
SECZ-1477: Fix chained sessions for prod db access #16

Merged
merged 1 commit into from
May 16, 2024

Conversation

annemirasol

Fixes a bug due to DBs-production-dev-writer and DBs-production-dev-reader sessions already existing, with the old, incorrect role (PanoramaDBsEngineeringDefault) attached.

Manual testing

  1. Ran ./create-chained-sessions.sh
  2. Ran pan-psql rainbow production dev-writer
  3. Ran pan-psql rainbow production admin
  4. Ran pan-psql rainbow production dev-reader

~/Development/panorama/leapp-setup SECZ-1477-fix-prod-db-chained-sessions* 11s
❯ ./create-chained-sessions.sh
creating chained session for playground with persona admin
    looking for existing session k8s-playground-admin
    existing session found
creating chained session for playground with persona dev-writer
    looking for existing session k8s-playground-dev-writer
    existing session found
creating chained session for playground with persona dev-reader
    looking for existing session k8s-playground-dev-reader
    existing session found
creating chained session for playground with persona data-science-tester
    No parent session found for panorama-k8s-playground with role PanoramaK8sDSAR
creating chained session for playground with persona admin
    looking for existing session DBs-playground-admin
    existing session found
creating chained session for playground with persona dev-writer
    looking for existing session DBs-playground-dev-writer
    existing session found
creating chained session for playground with persona dev-reader
    looking for existing session DBs-playground-dev-reader
    existing session found
creating chained session for playground-2 with persona admin
    looking for existing session k8s-playground-2-admin
    existing session found
creating chained session for playground-2 with persona dev-writer
    looking for existing session k8s-playground-2-dev-writer
    existing session found
creating chained session for playground-2 with persona dev-reader
    looking for existing session k8s-playground-2-dev-reader
    existing session found
creating chained session for playground-2 with persona data-science-tester
    No parent session found for panorama-k8s-playground-2 with role PanoramaK8sDSAR
creating chained session for playground-2 with persona admin
    looking for existing session DBs-playground-2-admin
    existing session found
creating chained session for playground-2 with persona dev-writer
    looking for existing session DBs-playground-2-dev-writer
    existing session found
creating chained session for playground-2 with persona dev-reader
    looking for existing session DBs-playground-2-dev-reader
    existing session found
creating chained session for staging with persona admin
    looking for existing session k8s-staging-admin
    existing session found
creating chained session for staging with persona dev-writer
    looking for existing session k8s-staging-dev-writer
    existing session found
creating chained session for staging with persona dev-reader
    looking for existing session k8s-staging-dev-reader
    existing session found
creating chained session for staging with persona data-science-tester
    No parent session found for panorama-k8s-staging with role PanoramaK8sDSAR
creating chained session for staging with persona admin
    looking for existing session DBs-staging-admin
    existing session found
creating chained session for staging with persona dev-writer
    looking for existing session DBs-staging-dev-writer
    existing session found
creating chained session for staging with persona dev-reader
    looking for existing session DBs-staging-dev-reader
    existing session found
creating chained session for production with persona admin
    looking for existing session k8s-production-admin
    existing session found
creating chained session for production with persona dev-writer
    looking for existing session k8s-production-dev-writer
    existing session found
creating chained session for production with persona dev-reader
    looking for existing session k8s-production-dev-reader
    existing session found
creating chained session for production with persona data-science-tester
    No parent session found for panorama-k8s-production with role PanoramaK8sDSAR
creating chained session for production with persona admin
    looking for existing session DBs-production-admin
    existing session found
deleting session DBs-production-dev-writer
creating chained session for production with persona dev-writer
    looking for existing session DBs-production-dev-writer
    no existing session found; starting session for panorama-DBs-production to get role arn
    creating new profile
    creating new session
deleting session DBs-production-dev-reader
creating chained session for production with persona dev-reader
    looking for existing session DBs-production-dev-reader
    no existing session found; starting session for panorama-DBs-production to get role arn
    creating new profile
    creating new session

~/Development/panorama/leapp-setup SECZ-1477-fix-prod-db-chained-sessions 57s
❯ pan-psql rainbow production dev-writer
Creating a new DB bastion session... localhost:27432 - accepting connections
success
Running psql... Starting chained Leapp session (this can take a while)... success
Generating RDS IAM token for app: rainbow and postgres user: dev_writer_role
psql (15.6 (Homebrew))
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, compression: off)
Type "help" for help.

panorama_db=> \q
pan-psql disconnected!

~/Development/panorama/leapp-setup SECZ-1477-fix-prod-db-chained-sessions 17s
❯ pan-psql rainbow production admin
Creating a new DB bastion session... localhost:27432 - accepting connections
success
Running psql... Starting chained Leapp session (this can take a while)... success
Generating RDS IAM token for app: rainbow and postgres user: dev_writer_role
psql (15.6 (Homebrew))
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, compression: off)
Type "help" for help.

panorama_db=> \q
pan-psql disconnected!

~/Development/panorama/leapp-setup SECZ-1477-fix-prod-db-chained-sessions 13s
❯ pan-psql rainbow production dev-reader
Creating a new DB bastion session... localhost:27432 - accepting connections
success
Running psql... Starting chained Leapp session (this can take a while)... success
Generating RDS IAM token for app: rainbow and postgres user: dev_writer_role
psql (15.6 (Homebrew))
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, compression: off)
Type "help" for help.

panorama_db=> \q
pan-psql disconnected!

@annemirasol annemirasol force-pushed the SECZ-1477-fix-prod-db-chained-sessions branch from dc3d6e2 to c8b516c Compare May 15, 2024 19:57
@annemirasol annemirasol marked this pull request as ready for review May 15, 2024 19:59

@chornbec chornbec left a comment


Thanks for fixing this. Do you mind running pan-psql with the --persona flags? It looks like you're passing in a third arg for the persona, but the persona has to be in the --persona flag.

@annemirasol

> Thanks for fixing this. Do you mind running pan-psql with the --persona flags? It looks like you're passing in a third arg for the persona, but the persona has to be in the --persona flag.

@chornbec Oof, good catch, thanks!

~/Development/panorama/leapp-setup SECZ-1477-fix-prod-db-chained-sessions
❯ pan-psql rainbow production --persona="admin"
Creating a new DB bastion session... localhost:27432 - accepting connections
success
Running psql... Starting chained Leapp session (this can take a while)... success
Generating RDS IAM token for app: rainbow and postgres user: dev_admin_role
psql (15.6 (Homebrew))
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, compression: off)
Type "help" for help.

panorama_db=> \q
pan-psql disconnected!

~/Development/panorama/leapp-setup SECZ-1477-fix-prod-db-chained-sessions 15s
❯ pan-psql rainbow production --persona="dev-reader"
Creating a new DB bastion session... localhost:27432 - accepting connections
success
Running psql... Starting chained Leapp session (this can take a while)... success
Generating RDS IAM token for app: rainbow and postgres user: dev_reader_role
psql (15.6 (Homebrew))
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, compression: off)
Type "help" for help.

panorama_db=> \q
pan-psql disconnected!

~/Development/panorama/leapp-setup SECZ-1477-fix-prod-db-chained-sessions 15s
❯ pan-psql rainbow production --persona="dev-writer"
Creating a new DB bastion session... localhost:27432 - accepting connections
success
Running psql... Starting chained Leapp session (this can take a while)... success
Generating RDS IAM token for app: rainbow and postgres user: dev_writer_role
psql (15.6 (Homebrew))
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, compression: off)
Type "help" for help.

panorama_db=> \q
pan-psql disconnected!

@annemirasol annemirasol requested a review from chornbec May 15, 2024 22:51

@chornbec chornbec left a comment


I see the following log lines...

Generating RDS IAM token for app: rainbow and postgres user: dev_admin_role
Generating RDS IAM token for app: rainbow and postgres user: dev_writer_role
Generating RDS IAM token for app: rainbow and postgres user: dev_reader_role

from your tests, so it looks like the --persona flag works for the writer and reader roles in production. LGTM!
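As an added check (not code from this repository), the following Python does mechanically what the review above did by eye: it reads the persona actually passed via `--persona` and compares it with the postgres user named in the "Generating RDS IAM token" log line, so the earlier runs where a positional persona was silently ignored would be flagged instead of passing unnoticed. The persona-to-role mapping is taken from the log lines in this thread; the sample outputs are constructed.

```python
import re

# Expected postgres role per pan-psql persona, as seen in the log lines above
# (admin -> dev_admin_role, dev-writer -> dev_writer_role, dev-reader -> dev_reader_role).
EXPECTED_ROLE = {
    "admin": "dev_admin_role",
    "dev-writer": "dev_writer_role",
    "dev-reader": "dev_reader_role",
}

TOKEN_LINE = re.compile(
    r"Generating RDS IAM token for app: (?P<app>\S+) and postgres user: (?P<user>\S+)"
)


def persona_from_args(args):
    """Return the persona given via --persona=...; a bare positional persona is
    ignored by pan-psql (the point raised in review), so it yields None here."""
    for arg in args:
        if arg.startswith("--persona="):
            return arg.split("=", 1)[1].strip("\"'")
    return None


def check_session(command, output):
    """Compare the persona requested on the command line with the postgres role
    pan-psql actually generated a token for. Returns (ok, detail)."""
    argv = command.split()
    persona = persona_from_args(argv[3:])  # args after: pan-psql <app> <env>
    match = TOKEN_LINE.search(output)
    if match is None:
        return False, "no RDS IAM token line found in output"
    used = match.group("user")
    if persona is None:
        return False, f"no --persona flag given; pan-psql used {used}"
    expected = EXPECTED_ROLE.get(persona)
    if used != expected:
        return False, f"requested persona {persona} but token issued for {used}"
    return True, f"{persona} -> {used}"


# Constructed samples modelled on the two rounds of manual testing in this PR.
SAMPLES = [
    ("pan-psql rainbow production admin",
     "Generating RDS IAM token for app: rainbow and postgres user: dev_writer_role"),
    ('pan-psql rainbow production --persona="admin"',
     "Generating RDS IAM token for app: rainbow and postgres user: dev_admin_role"),
]

if __name__ == "__main__":
    for cmd, out in SAMPLES:
        print(cmd, "=>", check_session(cmd, out))
```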

@annemirasol annemirasol merged commit 76d6d10 into main May 16, 2024
2 checks passed
@annemirasol annemirasol deleted the SECZ-1477-fix-prod-db-chained-sessions branch May 16, 2024 15:24