Sharing a DB user password among units of the app

Andreas Hasenack andreas at canonical.com
Thu Mar 27 12:13:10 UTC 2014


On Thu, Mar 27, 2014 at 3:51 AM, Stuart Bishop
<stuart.bishop at canonical.com> wrote:
>> In effect it looks like I don't need to share the credentials among
>> the services?
>
> Correct. I think you are just fine with one relation per database and
> using the generated credentials, and using the granted roles to
> control database permissions.

I will have to try this in more detail. We already use the db-admin
relation to do everything we need with the database, because that's
how this is installed outside the world of juju. And that case still
has to work, of course.

One nag is that the db relation only gives me back one user, and
certain versions of our product need two. These have different
permissions. But I'll cross that bridge when I get to it.

Here I would need one "db" relation just to get the roles. I wouldn't
create the 6 databases here (how could I?), I would let the existing
code (not charm code: product code) do that as usual. Let's see how
far I get.

> To actually create the tables and grant permissions to the roles, you
> can use a db-admin relation (or perhaps 'juju-run' from a subordinate
> charm on the PostgreSQL service). Try to avoid the undocumented
> 'schema_user' and 'schema_password' set of credentials on the db
> relation that has permissions - there is a security hole there that
> needs to be closed up, probably by dropping the feature entirely (Bug
> #1167249).

Good to know, thanks.


