
feat(pgbouncer): simplify authentication using auth_dbname #8671

Merged
armru merged 5 commits into cloudnative-pg:main from leonardoce:auth-dbname on Sep 29, 2025

@leonardoce leonardoce commented Sep 26, 2025

Previously, authentication was handled by creating a user_search function in every accessible database and granting CONNECT privileges to the PgBouncer auth_user.

This change leverages the auth_dbname option, so PgBouncer runs its authentication queries only against the postgres database.

PgBouncer 1.19+ is required (auth_dbname option needed).

Benefits:

  • simpler reconciliation loop
  • no extra connections required for other databases

Closes: #1383

Previously, CloudNativePG configured authentication by creating a
`user_search` function in every accessible database and granting CONNECT
privileges to the PgBouncer auth_user.

This patch simplifies the process by using the `auth_dbname`
configuration option, so that PgBouncer runs its authentication queries
only against the `postgres` database. This results in a simpler
reconciliation loop with no extra connections required for other
databases.

Closes: cloudnative-pg#4939

Signed-off-by: Leonardo Cecchi <leonardo.cecchi@enterprisedb.com>
@leonardoce leonardoce requested a review from a team as a code owner September 26, 2025 14:51
@dosubot dosubot bot added the size:M This PR changes 30-99 lines, ignoring generated files. label Sep 26, 2025
@cnpg-bot cnpg-bot added backport-requested ◀️ This pull request should be backported to all supported releases release-1.25 release-1.26 release-1.27 labels Sep 26, 2025
@github-actions

❗ By default, the pull request is configured to backport to all release branches.

  • To stop backporting this pr, remove the label: backport-requested ◀️ or add the label 'do not backport'
  • To stop backporting this pr to a certain release branch, remove the specific branch label: release-x.y

@dosubot dosubot bot added the enhancement 🪄 New feature or request label Sep 26, 2025
@leonardoce

/test

@github-actions

@leonardoce, here's the link to the E2E on CNPG workflow run: https://github.com/cloudnative-pg/cloudnative-pg/actions/runs/18042447414

@gbartolini gbartolini changed the title feat: use auth_dbname option in PgBouncer feat(pgbouncer): simplify authentication using auth_dbname Sep 26, 2025
@gbartolini gbartolini added do not backport This PR must not be backported - it will be in the next minor release and removed backport-requested ◀️ This pull request should be backported to all supported releases release-1.25 release-1.26 release-1.27 labels Sep 26, 2025
@cnpg-bot cnpg-bot added the ok to merge 👌 This PR can be merged label Sep 26, 2025
Signed-off-by: Gabriele Bartolini <gabriele.bartolini@enterprisedb.com>
Signed-off-by: Gabriele Bartolini <gabriele.bartolini@enterprisedb.com>
@dosubot dosubot bot added size:L This PR changes 100-499 lines, ignoring generated files. and removed size:M This PR changes 30-99 lines, ignoring generated files. labels Sep 27, 2025
Signed-off-by: Gabriele Bartolini <gabriele.bartolini@enterprisedb.com>
@dosubot dosubot bot added the lgtm This PR has been approved by a maintainer label Sep 27, 2025
Signed-off-by: Armando Ruocco <armando.ruocco@enterprisedb.com>
@armru armru merged commit cea3516 into cloudnative-pg:main Sep 29, 2025
30 checks passed
rossigee pushed a commit to rossigee/cloudnative-pg that referenced this pull request Oct 2, 2025
…tive-pg#8671)

Previously, authentication was handled by creating a `user_search`
function in every accessible database and granting `CONNECT` privileges
to the PgBouncer `auth_user`.

This change leverages the `auth_dbname` option, so PgBouncer runs its
authentication queries only against the `postgres` database.

PgBouncer 1.19+ is required (`auth_dbname` option needed).

Benefits:

- simpler reconciliation loop
- no extra connections required for other databases

Closes: cloudnative-pg#1383

---------

Signed-off-by: Leonardo Cecchi <leonardo.cecchi@enterprisedb.com>
Signed-off-by: Gabriele Bartolini <gabriele.bartolini@enterprisedb.com>
Signed-off-by: Armando Ruocco <armando.ruocco@enterprisedb.com>
Co-authored-by: Gabriele Bartolini <gabriele.bartolini@enterprisedb.com>
Co-authored-by: Armando Ruocco <armando.ruocco@enterprisedb.com>
THE-BRAHMA pushed a commit to THE-BRAHMA/cloudnative-pg that referenced this pull request Oct 30, 2025
Signed-off-by: theBrahma <office.utpal.brahma@gmail.com>
@hyat7

hyat7 commented Dec 11, 2025

This should perhaps be documented in release notes as being a Change instead of Enhancement, or something? Maybe I'm just some edge case, but I'm using externalClusters to behave as a read-only replica from a non-CNPG postgres, and then having CNPG Pooler against this CNPG-owned replica. As such, it couldn't automatically add this function to the postgres DB.

It was unclear what the problem was at first, because there is no mention in this new documentation about migration, and the previous documentation said just GRANT CONNECT ON DATABASE { database name here } TO cnpg_pooler_pgbouncer; -- so unless people thought "I'll add this function and privileges to postgres DB for no reason", they'll encounter the same thing.

Thanks!
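
The manual setup that the comment above describes, written out as an added example; it is not part of the original comment or of the CloudNativePG code base. The role name `cnpg_pooler_pgbouncer` is the one quoted in the comment; the `public` schema, the function signature and the function body are assumptions.

```sql
-- Added example, not the project's own migration script.
-- Run while connected to the `postgres` database, the one PgBouncer
-- queries once auth_dbname is in use.

-- The lookup role only has to reach the database named by auth_dbname.
GRANT CONNECT ON DATABASE postgres TO cnpg_pooler_pgbouncer;

-- Assumed definition of user_search (signature and body are illustrative).
-- SECURITY DEFINER lets the unprivileged pooler role read password hashes
-- through this single function instead of holding rights on pg_shadow.
-- Pinning search_path keeps objects in other schemas from shadowing the
-- names resolved inside the function.
CREATE OR REPLACE FUNCTION public.user_search(uname text)
  RETURNS TABLE (usename name, passwd text)
  LANGUAGE sql
  SECURITY DEFINER
  SET search_path = pg_catalog, pg_temp
AS $$
  SELECT s.usename, s.passwd
  FROM pg_catalog.pg_shadow AS s
  WHERE s.usename = $1;
$$;

-- Functions are executable by PUBLIC by default; restrict this one to the
-- pooler role so that no other login role can read hashes through it.
REVOKE ALL ON FUNCTION public.user_search(text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION public.user_search(text) TO cnpg_pooler_pgbouncer;

-- Report the resulting privileges: whether the pooler role can connect
-- and execute, and whether PUBLIC still holds EXECUTE.
SELECT
  has_database_privilege('cnpg_pooler_pgbouncer', 'postgres', 'CONNECT')
    AS pooler_can_connect,
  has_function_privilege('cnpg_pooler_pgbouncer',
                         'public.user_search(text)', 'EXECUTE')
    AS pooler_can_execute,
  has_function_privilege('public',
                         'public.user_search(text)', 'EXECUTE')
    AS public_can_execute;
```

Creating the function requires a role that can read `pg_shadow`, typically a superuser. On a read-only replica the statements have to be run on the upstream primary so that the objects arrive through replication.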

Development

Successfully merging this pull request may close these issues.

Introduce support for auth_dbname in pgbouncer
