charts icon indicating copy to clipboard operation
charts copied to clipboard
verified publisher icon bitnami

[bitnami/postgresql] permission denied for function pg_ls_waldir

Open wroge opened this issue 2 years ago • 26 comments

Name and Version

bitnami/postgres

What architecture are you using?

None

What steps will reproduce the bug?

Error in Postgres container:

permission denied for function pg_ls_waldir

Error in Metrics container:

ts=2023-10-16T09:48:46.558Z caller=collector.go:199 level=error msg="collector failed" name=wal duration_seconds=0.01408122 err="pq: permission denied for function pg_ls_waldir"

Are you using any custom parameters or values?

No response

What is the expected behavior?

This command should be executed in init container by default.

GRANT EXECUTE ON FUNCTION pg_ls_waldir() TO <User>

What do you see instead?

User doesn't have the permission to use the function.

Additional information

No response

wroge avatar Oct 16 '23 11:10 wroge

Hi,

Could you share the values and steps to reproduce the issue?

javsalgar avatar Oct 17 '23 07:10 javsalgar

These are my values, nothing special. The database user (not admin) simply does not have the permission to use the function.

# postgresql
postgresql:
  auth:
    existingSecret: ...
    database: ...
    username: ...
  architecture: standalone
  serviceAccount:
    create: true
    automountServiceAccountToken: false
  tls:
    enabled: true
    autoGenerated: true
  metrics:
    enabled: true
    prometheusRule:
      enabled: false
    serviceMonitor:
      enabled: true
      labels:
        release: prometheus
    resources:
      limits:
        cpu: 300m
        memory: 64Mi
      requests:
        cpu: 1m
        memory: 16Mi
    containerSecurityContext:
      enabled: true
      runAsUser: 1001
      privileged: false
      runAsNonRoot: true
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
      seccompProfile:
        type: RuntimeDefault
     ...

wroge avatar Oct 20 '23 16:10 wroge

Hi @wroge,

Thank you for reporting this issue. Although adding permissions for the custom user to execute pg_ls_waldir() would resolve the issue, it is not a good practice to have users with more permissions than necessary.

Instead, I have created an internal task to address this issue by implementing some changes in the chart to create a metrics user with only required permissions to obtain the metrics.

If you would like to contribute to this feature, feel free to send a PR and we will be happy to help with anything needed.

migruiz4 avatar Oct 25 '23 10:10 migruiz4

Upvoting this, all bitnami/postgresql helm charts starting from version 13.0.x > are having this issue

michalwilk96 avatar Nov 10 '23 12:11 michalwilk96

I confirm. The issue exists

thevops avatar Nov 20 '23 11:11 thevops

Quick (and not safe as @migruiz4 wrote) workaround. Execute: GRANT EXECUTE ON FUNCTION pg_ls_waldir TO mycustomuser;

thevops avatar Nov 20 '23 12:11 thevops

@migruiz4 any plans to fix this major issue? As mentioned earlier - all bitnami/postgresql helm charts starting from version 13.0.x > are having this issue. It's blocker, because no one wants to do a workaround with security gap.

michalwilk96 avatar Nov 20 '23 22:11 michalwilk96

this is part of upstream postgres_exporter (https://github.com/prometheus-community/postgres_exporter/pull/858)

There is flag to control the collectors https://github.com/prometheus-community/postgres_exporter#flags :

[no-]collector.wal Enable the wal collector (default: enabled).

jouve avatar Nov 21 '23 12:11 jouve

@jouve for some reason this doesnt work for me. Still seeing those logs.

metrics:
  enabled: true
  collectors:
    wal: false

Chart version: 13.2.14

thedarkside avatar Nov 26 '23 18:11 thedarkside

Oh wow i totally missed that this was a recent change and i was some versions behind. After upgrading to the latest chart it is fixed!

Thank you!

thedarkside avatar Nov 26 '23 18:11 thedarkside

I wanted to try that fix, but I can't revoke access that I previously granted to my user.

