supabase / supavisor

75%

LAST BUILD ON BRANCH main

branch: SELECT

CHANGE BRANCH

x

• No branch selected
• add-instance_id-to-metrics-metadata
• add-location_id-to-global-metadata
• add-mix_audit
• add-sobelow-security-report
• az-test2
• bump-version
• case-insensitive-names
• change-caputre-verbisity-in-tests
• chore/bench-workflow-test
• chore/bump
• chore/bump-poolboy
• chore/bump-to-v2.6.0
• chore/bump-version
• chore/bump-version-2.6.2
• chore/bump-version-2.7.3
• chore/dont-return-queue-genstatem
• chore/improve-metrics-colleciton-o11y
• chore/log-only-once-after-metrics-cleaning
• chore/make-fixes
• chore/more-histogram-resolution
• chore/remove-unused-field
• chore/remove-version-bump-check
• chore/supa_poolboy
• chore/test-upgrade-script
• chore/tool-versions
• chore/update-dependencies
• chore/update-local-postgres-setup
• chore/update-pg_query
• cleanup-credo-issues
• cleanup-metrics-gathering
• cleanup-network-metrics-gathering
• correctly-cleanup-metric-tables
• create-separate-tenant-for-stats-test
• da/fix-compromise
• do-not-delete-metrics-in-syn_handler
• do-not-fix-db-version-in-migrations
• do-not-handle-errors-in-postgres-libcluster-strategy
• do-not-have-time-limit-in-test
• do-not-use-meck-when-testing-metrics-controller
• do-not-verify-tls-cert
• docs/envs-description
• docs/typo-in-readme
• etienne/sec-456-support-password-auth-in-pooler
• etienne/sec-488-support-jit-access-in-supavisor
• even-more-missing-verify_none-options
• fail_fast-in-integration-tests
• feat/accept-gzip
• feat/add-cluster-metrics-plugin
• feat/add-http-api-to-clear-tenant-ban
• feat/add-http-api-to-list-tenants-ban
• feat/add-log-for-slow-pool-checkout
• feat/add-network-bans-api-and-cluster-wide-bans
• feat/better-memory-metrics
• feat/change-user-credentials
• feat/compress-metrics
• feat/configurable-retries
• feat/health-check
• feat/large_heap
• feat/manually-written-appups
• feat/metadb-ipv6
• feat/postgres-errors-on-scram-errors
• feat/prepared-statements-support
• feat/promex-refresh-hot-reload
• feat/proxy_ports
• feat/ranch-instances
• feat/ssl_req_macros
• feat/telemetry-client-connection-age
• feat/use-multicast-instead-of-cast-in-loop
• fix-e2e-case-to-use-transaction-connections
• fix/authn-retry
• fix/backport-directory-check
• fix/cancel
• fix/clear-cache-tenant-creation
• fix/config-logger
• fix/config-regression
• fix/correct-vault-enc-key
• fix/coverage-ignore
• fix/create-schema-before-migrations
• fix/data-race
• fix/db-handler-active-true
• fix/db-handler-terminating-with-error
• fix/dialyzer-and-404-on-metrics
• fix/dont-restart-pool-without-need
• fix/error-and-improve-logs
• fix/fork-promex-phoenix-plugin
• fix/hot-upgrade
• fix/ignore-ready-for-query-when-idle
• fix/integration-test-tag
• fix/ipv6-postgres-topology-strategy
• fix/logflare-backend-conformance
• fix/logger-formatter
• fix/logging
• fix/logs-context
• fix/metrics
• fix/metrics-cleaning
• fix/missing-error-log
• fix/monitor-tcp-socket
• fix/no-warm-pool
• fix/race-condition-tenant-settings-update
• fix/redact
• fix/remove-activation
• fix/revert-gha-bump
• fix/secret-checker-database
• fix/session-query-metrics
• fix/skip-bun-failing
• fix/startup
• fix/startup-order
• fix/stop-db-hadler-on-owner-death
• fix/syn
• fix/tenant-metrics
• fix/tenant-supervisor-child-type
• fix/tests
• fix/use-cached-tenant
• fix/waiting-for-secrets
• fix/websocket-hanging
• fix/zombie-connections
• hauleth/pool-124-connect-coveralls-to-the-supavisor-ci
• ignore-tasks-in-coverage
• ignore-tests-support-in-coverage-report
• ignore-tmp
• infinity-retry
• invalid-search-path-handling-psql-based-tests
• json-log-format
• la/get_tenant_cache
• la/get_user_cache
• la/handle-db-auth-tests
• la/pg_auth_methods
• la/ssl-connection
• la/tenant_controller_tests
• la/tenants_context_tests
• la/use-dbhandler-checkout
• lower-log-level-when-removing-stopped-listener
• main
• ne/libclang
• parallel-coverage-reporting
• patch-1
• plarson/fix-openapi-schema-required-fields
• pooler-127
• pooler-131-update-erlang-otp-to-27
• pooler-132-update-elixir-to-1_18
• pooler-138
• postgres-switching
• prepare-release
• refactor/improve-statems
• refactor/protocol-server-cleanup
• refactor/remove-dead-code
• refactor/rework-errors-add-codes
• refactor/store-encrypted-secrets
• refs/pull/575/merge
• release-v2.4.15
• remaining-peer-verification-setup-in-OTP-27
• remove-commented-out-code
• remove-duplicated-configuration-entry
• remove-unused-module
• rename-host-metadata-field-to-avoid-conflict
• reuse-sessions-when-possible
• run-tests-on-main
• security-token
• submit-dependencies-to-github
• tag-flaky-test
• test/cascade-drop-schema-in-integration-tests
• test/deno-bun
• test/fix-logflare_formatter-flaky-test
• test/integration-test-for-stats-on-other-node
• test/psql-integration
• test/skip-flaky-bun-deno-test
• typo-in-api-schema
• unload-mecked-module
• update-dependencies
• update-erlang-and-elixir
• update-mailmap
• update-runner-image-for-version_updated
• update-rustler
• upgrade-github-actions-node24
• upgrade-github-actions-node24-general
• use-built-in-json-module
• use-iodata-for-metrics
• use-location_id-for-cluster-identification
• use-proper-output-in-mix-tasks
• use-sarif-output-for-credo-report
• v2.7.0

