Updating npgsql pool connections with Hashicorp Vault password

I am looking into using Hashicorp's Vault software for managing Postgres database passwords utilizing the VaultSharp postgresql secret backend in my C# web service applications.

These applications connect to a PostgreSQL server using a database pool with persistent connections.

My understanding is that in this setup, Vault will dynamically generate and revoke database usernames and passwords that were provided to my application.

However what I am not clear on, is there an automated way for my application to dynamically reauthenticate to the database server before the lease expires? Or do I need to manually manage my persistent database connections and manually disconnect / reconnect them before the lease expires?

I'm hoping that this would be a feature in npgsql or a similar database driver that can handle this for me, or if there is a way to reauthenticate with a new username and password on an existing connection.

The PostgreSQL protocol doesn't allow reauthenticating an existing connection - authentication happens only when first opening a connection, in the Startup packet. For more information see the protocol docs. So you're going to have to close your current connection(s) and open new one(s).

You can force Npgsql to clear all existing idle connections in the pool by calling NpgsqlConnection.ClearPool() or ClearAllPools(). However, this will not affect any connections currently in use in your application - there's no way to close them on the fly (this would cause an exception the next time the connection were used).

In theory, it's possible to develop a feature which would "replace" the authentication information for existing connections. This would set a flag on all in-use connections that would trigger a transparent close and reconnect the next time the connection is used. However, this would be a pretty complicated and error-prone feature.
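One way to apply the close-and-reopen approach from the answer above, as an added example that is not part of the original question or answer and is not Npgsql or VaultSharp code: a small factory that switches to a new connection string shortly before the lease expires and clears the pool that belonged to the old credentials. The DbLease record, the RotatingConnectionFactory class and the fetchLease callback are hypothetical names; how the callback obtains credentials from Vault is an assumption left to the caller.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Npgsql;
// Hypothetical lease shape; how it is obtained from Vault is up to the caller.
public sealed record DbLease(string Username, string Password, DateTimeOffset ExpiresAt);
public sealed class RotatingConnectionFactory
{
    private readonly string _baseConnString;          // host, database, pool options; no credentials
    private readonly Func<Task<DbLease>> _fetchLease; // assumed callback that requests new credentials
    private readonly TimeSpan _margin;                // rotate this long before the lease expires
    private readonly SemaphoreSlim _gate = new(1, 1);
    private string? _connString;
    private DateTimeOffset _expiresAt = DateTimeOffset.MinValue;
    public RotatingConnectionFactory(string baseConnString, Func<Task<DbLease>> fetchLease, TimeSpan margin)
        => (_baseConnString, _fetchLease, _margin) = (baseConnString, fetchLease, margin);
    // Callers open a short-lived connection per unit of work and dispose it afterwards.
    public async Task<NpgsqlConnection> OpenAsync(CancellationToken ct = default)
    {
        var conn = new NpgsqlConnection(await CurrentConnStringAsync(ct));
        await conn.OpenAsync(ct);
        return conn;
    }
    private async Task<string> CurrentConnStringAsync(CancellationToken ct)
    {
        await _gate.WaitAsync(ct);
        try
        {
            if (_connString != null && DateTimeOffset.UtcNow + _margin < _expiresAt)
                return _connString;                   // lease still valid
            var lease = await _fetchLease();
            var old = _connString;
            _connString = new NpgsqlConnectionStringBuilder(_baseConnString)
                { Username = lease.Username, Password = lease.Password }.ConnectionString;
            _expiresAt = lease.ExpiresAt;
            if (old != null)
            {
                // Closes idle connections pooled under the old credentials;
                // connections currently in use are not interrupted.
                using var marker = new NpgsqlConnection(old);
                NpgsqlConnection.ClearPool(marker);
            }
            return _connString;
        }
        finally { _gate.Release(); }
    }
}
```

Because Npgsql keeps a separate pool per connection string, connections opened after the switch authenticate with the new username and password. The margin should be longer than the longest unit of work so that no connection opened under the old credentials is still in use when the lease expires.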
