-
Notifications
You must be signed in to change notification settings - Fork 33
How to Manage Static Database Credentials
This runbook describes the process for creating, rotating, and otherwise managing static BFD database credentials, where static describes traditional username+password authentication. This type of authentication is mostly used by external database analysts. This runbook should not be used to manage RDS IAM authentication credentials, which are used by the core BFD team using their EUA with MFA.
- Prerequisites
- Generate a new SCRAM password
- Creating a new static user
- Granting/revoking privileges
- Rotating or resetting passwords
- Extending expiration dates
- Cloud VPN access to the bfd vpn profile
- AWS CLI or AWS Console access to identify RDS endpoints
- Appropriate database privileges to manage users
This section describes how to generate a new SCRAM (one-way hashed password) using a BFD helper script. Ideally, you would have the user run this script and send you the hashed credential. This is the ideal method as it prevents us from ever knowing the user's password, and the hashed part can be sent to us clear text (Slack, etc). However, this is not always possible due to the user's technical ability or local workstation constraints. In these cases, you will need to run the script for them and send them the unhashed password securely (Box, encrypted zip, etc).
Talk to the user and gauge their technical ability and workstation constraints. If they are able to run the script, have them follow the script's README and ask them to send you the hashed part via Slack. If not, run the script for them.
The helper script is currently located in ops/ccs-ops-misc/pg-password-generator and generates two outputs: a hashed password and a clear text password.
The unhashed supersecret password is what you will send if you are running the script, the hashed password is what they will send if they run the script. Again, the unhashed password should be treated as a secret.
- Clone the beneficiary-fhir-db repository
- Navigate to
ops/ccs-ops-misc/pg-password-generator/
- Create a virtual environment and install dependencies
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
- Follow the README instructions to generate a SCRAM password
Until we fully automate db user provisioning, we need to manually create users. For static users, we use the following
naming convention: firstname_lastname
(joe_doe). If there are multiple users with the same name, we will append a digit.
To create a new user (note: in postgres, users, groups, and roles are all the same thing):
- Ensure VPN is up and you have access to the database's writer node
- Download the RDS combined CA bundle (rds-ca-rsa4096-g1 as the time of this writing) from AWS to a location on disk (~/.aws/rds-combined-ca-bundle.pem for example).
- Connect to the database using the
psql
command line tool (or your preferred client)psql -h <writer-node-endpoint> -U <admin-user> -p 5432 --sslmode=verify-full --sslrootcert=<path-to-rds-combined-ca-bundle.pem> fhirdb
- Create the user role with an expiration date matching the user's expected access duration (no more than 60 days)
CREATE ROLE <username> WITH LOGIN PASSWORD '<scram-password>' VALID UNTIL '<expiration-date>';
- Make a note of the expiration date, the user's team, and update the description
ALTER ROLE <username> SET description = '<team-name> <expiration-date>';
User access is locked down by default and managed via role based access (groups in this case). To grant a user access to
a schema, you will need to grant them access to the appropriate group. The two groups used to manage db analysts are
the bfd_analyst_group
and the paca_analyst_group
. Some users may need access to both groups.
To add a user to a group, run the following command(s):
grant bfd_analyst_group to <username>;
grant paca_analyst_group to <username>;
To remove a user from a group, simply replace grant
with revoke
.
revoke bfd_analyst_group from <username>;
revoke paca_analyst_group from <username>;
Rotating or resetting passwords follows the same process as creating a new user. The only difference is that you will need to update the user's password instead of creating a new user. You should also update the user's description with the new expiration date. Start by generating a new SCRAM password (see above) and then run the following commands:
ALTER ROLE <username> WITH LOGIN PASSWORD '<scram-password>' VALID UNTIL '<expiration-date>';
ALTER ROLE <username> SET description = '<team-name> <expiration-date>';
If the user's expiration date in their description is < 60 days, or if otherwise necessary, you can extend their account by running the following command:
ALTER ROLE <username> VALID UNTIL '<new-expiration-date>';
ALTER ROLE <username> SET description = '<team-name> <new-expiration-date>';
If the user's expiration date is > 60 days, follow the Rotating or resetting passwords section above.
- Home
- For BFD Users
- Making Requests to BFD
- API Changelog
- Migrating to V2 FAQ
- Synthetic and Synthea Data
- BFD SAMHSA Filtering