
GSoC 2023: pgagroal vault

Link: pgagroal

Overview

pgagroal is a high-performance, protocol-native connection pool for PostgreSQL. It also handles authentication for the users who reach the database through it. Application software does a poor job of keeping secrets: the database password may be hard-coded in source, stored as plain text in a configuration file, or accidentally written to a log or printed as debug output. With a simple vault, pgagroal can issue a dynamically generated, time-limited secret that maps to the actual secret (in our case, the database password), so the real password is never handed to users.

Before this project, pgagroal already supported the frontend_user mode with a preconfigured static frontend_password. Users authenticate with that password instead of the actual database password, so the database password is not exposed. I have implemented periodic rotation of a random frontend_password on top of this feature.

Contribution

Updated the random password generation function, which now supports all printable ASCII characters. For user-friendliness, it avoids generating passwords that start or end with a space or that contain consecutive spaces.

Implemented an event function that periodically generates random passwords for frontend_user.

Added a command-line option to enable the vault and related functions. When the vault is enabled, pgagroal listens on the specified port and handles requests from the vault asynchronously.

Implemented a multi-process server that supports both HTTP and HTTPS, along with a RESTful-style API. Users access '/users/username' to acquire a temporary password and then use it to connect to the database.
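The following is an added example, not pgagroal's own code, that models the two pieces described above: a generator that draws passwords from all printable ASCII characters while rejecting leading, trailing or consecutive spaces, and a vault that rotates each user's frontend password after a fixed period and answers `GET /users/<username>` with the current one. The `Vault` class, its `period` and `length` parameters, the injected `clock` and the `(status, body)` return shape of `handle_request` are assumptions made for illustration; the real server, port handling and HTTPS setup are not modelled. Note that a temporary password fetched over plain HTTP is still visible on the wire, which is why the HTTPS option matters in practice.

```python
import secrets
import string
import time

# All printable ASCII, 0x20..0x7E, space included. Assumption: this is the
# alphabet the text means by "all printable ASCII characters".
PRINTABLE = ''.join(chr(c) for c in range(0x20, 0x7F))


def generate_password(length, rng=secrets):
    """Return a random password drawn from PRINTABLE using a CSPRNG.

    Rejection sampling keeps the distribution uniform over the allowed set:
    a candidate is discarded if it starts or ends with a space or contains
    two spaces in a row, which is the user-friendliness rule from the text.
    """
    if length < 1:
        raise ValueError("password length must be positive")
    while True:
        candidate = ''.join(rng.choice(PRINTABLE) for _ in range(length))
        if candidate[0] == ' ' or candidate[-1] == ' ' or '  ' in candidate:
            continue
        return candidate


def is_well_formed(password):
    """Check the rules the generator enforces (useful for validating output)."""
    return (bool(password)
            and all(c in PRINTABLE for c in password)
            and password[0] != ' '
            and password[-1] != ' '
            and '  ' not in password)


class Vault:
    """Hypothetical model of the vault: one rotating frontend password per user.

    Passwords are regenerated once `period` seconds have elapsed, so any
    password handed out is valid for at most one rotation cycle. The clock
    is injectable so rotation can be exercised without waiting.
    """

    def __init__(self, users, length=16, period=60.0, clock=time.monotonic):
        self.length = length
        self.period = period
        self.clock = clock
        self._secrets = {}  # username -> (password, issued_at)
        for user in users:
            self.rotate(user)

    def rotate(self, user):
        self._secrets[user] = (generate_password(self.length), self.clock())

    def rotate_expired(self):
        """The periodic event: rotate every user whose password has aged out."""
        now = self.clock()
        rotated = []
        for user, (_, issued) in list(self._secrets.items()):
            if now - issued >= self.period:
                self.rotate(user)
                rotated.append(user)
        return rotated

    def current_password(self, user):
        self.rotate_expired()
        entry = self._secrets.get(user)
        return entry[0] if entry else None


def handle_request(vault, method, path):
    """Dispatch a request of the exact form `GET /users/<username>`.

    Returns (status, body). Any other verb or path shape is refused, so the
    endpoint cannot be used to probe arbitrary paths or to enumerate users
    through other methods.
    """
    if method != "GET":
        return 405, "method not allowed"
    parts = path.split("/")
    if len(parts) != 3 or parts[0] != "" or parts[1] != "users" or not parts[2]:
        return 404, "not found"
    password = vault.current_password(parts[2])
    if password is None:
        return 404, "not found"
    return 200, password


if __name__ == "__main__":
    vault = Vault(["alice"], length=20, period=60.0)
    print(handle_request(vault, "GET", "/users/alice"))
    print(handle_request(vault, "GET", "/users/nobody"))
```

A client would read the body of the 200 response and present it as the frontend_password when connecting through pgagroal; once the rotation period passes, the same request yields a fresh value and the old one stops working.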

Remaining Work

The current version of the vault is more of a proof of concept, and there is much room for enhancement. If iterations go well, it will eventually become a stand-alone project.
Possible directions for improvement:

  1. Support for more configuration options, such as host, port, password length and rotation period. The vault will eventually have its own configuration file.
  2. The vault is currently forked and executed within pgagroal. In future versions, I plan to let it start independently and connect to pgagroal.
  3. Add collection of vault metrics and monitoring in Prometheus.
  4. Improve the documentation.

Acknowledgement

I want to express my gratitude to my mentor, Jesper Pedersen, for his tremendous support. Not only did he provide me with encouragement during times of low spirits, but he also imparted a wealth of knowledge in the field of software engineering.