Comments (8)
@chasers we would like to have this because we have the scenario where we're going to have different clusters with different passwords (we could use the same user and db name to easily manage the aliases) and our intention initially was to register the credentials using supavisor and then any application could just call the proxy passing the some_username.some_tenant and some key. We thought this would be the password of supavisor db (maybe because on the supavisor docs it's using the same DB for everything).
Another example of the scenario assuming the two tenants below were registered previously using PUT API:
Tenant 1 (id: d866dd5f-f625-47de-af2b-1f6985db539f)
Host: host_2
Port: 54321
User: my_user
Password: tenant1
Database: my_db
Tenant 2 (id: 6bb66a28-be1e-47d6-86e5-5d67fb10b30c)
Host: host_3
Port: 54322
User: my_user
Password: tenant2
Database: my_db
When some application requests supavisor's proxy we were expecting to have a transparent connection with:
This would point to tenant 1 DB:
psql postgresql://my_user.d866dd5f-f625-47de-af2b-1f6985db539f:<supavisor-db-password>@supavisor_host:7654
This would point to tenant 2 DB:
psql postgresql://my_user.6bb66a28-be1e-47d6-86e5-5d67fb10b30c:<supavisor-db-password>@supavisor_host:7654
<supavisor-db-password> could also be another global key as you suggested.
Because the tenants above were registered previously on supavisor with its credentials, we could easily retrieve credentials data internally.
Another simple example based on the architecture of the image below:
Using the example above as a reference, Clients 1, 2, 3, and 4 will need to know the passwords (let's assume these DBs have different passwords) of Databases 1, 2, and 3 to use Supavisor's proxy even though we know Supavisor has these credentials saved internally. Is it clear to you guys? Is this the expected behavior?
Yep, cause otherwise they will be able to connect to all databases. While we consider that they should be able to connect only to the database for which the user knows the password. At least as the first use case.
So what is being discussed here is a feature request really.
@egor-romanov I noticed you removed the bug label, don't you think this is a problem? Is this the expected behavior?
After registering a tenant with its credentials using the PUT API I was expecting to use the proxy passing the user prefix, the tenant id and the DB password of supavisor DB
@allyxcristiano thanks! Why exactly would you want this?
Maybe instead of using the metadata db password it would be useful to have some sort of global api key that you use as the password in the connection string? Then it would authenticate with that and pick the user password from the user record.
Another simple example based on the architecture of the image below:
Using the example above as a reference, Clients 1, 2, 3, and 4 will need to know the passwords (let's assume these DBs have different passwords) of Databases 1, 2, and 3 to use Supavisor's proxy even though we know Supavisor has these credentials saved internally. Is it clear to you guys? Is this the expected behavior?
Yep, cause otherwise they will be able to connect to all databases. While we consider that they should be able to connect only to the database for which the user knows the password. At least as the first use case.
So what is being discussed here is a feature request really.
I got it @egor-romanov, this is a valid feature request because supavisor DB already has all this information there. We could have several clients calling the proxy and the routing to the proper DB will be made on Supavisor (as it's today) without the client needing to know any database credentials, the only credential might be a default token to connect to the proxy. Do you guys think it would be worth converting this to a feature request or is this something already mapped?
@allyxcristiano How do you create the Bearer token to create tenants?
@allyxcristiano closing this for now as I think you could do this with an auth_query as long as all your tenant dbs have the same role/passwords in their dbs: https://supabase.github.io/supavisor/connecting/authentication/#authentication-query