
new: [odoo-tecnativa] add support of restricted postgres access

upd
Valentin Lab 4 months ago
parent
commit
946fd58591
  1. 57
      odoo-tecnativa/hooks/postgres_database-relation-joined
  2. 29
      odoo-tecnativa/lib/common
  3. 3
      odoo-tecnativa/metadata.yml
  4. 17
      odoo-tecnativa/resources/opt/odoo/common/entrypoint.d/20-postgres-wait

57
odoo-tecnativa/hooks/postgres_database-relation-joined

@ -41,12 +41,9 @@ services:
PGDATABASE: \"$DBNAME\" PGDATABASE: \"$DBNAME\"
PGPASSWORD: \"$PASSWORD\" PGPASSWORD: \"$PASSWORD\"
PGUSER: \"$USER\" PGUSER: \"$USER\"
#DBFILTER: $DBNAME
ADMIN_PASSWORD: \"$ADMIN_PASSWORD\" ADMIN_PASSWORD: \"$ADMIN_PASSWORD\"
" "
[ "$control" == "$(relation-get control 2>/dev/null)" ] && exit 0
file_put $CONFIG <<EOF file_put $CONFIG <<EOF
[options] [options]
@ -60,6 +57,58 @@ odoo_uid=$(get_odoo_uid)
chown "$odoo_uid" "$CONFIG" && chmod 600 "$CONFIG" chown "$odoo_uid" "$CONFIG" && chmod 600 "$CONFIG"
relation-set control "$control"
if ! out=$(echo "SELECT datname FROM pg_database;" | sql postgres 2>&1); then
warn "Failed to get database list" >&2
printf "%s\n" "$out" | prefix " " >&2
## We don't have access to database list, so...
## if we have a dbfilter set, complain.
if dbfilter=$(options-get dbfilter 2>&1) && [ -n "$dbfilter" ]; then
err "Cannot set ${WHITE}dbfilter${NORMAL} without access to db list"
echo " You don't seem to have access rights on" \
"${DARKYELLOW}$TARGET_SERVICE_NAME${NORMAL} to" \
"the database list" >&2
echo " So you cannot set" \
"${WHITE}dbfilter${NORMAL} option in" \
"${DARKYELLOW}$SERVICE_NAME${NORMAL} options." >&2
exit 1
fi
service_base_image_export_dir \
"$MASTER_BASE_SERVICE_NAME" \
/opt/odoo/custom/src/odoo/odoo/sql_db.py \
"$SERVICE_CONFIGSTORE/odoo-sql_db.py"
chown "$odoo_uid" "$SERVICE_CONFIGSTORE/odoo-sql_db.py"
patch -d "$SERVICE_CONFIGSTORE" -p0 <<EOF
--- odoo-sql_db.py 2024-09-14 20:44:40.540104600 +0200
+++ odoo-sql_db.py 2024-09-14 20:45:39.868394908 +0200
@@ -789,6 +789,9 @@
if _Pool is None:
_Pool = ConnectionPool(int(tools.config['db_maxconn']))
+ if to == 'postgres':
+ to = tools.config['db_name']
+
db, info = connection_info_for(to)
if not allow_uri and db != to:
raise ValueError('URI connections not allowed')
EOF
## We need to force DBFILTER to be empty as odoo-tecnativa image
## will set '.*' by default, which makes odoo switch to a mode
## where it ignores DBNAME.
config-add "\
services:
$MASTER_BASE_SERVICE_NAME:
volumes:
- '$SERVICE_CONFIGSTORE/odoo-sql_db.py:/opt/odoo/custom/src/odoo/odoo/sql_db.py'
environment:
DB_FILTER: ''
"
fi
info "Configured $SERVICE_NAME code for $HOST:$PORT access." info "Configured $SERVICE_NAME code for $HOST:$PORT access."
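Review bot: The restricted-access branch in the second hunk is entered on any failure of `sql postgres` (`if ! out=$(echo "SELECT datname FROM pg_database;" | sql postgres 2>&1)`), so a server that is unreachable or still starting would presumably also get Odoo's `sql_db.py` patched and `DB_FILTER` emptied. Consider checking `$out` for the permission error before taking this path and aborting on any other failure. The result of `patch -d "$SERVICE_CONFIGSTORE" -p0` is not checked in the visible lines, and its context is pinned to one upstream layout of `sql_db.py`; unless the hook runs under `set -e` (not visible here), a rejected hunk would leave an unpatched file bind-mounted, which `patch -d "$SERVICE_CONFIGSTORE" -p0 <<EOF || { err "Failed to patch sql_db.py"; exit 1; }` would surface. Since the file is chowned to the Odoo uid, the volume could also be mounted read-only (`...odoo/sql_db.py:ro`) so the service cannot rewrite its own database layer. The hook continues outside both hunks.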

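--- a/odoo-tecnativa/lib/common
+++ b/odoo-tecnativa/lib/common
@@ -9,3 +9,32 @@ get_odoo_uid() {
 info "openerp uid from ${DARKYELLOW}$SERVICE_NAME${NORMAL} is '$odoo_uid'"
 echo "$odoo_uid"
 }
+sql() {
+local dbname="$1"
+(
+DBNAME="$(relation:get "$SERVICE_NAME":postgres-database dbname)" || return 1
+ts=$(service:traverse "$SERVICE_NAME":"postgres-database") || return 1
+export SERVICE_NAME="$ts"
+export SERVICE_DATASTORE="$DATASTORE/$SERVICE_NAME"
+target_charm=$(get_service_charm "$ts") || return 1
+target_charm_path=$(charm.get_dir "$target_charm") || return 1
+set +e
+. "$target_charm_path/lib/common"
+set -e
+metadata_service_def=$(_get_service_metadata "$ts") || return 1
+type=$(e "$metadata_service_def" | yq -r '.type') || true
+if [[ "$type" != "stub" ]]; then
+DOCKER_BASE_IMAGE=$(service_ensure_image_ready "$SERVICE_NAME") || return 1
+export DOCKER_BASE_IMAGE
+ensure_db_docker_running
+fi
+ddb "${dbname:-$DBNAME}"
+)
+}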
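Review bot: `ensure_db_docker_running` inside `sql()` is the one fallible step before `ddb` whose failure is not handled explicitly, while the other lookups in the subshell end in `|| return 1`. The `set -e` restored after sourcing the target charm's `lib/common` may not help here, because bash ignores errexit for code called from a condition, and this commit calls `sql` from `if ! out=$(… | sql postgres 2>&1)`. Writing `ensure_db_docker_running || return 1` would keep `ddb` from running against a database container that did not come up. A header comment would also help, for example `## Usage: sql [DBNAME] - feeds stdin to the target postgres charm's ddb; DBNAME defaults to the relation's dbname`, since the function appears to read its SQL from stdin.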

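--- a/odoo-tecnativa/metadata.yml
+++ b/odoo-tecnativa/metadata.yml
@@ -6,6 +6,9 @@ data-resources:
 # ## create/update this file ?
 # # - /etc/odoo-server.conf
+charm-resources:
+- /opt/odoo/common/entrypoint.d/20-postgres-wait
 docker-compose:
 command:
 - odoo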

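--- /dev/null
+++ b/odoo-tecnativa/resources/opt/odoo/common/entrypoint.d/20-postgres-wait
@@ -0,0 +1,17 @@
+#!/bin/bash
+if [ "$WAIT_DB" != true ]; then
+log INFO Not waiting for a postgres server
+exit 0
+fi
+log INFO Waiting until postgres is listening at $PGHOST...
+while true; do
+if [ -n "$PGDATABASE" ]; then
+echo "SELECT 1;" | psql "$PGDATABASE"
+else
+# Assumes that your access level to postgres includes the
+# right to list databases
+psql -l
+fi > /dev/null 2>&1 && break
+sleep 1
+done
+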
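Review bot: The `while true` loop has no upper bound and sends all psql output to `/dev/null`, so a rejected login or a missing privilege on `$PGDATABASE` is indistinguishable from a server that is still starting, and the container retries forever without a log line. Capping the attempts and reporting the last psql error would make authentication and permission failures visible to whoever watches the container logs. Passing `-w` stops psql from waiting on a password prompt when `PGPASSWORD` is absent. The sketch below uses a proposed `WAIT_DB_MAX_TRIES` variable, which is not an existing option, and exits non-zero on timeout, which changes start-up behaviour and should be a deliberate choice.

```shell
# … unchanged: WAIT_DB check and the "Waiting until postgres" log line …
tries=0
max_tries=${WAIT_DB_MAX_TRIES:-120}   # proposed variable, not an existing option
while true; do
    if [ -n "$PGDATABASE" ]; then
        last_err=$(psql -w -c 'SELECT 1;' "$PGDATABASE" 2>&1 >/dev/null) && break
    else
        # … unchanged: comment about the right to list databases …
        last_err=$(psql -w -l 2>&1 >/dev/null) && break
    fi
    tries=$((tries + 1))
    if [ "$tries" -ge "$max_tries" ]; then
        echo "postgres still not usable after $tries attempts: $last_err" >&2
        exit 1
    fi
    sleep 1
done
```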