ruby/rails: Adapter supports non-admin users, readme refresh #114

Merged
trstephen-amazon merged 5 commits into main from trs/ror
May 6, 2025

@trstephen-amazon trstephen-amazon commented May 3, 2025

Changes

  • Update the adapter to work with non-Admin users. Allows the user to be set with a CLUSTER_USER env var (defaults to 'admin') and will generate an appropriately scoped auth token for the cluster.
  • Rework the readme into:
    • ./README.md: Explains how to use the pg-aws_rds_iam plugin to generate DSQL tokens and necessary dialect updates. Intended audience is someone who has an existing Rails app and wants to know the necessary changes for DSQL.
    • ./petclinic/README.md: How to install the sample Rails app and work with the data model.
  • Select the schema based on CLUSTER_USER

Testing

Used the rails console with my cluster with default (admin) and a non-admin user. Connect and data retrieval OK in both cases:

❯ bin/rails console
Loading development environment (Rails 7.2.2.1)
petclinic(dev)> Owner.all
  Owner Load (1992.5ms)  SELECT "owners".* FROM "owners" /* loading for pp */ LIMIT 11
=> []

For user-based schema selection I 1/ loaded data as non-Admin

❯ bin/rails console
Loading development environment (Rails 7.2.2.1)
petclinic(dev)> Vet.all
  Vet Load (2429.5ms)  SELECT "vets".* FROM "vets" /* loading for pp */ LIMIT 11
=> []
petclinic(dev)> Vet.new(name: "NonAdmin").save
  TRANSACTION (157.3ms)  BEGIN
  Vet Create (258.9ms)  INSERT INTO "vets" ("name", "owner_id", "created_at", "updated_at") VALUES ('NonAdmin', NULL, '2025-05-06 21:37:26.748901', '2025-05-06 21:37:26.748901') RETURNING "id"
  TRANSACTION (130.8ms)  COMMIT
=> true
petclinic(dev)> Vet.all
  Vet Load (106.7ms)  SELECT "vets".* FROM "vets" /* loading for pp */ LIMIT 11
=>
[#<Vet:0x000000012559b688
  id: "d07bf384-c10d-4a84-bafc-f356e1f18432",
  name: "NonAdmin",
  owner_id: nil,
  created_at: "2025-05-06 21:37:26.748901000 +0000",
  updated_at: "2025-05-06 21:37:26.748901000 +0000">]

2/ Switched CLUSTER_USER=admin, loaded more data

petclinic(dev)> Vet.new(name: "Admin").save
  TRANSACTION (96.3ms)  BEGIN
  Vet Create (189.4ms)  INSERT INTO "vets" ("name", "owner_id", "created_at", "updated_at") VALUES ('Admin', NULL, '2025-05-06 21:40:24.084691', '2025-05-06 21:40:24.084691') RETURNING "id"
  TRANSACTION (130.9ms)  COMMIT
=> true

3/ As admin, only the 'Admin' vet is visible

petclinic(dev)> Vet.all
  Vet Load (97.5ms)  SELECT "vets".* FROM "vets" /* loading for pp */ LIMIT 11
=>
[#<Vet:0x000000012303c450
  id: "624e0c82-1454-424d-b021-bde8c2cd8bf6",
  name: "Admin",
  owner_id: nil,
  created_at: "2025-05-06 21:40:24.084691000 +0000",
  updated_at: "2025-05-06 21:40:24.084691000 +0000">]

By submitting this pull request, I confirm that my contribution is made under
the terms of the MIT-0 license.

Thank you for your contribution!
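
The choices the description above attributes to the adapter (default user, token scope per user, schema per user) written out as an added example; it is not the PR's adapter code. `CLUSTER_ENDPOINT`, the schema names `public`/`myschema` and the function name are assumptions; `CLUSTER_USER`, its `admin` default and the two IAM actions come from this page.

```ruby
# Added example, not the adapter from this PR.
# Assumptions: CLUSTER_ENDPOINT env var, schema names "public"/"myschema".
# From the page: CLUSTER_USER (default 'admin'), dsql:DbConnectAdmin, dsql:DbConnect.

# \A and \z anchor the whole string; Ruby's ^ and $ only anchor a line, which
# would let "good-host\nother-host" pass the check.
DSQL_HOST = /\A(?<cluster>[a-z0-9]+)\.dsql\.(?<region>[a-z]{2}(?:-[a-z]+)+-\d+)\.on\.aws\z/
ROLE_NAME = /\A[a-z_][a-z0-9_]{0,62}\z/

ConnectionPlan = Struct.new(:user, :host, :region, :iam_action, :schema,
                            keyword_init: true)

# Works with ENV or any Hash that responds to #fetch.
def dsql_connection_plan(env)
  user = env.fetch("CLUSTER_USER", "admin")
  host = env.fetch("CLUSTER_ENDPOINT")

  # Fail closed: do not sign a token for a host that is not a DSQL endpoint.
  match = DSQL_HOST.match(host)
  raise ArgumentError, "not a DSQL endpoint: #{host.inspect}" unless match

  # The role name can end up in SQL (e.g. a search_path), so accept only a
  # plain identifier.
  raise ArgumentError, "invalid CLUSTER_USER: #{user.inspect}" unless ROLE_NAME.match?(user)

  admin = (user == "admin")
  ConnectionPlan.new(
    user: user,
    host: host,
    region: match[:region],
    # The token must be generated for the action that matches the role.
    iam_action: admin ? "dsql:DbConnectAdmin" : "dsql:DbConnect",
    # Separate schemas are why the test above sees different rows per user.
    schema: admin ? "public" : "myschema"
  )
end
```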

- Update the adapter to work with non-Admin users. Allows the user
  to be set with a CLUSTER_USER env var (defaults to 'admin') and will
  generate an appropriately scoped auth token for the cluster.
- Rework the readme into:
   - ./README.md: Explains how to use the pg-aws_rds_iam plugin to
     generate DSQL tokens and necessary dialect updates. Intended
     audience is someone who has an existing Rails app and wants to
     know the necessary changes for DSQL.
   - ./petclinic/README.md: How to install the sample Rails app and
     work with the data model.
@trstephen-amazon trstephen-amazon requested review from srudeepk and wcmjunior and removed request for srudeepk May 3, 2025 00:18
Comment thread ruby/rails/petclinic/README.md
Comment thread ruby/rails/README.md
Comment thread ruby/rails/README.md Outdated
Comment thread ruby/rails/README.md Outdated
Comment on lines +54 to +57
and for long-lived applications should use one that will refresh automatically: `Aws::AssumeRoleCredentials` or
`Aws::InstanceProfileCredentials` to name a few. The retrieved credentials will need permission to `dsql:DbConnectAdmin`
if using the `admin` role or `dsql:DbConnect` if using a custom role. See Aurora DSQL documentation for
[IAM role connect][docs-dsql-iam] and [authentication token generation][docs-generate-token] for more details.
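
Review bot: on the line that names `dsql:DbConnectAdmin` and `dsql:DbConnect`, the two roles read as interchangeable; suggest saying that an application should normally connect with a custom role and `dsql:DbConnect`, keeping `admin` with `dsql:DbConnectAdmin` for cluster setup, so readers do not grant the broader permission by default. The passage also names the permission without its scope, so it would help to add that the policy should be limited to the target cluster rather than all resources.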
Contributor

Remove if you accept my suggestion

:region => region
})

# e.g. host == "<clusterID>.dsql.us-east-1.on.aws"
Contributor

Suggested change
# e.g. host == "<clusterID>.dsql.us-east-1.on.aws"
# e.g. host == "<clusterID>.dsql.<region>.on.aws"

Collaborator Author

Disagree here, keeping an actual region in place so it's obvious what the regex is matching against.

Comment thread ruby/rails/README.md
Comment thread ruby/rails/petclinic/README.md Outdated
Comment thread ruby/rails/petclinic/config/initializers/adapter.rb
@trstephen-amazon
Collaborator Author

I agree with a lot of @imforster's comments. Will address them in an upcoming commit. I don't want to merge this until I've had a chance to investigate schema selection based on user. It's a standard feature with our other examples.

@trstephen-amazon
Collaborator Author

Ready for review! Updated the OP to include the user-based schema selection POC

@imforster imforster self-requested a review May 6, 2025 23:05
@trstephen-amazon trstephen-amazon merged commit 11e049c into main May 6, 2025
2 checks passed
@trstephen-amazon trstephen-amazon deleted the trs/ror branch May 6, 2025 23:51
danielfrankcom pushed a commit to marcbowes/aurora-dsql-samples that referenced this pull request May 9, 2025
Co-authored-by: Marcos Lopez <lmarcosi@amazon.com>