diff --git a/compute_tools/src/config.rs b/compute_tools/src/config.rs index 71c6123c3b..3487b54892 100644 --- a/compute_tools/src/config.rs +++ b/compute_tools/src/config.rs @@ -168,6 +168,22 @@ pub fn write_postgres_conf( writeln!(file, "# Managed by compute_ctl: end")?; } + // Always add pgaudit to shared_preload_libraries. + // + // This is needed to handle the downgrade scenario. + // pgaudit extension once installed + // will not be removed when audit_log_level is set to disabled, + // and it creates event triggers that require library to be loaded. + let mut extra_shared_preload_libraries = String::new(); + let libs = spec + .cluster + .settings + .find("shared_preload_libraries") + .expect("shared_preload_libraries setting is missing in the spec"); + if !libs.contains("pgaudit") { + extra_shared_preload_libraries.push_str(",pgaudit"); + }; + // If base audit logging is enabled, configure it. // In this setup, the audit log will be written to the standard postgresql log. // 
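Review bot: The `.expect("shared_preload_libraries setting is missing in the spec")` call turns a missing setting into a panic for every audit level, including `Disabled`. The code removed in the later hunks fell back to a default list, and the old disabled path never read the setting. The surrounding code already propagates failures with `?`, so returning an error in whatever error type `write_postgres_conf` uses (for example `.ok_or_else(|| ...)?` with the same message) would keep the failure on the normal reporting path. Separately, `libs.contains("pgaudit")` is a substring test, so a spec listing only `pgauditlogtofile` satisfies it and `pgaudit` is never appended; comparing whole entries, e.g. `libs.split(',').any(|l| l.trim() == "pgaudit")`, avoids that. The function body begins and ends outside this hunk.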
@@ -177,29 +193,22 @@ pub fn write_postgres_conf( // This way we always override the settings from the spec // and don't allow the user or the control plane admin to change them. match spec.audit_log_level { - ComputeAudit::Disabled => {} + ComputeAudit::Disabled => { + // this is the default, but let's be explicit + writeln!(file, "pgaudit.log='none'")?; + } ComputeAudit::Log | ComputeAudit::Base => { writeln!(file, "# Managed by compute_ctl base audit settings: start")?; writeln!(file, "pgaudit.log='ddl,role'")?; // Disable logging of catalog queries to reduce the noise writeln!(file, "pgaudit.log_catalog=off")?; - if let Some(libs) = spec.cluster.settings.find("shared_preload_libraries") { - let mut extra_shared_preload_libraries = String::new(); - if !libs.contains("pgaudit") { - extra_shared_preload_libraries.push_str(",pgaudit"); - } - writeln!( - file, - "shared_preload_libraries='{}{}'", - libs, extra_shared_preload_libraries - )?; - } else { - // Typically, this should be unreacheable, - // because we always set at least some shared_preload_libraries in the spec - // but let's handle it explicitly anyway. - writeln!(file, "shared_preload_libraries='neon,pgaudit'")?; - } + writeln!( + file, + "shared_preload_libraries='{}{}'", + libs, extra_shared_preload_libraries + )?; + writeln!(file, "# Managed by compute_ctl base audit settings: end")?; } ComputeAudit::Hipaa | ComputeAudit::Extended | ComputeAudit::Full => { 
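Review bot: The `ComputeAudit::Disabled` arm writes only `pgaudit.log='none'` and no `shared_preload_libraries` line. Within the visible hunks, that makes the downgrade case, which the new comment ("Always add pgaudit to shared_preload_libraries") is meant to cover, the one path where `pgaudit` is not appended. Unless the setting is written somewhere outside these hunks, a compute moved back to `Disabled` would start without the library while the extension's event triggers still exist. Emitting `writeln!(file, "shared_preload_libraries='{}{}'", libs, extra_shared_preload_libraries)?;` in this arm as well would make the code match the comment. The `match` continues past the end of this hunk.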
@@ -228,28 +237,15 @@ pub fn write_postgres_conf( // The caller who sets the flag is responsible for ensuring that the necessary // shared_preload_libraries are present in the compute image, // otherwise the compute start will fail. - if let Some(libs) = spec.cluster.settings.find("shared_preload_libraries") { - let mut extra_shared_preload_libraries = String::new(); - if !libs.contains("pgaudit") { - extra_shared_preload_libraries.push_str(",pgaudit"); - } - if !libs.contains("pgauditlogtofile") { - extra_shared_preload_libraries.push_str(",pgauditlogtofile"); - } - writeln!( - file, - "shared_preload_libraries='{}{}'", - libs, extra_shared_preload_libraries - )?; - } else { - // Typically, this should be unreacheable, - // because we always set at least some shared_preload_libraries in the spec - // but let's handle it explicitly anyway. - writeln!( - file, - "shared_preload_libraries='neon,pgaudit,pgauditlogtofile'" - )?; + if !libs.contains("pgauditlogtofile") { + extra_shared_preload_libraries.push_str(",pgauditlogtofile"); } + writeln!( + file, + "shared_preload_libraries='{}{}'", + libs, extra_shared_preload_libraries + )?; + writeln!( file, "# Managed by compute_ctl compliance audit settings: end"
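Review bot: `libs` is taken from the spec and formatted directly into `shared_preload_libraries='{}{}'`, here and in the base-audit arm of the previous hunk, with no escaping visible. The comment above the `match` says these settings must not be changeable by the user or the control plane admin, yet a value containing a single quote or a newline would end the quoted string early and the rest would be parsed as further configuration. Whether `find` already returns an escaped value cannot be told from this diff; if it does not, reject or escape such values before writing, e.g. `if libs.contains(['\'', '\n']) { /* return an error */ }`. The enclosing arm and function extend beyond this hunk.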