
nixos/postgresql: improve local peer authentication with default map (#404315)

authored by

Wolfgang Walther and committed by
GitHub
797c149b 4d7ffdf2

+63 -8
+6
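--- a/nixos/doc/manual/redirects.json
+++ b/nixos/doc/manual/redirects.json
@@ -1286,6 +1286,12 @@
   "module-services-postgres-initializing-extra-permissions-service-user-oneshot": [
     "index.html#module-services-postgres-initializing-extra-permissions-service-user-oneshot"
   ],
+  "module-services-postgres-authentication": [
+    "index.html#module-services-postgres-authentication"
+  ],
+  "module-services-postgres-authentication-user-mapping": [
+    "index.html#module-services-postgres-authentication-user-mapping"
+  ],
   "module-services-postgres-upgrading": [
     "index.html#module-services-postgres-upgrading"
   ],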
+5 -7
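--- a/nixos/modules/services/continuous-integration/hydra/default.nix
+++ b/nixos/modules/services/continuous-integration/hydra/default.nix
@@ -564,16 +564,14 @@
     services.postgresql.enable = lib.mkIf haveLocalDB true;
 
     services.postgresql.identMap = lib.optionalString haveLocalDB ''
-      hydra-users hydra hydra
-      hydra-users hydra-queue-runner hydra
-      hydra-users hydra-www hydra
-      hydra-users root hydra
-      # The postgres user is used to create the pg_trgm extension for the hydra database
-      hydra-users postgres postgres
+      hydra hydra hydra
+      hydra hydra-queue-runner hydra
+      hydra hydra-www hydra
+      hydra root hydra
     '';
 
     services.postgresql.authentication = lib.optionalString haveLocalDB ''
-      local hydra all ident map=hydra-users
+      local all hydra peer map=hydra
     '';
 
   };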
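Review bot: The new pg_hba line `local all hydra peer map=hydra` matches on the `hydra` role across all databases, whereas the removed `local hydra all ident map=hydra-users` matched on the `hydra` database for every role; since pg_hba.conf stops at the first matching line, the mapped system users (root, hydra-www, hydra-queue-runner) can now peer-authenticate as `hydra` against any database, and other roles connecting to the `hydra` database fall through to the postgresql module's `local all all peer` default. If that is the intended scoping, a comment above the `authentication` assignment should say so, e.g. `# Match on the hydra role, not the hydra database, so this map cannot shadow other roles; see the "Authentication" section of the postgresql module docs.` Dropping `hydra-users postgres postgres` appears safe only because the postgresql module now ships a default `postgres` map containing that entry, so the module silently depends on that default staying in place. The enclosing `config` attribute set starts before the hunk.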
+32
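--- a/nixos/modules/services/databases/postgresql.md
+++ b/nixos/modules/services/databases/postgresql.md
@@ -170,6 +170,38 @@
 }
 ```
 
+## Authentication {#module-services-postgres-authentication}
+
+Local connections are made through unix sockets by default and support [peer authentication](https://www.postgresql.org/docs/current/auth-peer.html).
+This allows system users to login with database roles of the same name.
+For example, the `postgres` system user is allowed to login with the database role `postgres`.
+
+System users and database roles might not always match.
+In this case, to allow access for a service, you can create a [user name map](https://www.postgresql.org/docs/current/auth-username-maps.html) between system roles and an existing database role.
+
+### User Mapping {#module-services-postgres-authentication-user-mapping}
+
+Assume that your app creates a role `admin` and you want the `root` user to be able to login with it.
+You can then use [](#opt-services.postgresql.identMap) to define the map and [](#opt-services.postgresql.authentication) to enable it:
+
+```nix
+services.postgresql = {
+  identMap = ''
+    admin root admin
+  '';
+  authentication = ''
+    local all admin peer map=admin
+  '';
+}
+```
+
+::: {.warning}
+To avoid conflicts with other modules, you should never apply a map to `all` roles.
+Because PostgreSQL will stop on the first matching line in `pg_hba.conf`, a line matching all roles would lock out other services.
+Each module should only manage user maps for the database roles that belong to this module.
+Best practice is to name the map after the database role it manages to avoid name conflicts.
+:::
+
 ## Upgrading {#module-services-postgres-upgrading}
 
 ::: {.note}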
+16
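--- a/nixos/modules/services/databases/postgresql.nix
+++ b/nixos/modules/services/databases/postgresql.nix
@@ -274,6 +274,14 @@
           Defines the mapping from system users to database users.
 
           See the [auth doc](https://postgresql.org/docs/current/auth-username-maps.html).
+
+          There is a default map "postgres" which is used for local peer authentication
+          as the postgres superuser role.
+          For example, to allow the root user to login as the postgres superuser, add:
+
+          ```
+          postgres root postgres
+          ```
         '';
       };
 
@@ -674,11 +682,19 @@
       (mkBefore "# Generated file; do not edit!")
       (mkAfter ''
         # default value of services.postgresql.authentication
+        local all postgres peer map=postgres
         local all all peer
         host all all 127.0.0.1/32 md5
         host all all ::1/128 md5
       '')
     ];
+
+    # The default allows to login with the same database username as the current system user.
+    # This is the default for peer authentication without a map, but needs to be made explicit
+    # once a map is used.
+    services.postgresql.identMap = mkAfter ''
+      postgres postgres postgres
+    '';
 
     services.postgresql.systemCallFilter = mkMerge [
       (mapAttrs (const mkDefault) {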
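Review bot: The comment above the new default `services.postgresql.identMap` explains what the map preserves but not what the `map=postgres` line added to the `mkAfter` block changes: because pg_hba.conf stops at the first matching line, only system users listed in the `postgres` map can now peer-authenticate as the `postgres` superuser role, instead of any system user whose name happens to match a role. I would state that directly, e.g. `# "map=postgres" on the pg_hba line above means only system users listed in this map may peer-authenticate as the postgres superuser role; this entry keeps the postgres system user itself working.` The option description in the first hunk should likewise say that every entry added to the `postgres` map grants superuser access, so the `postgres root postgres` example is only appropriate for system users that already hold equivalent privileges. Both hunks sit inside definitions that start before and end after them.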
+4 -1
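--- a/nixos/tests/postgresql/postgresql.nix
+++ b/nixos/tests/postgresql/postgresql.nix
@@ -54,6 +54,9 @@
       services.postgresql = {
         inherit package;
         enable = true;
+        identMap = ''
+          postgres root postgres
+        '';
         # TODO(@Ma27) split this off into its own VM test and move a few other
         # extension tests to use postgresqlTestExtension.
         extensions = ps: with ps; [ plv8 ];
@@ -73,7 +76,7 @@
     in
     ''
       def check_count(statement, lines):
-          return 'test $(sudo -u postgres psql postgres -tAc "{}"|wc -l) -eq {}'.format(
+          return 'test $(psql -U postgres postgres -tAc "{}"|wc -l) -eq {}'.format(
               statement, lines
           )
 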
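Review bot: The test only exercises the positive side of the new mapping (the `postgres root postgres` entry lets `psql -U postgres` in `check_count` run without `sudo -u postgres`); nothing verifies that the new `map=postgres` pg_hba line denies peer login as `postgres` to a system user that is not in the map, which is the hardening the default map is meant to provide. A negative check such as `machine.fail("sudo -u <unmapped system user> psql -U postgres -c 'select 1'")`, with the placeholder filled in by a user the VM already has, would pin that behaviour and catch a regression where the map line is dropped or reordered below `local all all peer`. Also note that `check_count` now presumably runs as the test driver's default user, so if the identMap entry is ever removed the helper would fail at authentication rather than on the count, which is harder to read in test output. The `testScript` string containing `check_count` continues outside the hunk.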