Build # 22145415097

Build Type

push

github

Committed by web-flow

Commit Message

feat: support jit access in supavisor (#725)

## What kind of change does this PR introduce?

Feature

Introduces support for Just-in-time (JIT) access via a Personal Access
Token (PAT) or JWT, which is validated against a remote API. This is
implemented as a separate tenant feature, since it is not a standard
postgres feature. The upstream tenant must also be configured for JIT,
which requires a PAM to be installed and configured in the pg_hba.

With JIT in use, a disconnect happens between what the server expects
for auth (pg_hba.conf) and what `pg_authid` stores for user auth. In
most cases pg_authid will have the credentials saved as scram-sha-256,
but with the use of PAM for authentication, the database uses
`AuthenticationCleartext_password`. For this reason, the Supavisor must
be made aware of the tenants changed auth, and we use a new `use_jit`
configuration value for the tenant. When this is active, the pooler will
use AuthenticationCleartext_password, and support either logging in with
the valid user password (which will be checked against the scram-sha-256
retrieved from pg_authid) or a PAT/JWT that is validated against the
upstream API server configured via `jit_api_url`.

Cached credentials keep working as before, except in the case of the
PAT/JWT, the check is always performed against the upstream API server.
This ensures that any revocation of JIT access is respected, alongside
the expiration/revocation of the auth tokens, something that happens
outside of the database.

## What is the current behavior?

Doesn't support JIT.

## What is the new behavior?

Supports JIT, allowing login with:

JWT:
```
psql 'postgresql://postgres.dev_tenant2:eyJhbGciOiJSUzI1NiIsImtpZCI6IjcyYjY2NjA1IiwidHlwIjoiSldUIn0.eyJhYWwiOiJhYWwyIiwiYW1yIjpbeyJtZXRob2QiOiJ0b3RwIiwidGltZXN0YW1wIjOnt9fQ.XbOq_XWg@localhost:6543/postgres'
```

PAT:
```
psql 'postgresql://postgres.dev_tenant2:sbp_39wBdIEXAMPLESdMIg@localhost:6543/postgres'
```

Password:

```
psql 'postgres... (continued)

Run Details

87 of 102 new or added lines in 7 files covered. (85.29%)

4 existing lines in 3 files now uncovered.

2190 of 2915 relevant lines covered (75.13%)

4241.22 hits per line