Setting database/config options


crinisus

Jan 8, 2020, 5:56:51 AM
to vault...@googlegroups.com
Hi there,

I'm trying to set this for one of our database configs and the below is the get request:

{
  "request_id": "fdkfjkdfjkldjfkldjflkjk",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "allowed_roles": [
      "my-read-role",
      "my-write-role"
    ],
    "connection_details": {
      "connection_url": "postgresql://myadminuser:mypas...@postgresdb.blah:5432/mydb?sslmode=require",
      "max_connection_lifetime": "30s",
      "max_idle_connections": 0,
      "max_open_connections": 5
    },
    "plugin_name": "postgresql-database-plugin"
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}

And I'm looking at these options specifically:

      "max_connection_lifetime": "30s",
      "max_idle_connections": 0,
      "max_open_connections": 5

But when I start, for example, 15 containers I only see one connection for myadminuser to the DB (for adding the users) and I would expect to see 5. I see the users get added to the DB, but it seems that Vault uses 1 connection (with the myadminuser) rather than creating 5 connections (when I list active connections from the SQL side).

My question is, was this supported in version 0.8.3 of Vault, and if so, when would I see multiple connections for 'myadminuser' for creating the temp DB users for the app to use to auth to the DB?

Cheers,
Simon.


Michel Vocks

Jan 8, 2020, 8:06:30 AM
to Vault
Hi Simon!

> But when i start for example 15 containers I only see one connection for myadminuser to the DB (for adding the users) and i would expect to see 5. I see the users get added to the DB, but it seems that vault uses 1 connection (with the myadminuser) rather than creating 5 connections (when I list active connections from the sql side).

What exactly do you mean by "containers"? "max_open_connections" and "max_idle_connections" are passed to the specific database driver (https://github.com/hashicorp/vault/blob/master/builtin/logical/postgresql/backend.go#L121), which internally uses a connection pool to manage connections to the database. I think the implementation of this connection pool differs between the different database type drivers.

> My question is, was this supported in version 0.8.3 of vault, and if so, when would i see multiple connections for 'myadminuser' for creating the temp db users for the app to use to auth to the db?

I think it was supported, but I highly recommend upgrading your Vault version. 0.8.3 is quite an old version which includes old security flaws that were fixed in the past several years.

Cheers,
Michel


crinisus

Jan 8, 2020, 8:20:42 AM
to vault...@googlegroups.com
Hi Michel,

Thanks for your reply. :)

What I mean by containers is that I have a bunch of containers which use approle authentication, so when they start up, Vault connects to the Postgres DB to add the users each container uses to connect to the DB.

When that process happens, from the DB side I see that Vault connects to the DB as the myadminuser (defined in the /database/config/mydb path in Vault) to add the database users for the containers to use (the containers don't connect to the database as the myadminuser; they use dynamic users which the myadminuser creates on the DB).

What I expect with max_open_connections is that, in the instance where you start a large number of containers, when Vault connects to the DB to add the users, it will connect to the DB as myadminuser a number of times, e.g. if you set max_open_connections to 5, will it connect to the DB 5 times (in parallel) to add the users? My idea is to avoid container start-up delay due to max_open_connections being set to a low value.

I've added the configuration to Vault, but when I start a large number of containers using approle authentication, from the DB side I only see 1 connection from the myadminuser, so I am not sure my change actually works.

Cheers,
Simon.
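
The pool behaviour Michel describes, as an added example that is not from the thread or from Vault's own code: Go's database/sql, the pool behind Vault's Go database drivers, opens a connection only when no idle one is free, so 15 admin operations issued one after another show a single session on the DB side, while 15 issued concurrently open up to max_open_connections. The in-memory fake driver, the 20 ms placeholder for the CREATE ROLE work, and the explicit idle setting (the example does not model how Vault interprets a zero) are this example's assumptions.

```go
package main

import (
	"context"
	"database/sql"
	"database/sql/driver"
	"errors"
	"sync"
	"time"
)

// fakeDB stands in for the postgres driver so the example runs without a server;
// every pool decision under test is made by database/sql itself.
type fakeDB struct{}

func (d fakeDB) Connect(context.Context) (driver.Conn, error) { return fakeConn{}, nil }
func (d fakeDB) Open(string) (driver.Conn, error)             { return fakeConn{}, nil }
func (d fakeDB) Driver() driver.Driver                        { return d }

type fakeConn struct{}

func (fakeConn) Close() error                        { return nil }
func (fakeConn) Prepare(string) (driver.Stmt, error) { return nil, errors.New("unused") }
func (fakeConn) Begin() (driver.Tx, error)           { return nil, errors.New("unused") }

// openConnections runs `workers` simulated credential-creation requests through a
// pool configured like the thread's database config, either one after another or
// all at once, and returns how many connections the pool actually opened: the
// number of myadminuser sessions the DB side would list.
func openConnections(maxOpen, workers int, parallel bool) int {
	db := sql.OpenDB(fakeDB{})
	db.SetMaxOpenConns(maxOpen)             // max_open_connections
	db.SetMaxIdleConns(maxOpen)             // keep released connections open for reuse
	db.SetConnMaxLifetime(30 * time.Second) // max_connection_lifetime: "30s"
	defer db.Close()
	var wg sync.WaitGroup
	for i := 0; i < workers; i++ {
		wg.Add(1)
		go func() { // one request that needs the admin connection briefly
			defer wg.Done()
			if c, err := db.Conn(context.Background()); err == nil { // borrow a pooled connection
				time.Sleep(20 * time.Millisecond) // stand-in for the CREATE ROLE / GRANT round trip
				c.Close()                         // hand it back; it stays open as an idle session
			}
		}()
		if !parallel {
			wg.Wait() // serialized: this request finishes before the next one starts
		}
	}
	wg.Wait()
	return db.Stats().OpenConnections // in use + idle, i.e. what the DB would show
}
```

openConnections(5, 15, false) returns 1 and openConnections(5, 15, true) returns 5: the limit only matters once requests overlap.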


