Skip to content

[DPE-5248] Add pgAudit #612

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 11 commits into from
Sep 19, 2024
Merged

[DPE-5248] Add pgAudit #612

merged 11 commits into from
Sep 19, 2024

Conversation

marceloneppel
Copy link
Member

@marceloneppel marceloneppel commented Sep 3, 2024
edited
Loading

Issue

The pgAudit plugin/extension is available in the latest revision of the Charmed PostgreSQL snap, but not in this charm.

Solution

Expose pgAudit as another plugin/extension charm config option and enable it when requested by:

  • Using the new snap, which contains the pgAudit plugin/extension.
  • Adding pgaudit to the PostgreSQL shared_preload_libraries parameter.
  • Configuring the requested parameters from DPE-2573 on lib/charms/postgresql_k8s/v0/postgresql.py.

Added new unit and integration tests.

Also, some adjustments were made in the plugin retrieval, which is used in the config-changed and database-requested hook handlers.

This is a port of canonical/postgresql-k8s-operator#688.

@marceloneppel
Add pgAudit
0ad5d69 
Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>
@marceloneppel
Update snap revisions
09967de 
Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>
@codecov Codecov
Copy link

codecov bot commented Sep 4, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 70.89%. Comparing base (01cfd3e) to head (e928fca).
Report is 1 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main     #612      +/-   ##
==========================================
+ Coverage   70.81%   70.89%   +0.08%     
==========================================
  Files          12       12              
  Lines        3039     3048       +9     
  Branches      537      539       +2     
==========================================
+ Hits         2152     2161       +9     
  Misses        771      771              
  Partials      116      116

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@marceloneppel
Add pgAudit and integration test
896db48 
Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>
@marceloneppel
Fix integration test
ea52557 
Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>
@marceloneppel
Merge remote-tracking branch 'origin/main' into dpe-5248-add-pgaudit
c45976a 
Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>
@marceloneppel
Remove txt file
7d7d413 
Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>
@marceloneppel
Add unit test
dc32116 
Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>
@marceloneppel marceloneppel marked this pull request as ready for review September 12, 2024 20:45
taurus-forever
taurus-forever reviewed Sep 12, 2024
View reviewed changes
Copy link
Contributor

@taurus-forever taurus-forever left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice!

config.yaml Outdated
type: boolean
description: Enable timescaledb extension
plugin_audit_enable:
default: false
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

JFYI, Audit plugin has been enabled on MySQL by default (for login actions only). Please check with @7annaba3l

@taurus-forever
Copy link
Contributor

Please update PR description: s/rock/snap/

@marceloneppel
Copy link
Member Author

Please update PR description: s/rock/snap/

Thanks, Alex! I updated the description.

@marceloneppel
Merge remote-tracking branch 'origin/main' into dpe-5248-add-pgaudit
fc7813e 
Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>
@marceloneppel
Enable pgAudit by default
26ad2c0 
Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>
@marceloneppel
Copy link
Member Author

Enable pgAudit by default

Thanks for pointing that out, Alex! After syncing with Mohamed, I updated the plugin to enable it by default on 26ad2c0.

taurus-forever
taurus-forever approved these changes Sep 17, 2024
View reviewed changes
Copy link
Contributor

@taurus-forever taurus-forever left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, but I would invert the test logic to be close to the real scenarios.

tests/unit/test_charm.py Outdated
default: false
type: boolean
plugin_audit_enable:
default: false
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We are testing possibility to enable pgaudit.
IMHO, we should keep default true, but test possibility of disabling it in the test below.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch! Fixed on e1d2916.

@marceloneppel
Enable/disable the plugin at the unit test
e1d2916 
Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>
@marceloneppel
Fix test_no_password_exposed_on_logs
e928fca 
Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>
@marceloneppel marceloneppel merged commit ca3c587 into main Sep 19, 2024
94 checks passed
@marceloneppel marceloneppel deleted the dpe-5248-add-pgaudit branch September 19, 2024 13:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@taurus-forever taurus-forever taurus-forever approved these changes

@dragomirp dragomirp dragomirp approved these changes

+1 more reviewer

@lucasgameiroborges lucasgameiroborges lucasgameiroborges approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
Libraries: Out of sync
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@marceloneppel @taurus-forever @dragomirp @lucasgameiroborges