Skip to main content

Secure login to PostgreSQL via bash script

Introduction

In this blog we will generate a PostgreSQL db backup of kong db which is running inside a docker container. We have a bash script which will be running on a host machine but it will execute the pg_dump command inside the docker container. All we need to ensure is we do not expose the password for the user we will be using to generate the db backup.

Steps

The high level steps are documented below:
  • Create a backup_user for the db dump backup
  • Create a .pgpass file for the backup_user
  • Generate a db_dump using the pgpass file

Create a backup_user

Use below commands for the same

Connect to kong docker container 

Use below command to connect to kong container, assuming the container name is 'kong'

docker exec -it kong /bin/bash

Login to PostgreSQL db as admin user

Use below command to connect to postgresql db as admin user for creating a new user for db export. 

psql -d kong -U admin

Create new user

Use the sql query below for the same. Define some strong password as mentioned below.

CREATE USER backup_user WITH PASSWORD '<define some strong password>';

Grant necessary privileges

Provide only limited and necessary permissions for this user. We will be using role based access for this user.

Note : These minimum permissions worked for me. Please see what other permissions are required for your use case.

CREATE ROLE dba;
CREATE USER app_dba WITH PASSWORD '<define some strong password>';
GRANT CONNECT ON DATABASE kong TO dba;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO dba;
GRANT SELECT ON ALL SEQUENCES IN SCHEMA public TO dba;
GRANT dba TO app_dba;
ALTER ROLE app_dba LOGIN;

Check current privileges for the new user

Below query will output the data in table format having below meaning for columns
  • table_catalog : database name
  • table_name : name of the table for which the access is granted
  • privilege_type : what is the permission on the table
The only permission this user should have is SELECT i.e. READ permission so as to generate a db backup.

SELECT table_catalog, table_name, privilege_type FROM information_schema.role_table_grants WHERE grantee = 'backup_user';

Create a .pgpass file for the backup_user

We will store the new user password inside the .pgpass file and this file would be added inside the docker container. Which means the db_dump can only be taken by executing the command inside the docker container of kong i.e. postgres db. 

Create a .pgpass file

vi ~/.pgpass

Add the user permission in the file

Below are the contents of the .pgpass file for the backup_user to connect to pgsql without password. The password below is the password you assigned to the user during creation in the sql script mentioned in the first step.

Format
<hostname>:<port>:<database name>:<username>:<password>

Example
localhost:5432:kong:backup_user:password

Change permission of the .pgpass file

Use below command for the same

chmod 600 ~/.pgpass

Generate db_dump using backup_user

Use below command to generate db_dump from the host machine. The command will execute the db dump command inside the docker container.

docker exec kong-db sh -c "pg_dump --username=backup_user --dbname=kong" > /opt/kong.sql

Summary

In this blog we achieved db backup using .pgpass without exposing the user password in a script. There are other ways to authenticate the db user for exporting the data based on your use case you can choose one. Refer official PostgreSQL documentation for the authentication options.
Labels:

Comments

Post a Comment

Popular posts from this blog

Container detached from docker network

Introduction One fine day you find out that one of your docker containers is running but is not currently attached to the container network that you created using docker network command. Ideally a container should be detached from the network when there is some error in it. However, if you set the restart: on-failure in the docker-compose.yml  in that case the container should restart and still be attached to the network. In such a weird situation follow the steps documented in this blog. Possible reasons Listed below are the possible reasons for this issue Storage space issue Memory issue ( We will cover this in next blog ) Storage space issue We need to check the space utilisation at the server level first then drill down to the docker engine. Server level utilisation In most cases the server is ubuntu system hence check the disk usage using the disk free command (i.e. df -h ). It will show you the current storage space utilisation of the server. df -h Docker engine space utilis...
Post a Comment
Read more

Secure login to MySQL for bash scripts

Introduction In this blog we will connect to a mysql via CLI from a bash script for generating a db dump. A cleaner approach for the same is using mysql config editor. In this blog we are taking an example of a mysql container running inside docker and we have a script for taking a db backup using  mysqldump . We will not use a password as a parameter to  mysqldump  command instead we will use something called as login path. MySQL config editor It is a utility to store authentication credentials in a obfuscated login path file named as  .mylogin.cnf . How to do it ? View existing configurations To view existing configurations if there are any use below command. The command will output existing configurations if there are otherwise it won't print anything. mysql_config_editor print --all Sample output In the output below you can see that the password is obfuscated and is not readable directly. It is handled by the mysql utilities to use this password as per the flags ...
Post a Comment
Read more

How to install Google font on MacOS

Introduction Google fonts are open source. I was reading through the new angular website  and was astonished by the beautiful font used in the code editor shown in the samples. The font name is DM Mono . I wanted to use the same font on my Visual studio code editor for the Angular project development but I could not find a good blog which will guide through the installation process. Hence I am documenting this blog for the same. Get the font Follow below steps to download a font from Google fonts website . Visit the Google fonts website .  Search for the font you like for example DM Mono Click on the Get font button It will download a zip containing ttf format files Install the font on MacOS Once the zip is downloaded in the default downloads folder on your Mac. Follow below steps Double click to uzip the zip Open the folder Ex: DM_Mono Select all files with extension as .ttf and do not select other files like txt or some other format Keeping all the files selected double clic...
Post a Comment
Read more