From dbda504f2c4011940b305aacb0594ef58eabf990 Mon Sep 17 00:00:00 2001 From: Thales Macedo Garitezi Date: Wed, 15 Feb 2023 11:57:45 -0300 Subject: [PATCH] fix(pgsql): fix ssl option for pgsql connector to match previous behavior (5.0) Fixes https://github.com/emqx/emqx/issues/9907 At v5.0.14, we changed the `ssl` option for the Postgres connector from `true` to `required`, but there was another transformation in `conn_opts/2` that led to an incorrect configuration. This change ended up preventing users from connecting to Postgres with their previous configurations after upgrading EMQX. --- .ci/docker-compose-file/pgsql/Dockerfile | 2 +- .ci/docker-compose-file/pgsql/pg_hba_tls.conf | 8 ++++++++ apps/emqx_connector/src/emqx_connector_pgsql.erl | 6 +++++- changes/v5.0.18/fix-9978.en.md | 2 ++ changes/v5.0.18/fix-9978.zh.md | 2 ++ 5 files changed, 18 insertions(+), 2 deletions(-) create mode 100644 .ci/docker-compose-file/pgsql/pg_hba_tls.conf create mode 100644 changes/v5.0.18/fix-9978.en.md create mode 100644 changes/v5.0.18/fix-9978.zh.md diff --git a/.ci/docker-compose-file/pgsql/Dockerfile b/.ci/docker-compose-file/pgsql/Dockerfile index f26e18d0e..8598d3f33 100644 --- a/.ci/docker-compose-file/pgsql/Dockerfile +++ b/.ci/docker-compose-file/pgsql/Dockerfile @@ -1,7 +1,7 @@ ARG BUILD_FROM=postgres:13 FROM ${BUILD_FROM} ARG POSTGRES_USER=postgres -COPY --chown=$POSTGRES_USER ./pgsql/pg_hba.conf /var/lib/postgresql/pg_hba.conf +COPY --chown=$POSTGRES_USER ./pgsql/pg_hba_tls.conf /var/lib/postgresql/pg_hba.conf COPY --chown=$POSTGRES_USER certs/server.key /var/lib/postgresql/server.key COPY --chown=$POSTGRES_USER certs/server.crt /var/lib/postgresql/server.crt COPY --chown=$POSTGRES_USER certs/ca.crt /var/lib/postgresql/root.crt diff --git a/.ci/docker-compose-file/pgsql/pg_hba_tls.conf b/.ci/docker-compose-file/pgsql/pg_hba_tls.conf new file mode 100644 index 000000000..356afd9a6 --- /dev/null +++ b/.ci/docker-compose-file/pgsql/pg_hba_tls.conf @@ -0,0 +1,8 @@ +# TYPE DATABASE USER CIDR-ADDRESS METHOD +local all all trust +# TODO: also test with `cert`? will require client certs +hostssl all all 0.0.0.0/0 password +hostssl all all ::/0 password + +hostssl all www-data 0.0.0.0/0 cert clientcert=1 +hostssl all postgres 0.0.0.0/0 cert clientcert=1 diff --git a/apps/emqx_connector/src/emqx_connector_pgsql.erl b/apps/emqx_connector/src/emqx_connector_pgsql.erl index 890227b9d..1fc994275 100644 --- a/apps/emqx_connector/src/emqx_connector_pgsql.erl +++ b/apps/emqx_connector/src/emqx_connector_pgsql.erl @@ -100,7 +100,11 @@ on_start( case maps:get(enable, SSL) of true -> [ - {ssl, required}, + %% note: this is converted to `required' in + %% `conn_opts/2', and there's a boolean guard + %% there; if this is set to `required' here, + %% that'll require changing `conn_opts/2''s guard. + {ssl, true}, {ssl_opts, emqx_tls_lib:to_client_opts(SSL)} ]; false -> diff --git a/changes/v5.0.18/fix-9978.en.md b/changes/v5.0.18/fix-9978.en.md new file mode 100644 index 000000000..6750d136f --- /dev/null +++ b/changes/v5.0.18/fix-9978.en.md @@ -0,0 +1,2 @@ +Fixed configuration issue when choosing to use SSL for a Postgres connection (`authn`, `authz` and bridge). +The connection could fail to complete with a previously working configuration after an upgrade from 5.0.13 to newer EMQX versions. diff --git a/changes/v5.0.18/fix-9978.zh.md b/changes/v5.0.18/fix-9978.zh.md new file mode 100644 index 000000000..75eed3600 --- /dev/null +++ b/changes/v5.0.18/fix-9978.zh.md @@ -0,0 +1,2 @@ +修正了在Postgres连接中选择使用SSL时的配置问题(`authn`, `authz` 和 bridge)。 +从5.0.13升级到较新的EMQX版本后,连接可能无法完成之前的配置。