setting? I'd be happy to grab this and make alterations to get it merged. So far I've gathered: password reset doesn't work (this could be a known caveat since many like myself use a different tool for managing users) configure doesn't work (probably just need to add the changes that the original author added to that section) it requires a flag for the functionality which shouldn't be a blocker
Please indicate what else needs to be done to get this in a mergeable state and I will pick this up.
Context: Managing grants in postgres stinks and there is no better tool than this as far as I can tell
pg_roles is a "public" version of pg_authid, which allows use in more restricted environments (such as RDS). The downside is that password comparison doesn't work, as pg_roles only returns a dummy
********
password, so passwords update logic will be fired for each account on every run.Added
--alternate-attributes-table
to activate the use ofpg_role
, though the default is--no-alternate-attributes-table
so that the existing behavior of usingpg_authid
is preserved