Postgresql – How to manage SSL credentials for multiple Postgres connections

postgresqlssl

We're setting up Redash and need to connect to multiple Data Sources that are Postgres databases that require SSL connections. I have a postgres.key and postgres.crt file from each database. Redash is running as user redash on Ubuntu 16.04.

What should I do with these keys so that Redash (and the Python psycopg2 library, behind the scenes) can find the proper credentials to connect to the Data Sources?

The best I've been able to do is put one set of them in /home/redash/.postgresql, which is where psycopg2 looks for credentials by default. However, that doesn't allow me to connect to the second database.

Best Answer

use the sslcert and sslkey paramterer in the connection string to indicate the files you want.

https://www.postgresql.org/docs/10/static/libpq-connect.html#LIBPQ-PARAMKEYWORDS

eg:

 con=psycopg2_connect(dsn='host=host1 user=yourname sslcert=host1.crt sskkey=host1.key')

probably something using string::format would be more practical.

If that seems too messy

Using a service definition to store the parameters is another option define the connection paramaters (like above) for each server in pg_services.conf (create that file) and use connection strings like

con=psycopg2_connect(dsn='service=host1')

https://www.postgresql.org/docs/10/static/libpq-pgservice.html

other clients (like psql) can also use the services thus defined, so this way will save you typing in the future.

but it seems redash is configured using environment variables with the database as as a URL perhaps like this:

like this with a service definition

export REDASH_DATABASE_URL=postgres:///?service=database1

like this explicitly:

export REDASH_DATABASE_URL="postgres://db_user@host.name.or.ip/db_name?sslcert=host1.crt&sskkey=host1.key"

from a bries sfan of the docs redash seems to use postgres for db_user and db_name

so far as I know libpq does not use a different interface for database names, connection strings, and database urls, where one can be used any other form can be used instead, however the redash docs say to use a URL.

https://www.postgresql.org/docs/10/static/libpq-connect.html#LIBPQ-CONNSTRING

Related Solutions

Postgresql – SQLAlchethe connection error with Postgres

Disclaimer - I'm not a huge sys admin buff, so my information may not be correct.. I also realize that the error says "host" - but I don't think that means it has to be a host entry in pg_hba.conf

When you connect to localhost, it uses the loopback address 127.0.0.1 (unless that configuration on your computer has been tampered with) to connect to your system, which counts as a "HOST" connection..

When you connect to "myComputer" (which happens to be your computer name), I'm pretty sure your OS is smart enough to say "oh hey! that's me!" and doesn't even bother resolving an ip address .. it just does a direct connection. This would be a "LOCAL" connection for postgres..

Try adding local all all ::1/128 trust to your pg_hba.conf file..

Then either restart the server, or connect as a superuser and issue select pg_reload_conf() (preferred method).

UPDATE: I tried instead of using the name of the machine, using it's static ipv4 IP address, which worked. The problem has something to do with the ipv6 connection.

That still works because it's still using a HOST connection (instead of a LOCAL one). Try what I suggest and see if you still get an error when connecting to the computer hostname.

PostgreSQL – How to Resolve SSL Required Error with PgBouncer

The reason that this command worked:

psql --set=sslmode=verify-full -h DBHOST -p DBPORT -U USERNAME DBNAME

Is that --set just creates a user-defined variable inside the psql program with the name of 'sslmode'. That name is not special to psql, it does nothing with your connection options and you just connect without ssl.

Best Answer

Related Solutions

Postgresql – SQLAlchethe connection error with Postgres

PostgreSQL – How to Resolve SSL Required Error with PgBouncer

Related Question