I tried: REVOKE EXECUTE ON FUNCTION pg_ls_waldir TO mycustomuser and also REVOKE EXECUTE ON FUNCTION pg_ls_waldir TO public, but both didn't work. Do you know how to revoke this?

thevops avatar Nov 27 '23 09:11 thevops

You have to REVOKE ... FROM

REVOKE EXECUTE ON FUNCTION pg_ls_waldir() FROM mycustomuser;

wroge avatar Nov 27 '23 09:11 wroge

You have to REVOKE ... FROM

REVOKE EXECUTE ON FUNCTION pg_ls_waldir() FROM mycustomuser;

Ah, sorry. I tried also with "FROM" and still my user can run SELECT pg_ls_waldir();

thevops avatar Nov 27 '23 09:11 thevops

It's weird. I had to re-create db. It was test env so nothing lost.

thevops avatar Nov 27 '23 10:11 thevops

I would say that the issue is still there with latest chart and disabled metrics. I haven't tried to delete all databases since they are in use.

Any other suggestions?

str1k3r avatar Dec 07 '23 07:12 str1k3r

GRANT pg_monitor TO readonly_user;

masikrus avatar Dec 13 '23 23:12 masikrus

Hi all! Thank you for providing your workarounds for this bug. Seeing the issue activity I have increased the priority of our internal task related to this ticket. That said, if anyone wants to contribute with a fix feel free to create a PR and the team will gladly review it.

FraPazGal avatar Dec 14 '23 11:12 FraPazGal

since I implemented #21162 , I use this to disable the wal collector:

metrics:
  collectors:
    wal: false

maybe it should be set as a chart default

jouve avatar Dec 14 '23 17:12 jouve

This also needs to be fixed on postgresql-ha chart as well.

cnwaldron avatar Dec 22 '23 19:12 cnwaldron

image i encountered the same problem

kakaNo1 avatar Jan 03 '24 02:01 kakaNo1

same problem on postgresql-ha

ecamper avatar Jan 05 '24 13:01 ecamper

I used ALTER USER postgres_exporter WITH SUPERUSER; and it worked. After that, I also ran GRANT EXECUTE ON FUNCTION pg_ls_waldir() TO postgres_exporter;. Additionally, I learned that pg_monitor is the role that uses pg_ls_waldir, so either the user needs to be a superuser or granted the pg_monitor role.

Astolincres avatar Feb 28 '24 03:02 Astolincres

+1 for this :pray:

meysam81 avatar Apr 05 '24 02:04 meysam81

:+1: +1

hiteshnayak305 avatar Apr 06 '24 10:04 hiteshnayak305

+1 for this 🙏

mike667 avatar May 01 '24 20:05 mike667

since I implemented #21162 , I use this to disable the wal collector:

metrics:
  collectors:
    wal: false

maybe it should be set as a chart default

Don't know why that had not been added to the HA chart version. probably WAL monitoring is required when Posgre is in HA, who knows. As a workaround is to mount the sql sqript inside the postgresql pod and add the permissions.

# ...helm values
extraDeploy:
  - apiVersion: v1
    kind: ConfigMap
    metadata:
      name: pg-initdb-dot-d
    data:
      01-pg_ls_waldir-grant.sql: |
        GRANT EXECUTE ON FUNCTION pg_ls_waldir TO your-user-here;

postgresql:
  extraVolumes:
    - name:  pg-initdb-cm
      configMap:
        name: pg-initdb-dot-d
  extraVolumeMounts:
    - name: pg-initdb-cm
      mountPath: /docker-entrypoint-initdb.d
  extraEnvVars:
    - name: "POSTGRESQL_INITSCRIPTS_USERNAME"
      value: "postgres"
    - name: "POSTGRESQL_INITSCRIPTS_PASSWORD"
      value: "password"

zentavr avatar Aug 23 '24 19:08 zentavr

This was marked solved and it does not solve for "custom" user or in postgresql-ha

Stevenpc3 avatar Apr 28 '25 20:04 Stevenpc3