Skip to content

Add canonical PostgreSQL client parameter sslmode #202

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add canonical PostgreSQL client parameter sslmode #202

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions CHANGES.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,11 @@
# Changelog

## Unreleased
- Added canonical [PostgreSQL client parameter `sslmode`], implementing
`sslmode=prefer` to connect to SSL-enabled CrateDB instances without
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
`sslmode=prefer` to connect to SSL-enabled CrateDB instances without
`sslmode=require` to connect to SSL-enabled CrateDB instances without

verifying the host name.

[PostgreSQL client parameter `sslmode`]: https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-PROTECTION

## 2025/01/30 0.41.0
- Dependencies: Updated to `crate-2.0.0`, which uses `orjson` for JSON marshalling
Expand Down
6 changes: 5 additions & 1 deletion src/sqlalchemy_cratedb/dialect.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -228,8 +228,12 @@
servers = to_list(server)
if servers:
use_ssl = asbool(kwargs.pop("ssl", False))
if use_ssl:
# TODO: Switch to the canonical default `sslmode=prefer` later.
sslmode = kwargs.pop("sslmode", "disable")
if use_ssl or sslmode in ["allow", "prefer", "require", "verify-ca", "verify-full"]:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If ssl is explicit disabled, sslmode shouldn't have any effect. At least for bwc imho.

Suggested change
if use_ssl or sslmode in ["allow", "prefer", "require", "verify-ca", "verify-full"]:
if use_ssl and sslmode in ["allow", "prefer", "require", "verify-ca", "verify-full"]:

Copy link
Member Author

@amotl amotl Feb 17, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The patch is intended to set the stage to transition to PostgreSQL conventions, so sslmode is intended to be handled in parallel / as an alternative to the ssl option parameter, so we can phase it out in the future.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If that is the intention, then we should deprecate ssl in the docs/changes, and clearly state that sslmode has higher precedence and overrides ssl.

Copy link
Member Author

@amotl amotl Feb 17, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, documentation needs to be added. I will reflect that correspondingly, but did not intend to deprecate the ssl option just yet, maybe just give an outlook about it.

If you think it is the right choice to officially deprecate it, but still keep it just for bwc reasons, sure I can do it timely. I am trying to find out about your opinion on this. Thanks!

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

At least this should be documented as it may not behave as expected.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

imho, it wouldn't make sense to keep 2 different mechanisms in the future, or do you see some value in that?

Copy link
Member Author

@amotl amotl Feb 17, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree. Let's just keep it for bwc purposes until we may remove the previous one, possibly paired with a 1.0.0 release?

servers = ["https://" + server for server in servers]
if sslmode == "require":
kwargs["verify_ssl_cert"] = False

Check warning on line 236 in src/sqlalchemy_cratedb/dialect.py

View check run for this annotation

Codecov / codecov/patch

src/sqlalchemy_cratedb/dialect.py#L236 

Added line #L236 was not covered by tests
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks odd as it disables cert verification even that the user did not intend to do that.
If one need to do that, one can set the arg explicitly, or what do I miss?

Copy link
Member Author

@amotl amotl Feb 17, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Currently, verify_ssl_cert can not be defined by the user on behalf of the SQLAlchemy connection string. It's the intention of the patch to unlock that, and make connectivity options adhere to PostgreSQL conventions.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, but this will disable cert verification for everyone who uses require. This sounds not like it is what we really want.

Copy link
Member Author

@amotl amotl Feb 17, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We think sslmode=require is the right option to strictly use an SSL connection, but turn off host name validation on it.

The PostgreSQL docs possibly uses uncommon jargon there, that's why it is sometimes difficult to understand, but of course we may also be wrong on this detail. 1

Please validate and clarify.

Footnotes

  1. We will try to use a better jargon on our docs, but still adhere to the option values PostgreSQL clients are using here.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah ok, I understood it wrongly, thanks for the clarification.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why would we want to disable hostname validation with sslmode=require ?

Copy link
Member Author

@amotl amotl Feb 17, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi. It's for the same reasons PostgreSQL and other network clients talking SSL offer the same option in one way or another.

The specific need is originating from cloud operations when connecting to CrateDB/SSL from internal spots within an K8s cluster. @WalBeh can possibly explain it better.

return self.dbapi.connect(servers=servers, **kwargs)
return self.dbapi.connect(**kwargs)
Comment on lines 237 to 238
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When evaluating the patch downstream using sqlalchemy-cratedb==0.42.0.dev2, we found that this connection string syntax, omitting the host name, is not supported yet: crate://?sslmode=require.

Currently, it bails out like this:

TypeError: Connection.__init__() got an unexpected keyword argument 'sslmode'

The reason is, as you can observe above, that two different code paths are used here.


Expand Down