Add pg_hba checksum metric

benjaminjb · benjaminjb · commit f0a225f4def4 · 2025-05-06T15:55:37.000-05:00
We want OTel metrics to be as close to parity with
the postgres_exporter solution as possible; so this
PR adds the initial setup and metric query to get
'ccp_pg_hba_checksum', as well as the util function
to mark a pg_hba setting as valid.

Issues: [PGO-2395]
diff --git a/internal/collector/generated/postgres_5m_metrics.json b/internal/collector/generated/postgres_5m_metrics.json
diff --git a/internal/collector/postgres_5m_metrics.yaml b/internal/collector/postgres_5m_metrics.yaml
@@ -140,4 +140,12 @@
         attribute_columns: ["dbname"]
         static_attributes:
           server: "localhost:5432"
-   
+
+  - sql: SELECT monitor.pg_hba_checksum() AS status;
+    metrics:
+      - metric_name: ccp_pg_hba_checksum 
+        value_column: status
+        description: |
+          Value of checksum monitioring status for pg_catalog.pg_settings (postgresql.conf).
+          0 = valid config. 1 = settings changed. 
+          To reset current config to valid after alert, run monitor.pg_settings_checksum_set_valid().
diff --git a/internal/controller/postgrescluster/metrics_setup.sql b/internal/controller/postgrescluster/metrics_setup.sql
@@ -220,3 +220,150 @@ BEGIN
 END;
 $$ LANGUAGE plpgsql;
 
+/*
+ * Tables and functions for monitoring changes to pg_hba_file_rules system catalogs.
+ * Tables allow recording of existing settings so they can be referred back to to see what changed
+ * If checksum function returns 0, then NO settings have changed
+ * If checksum function returns 1, then something has changed since last known valid state
+ * For replicas, logging past settings is not possible to compare what may have changed
+ * For replicas, by default, it is expected that its settings will match the primary
+ * For replicas, if the pg_hba.conf are necessarily different from the primary, a known good hash of that replica's
+    settings can be sent as an argument to the relevant checksum function. Views are provided to easily obtain the hash values used by this monitoring tool.
+ * If any known hash parameters are passed to the checksum function, note that it will override any past hash values stored in the log table when doing comparisons and completely re-evaluate the entire state. This is true even if done on a primary where the current state will then also be logged for comparison if it differs from the given hash.
+ Taken from https://github.com/CrunchyData/pgmonitor/blob/development/postgres_exporter/common
+ */
+
+-- Table used to store the old pg_hba, hash, and set the valid column
+DROP TABLE IF EXISTS monitor.pg_hba_checksum;
+CREATE TABLE monitor.pg_hba_checksum (
+    hba_hash_generated text NOT NULL
+    , hba_hash_known_provided text
+    , hba_string text NOT NULL
+    , created_at timestamptz DEFAULT now() NOT NULL
+    , valid smallint NOT NULL );
+
+COMMENT ON COLUMN monitor.pg_hba_checksum.valid IS 'Set this column to zero if this group of settings is a valid change';
+CREATE INDEX ON monitor.pg_hba_checksum (created_at);
+-- End table that stores pg_hba hash
+
+-- Function used to compare old pg_hba hash and current hash
+DROP FUNCTION IF EXISTS monitor.pg_hba_checksum(text);
+CREATE FUNCTION monitor.pg_hba_checksum(p_known_hba_hash text DEFAULT NULL)
+    RETURNS smallint
+    LANGUAGE plpgsql SECURITY DEFINER
+    SET search_path TO pg_catalog, pg_temp
+AS $function$
+DECLARE
+
+v_hba_hash              text;
+v_hba_hash_old          text;
+v_hba_match             smallint := 0;
+v_hba_string            text;
+v_hba_string_old        text;
+v_is_in_recovery        boolean;
+v_valid                 smallint;
+
+BEGIN
+
+SELECT pg_is_in_recovery() INTO v_is_in_recovery;
+
+IF current_setting('server_version_num')::int >= 100000 THEN
+
+    SELECT sha256_hash
+        , hba_string
+    INTO v_hba_hash
+        , v_hba_string
+    FROM monitor.pg_hba_hash;
+
+ELSE
+    RAISE EXCEPTION 'pg_hba change monitoring unsupported in versions older than PostgreSQL 10';
+END IF;
+
+SELECT  hba_hash_generated, valid
+INTO v_hba_hash_old, v_valid
+FROM monitor.pg_hba_checksum
+ORDER BY created_at DESC LIMIT 1;
+
+IF p_known_hba_hash IS NOT NULL THEN
+    v_hba_hash_old := p_known_hba_hash;
+    -- Do not base validity on the stored value if manual hash is given.
+    v_valid := 0;
+END IF;
+
+IF (v_hba_hash_old IS NOT NULL) THEN
+
+    IF (v_hba_hash != v_hba_hash_old) THEN
+
+        v_valid := 1;
+
+        IF v_is_in_recovery = false THEN
+            INSERT INTO monitor.pg_hba_checksum (
+                    hba_hash_generated
+                    , hba_hash_known_provided
+                    , hba_string
+                    , valid)
+            VALUES (
+                    v_hba_hash
+                    , p_known_hba_hash
+                    , v_hba_string
+                    , v_valid);
+        END IF;
+    END IF;
+
+ELSE
+
+    v_valid := 0;
+    IF v_is_in_recovery = false THEN
+        INSERT INTO monitor.pg_hba_checksum (
+                hba_hash_generated
+                , hba_hash_known_provided
+                , hba_string
+                , valid)
+        VALUES (v_hba_hash
+                , p_known_hba_hash
+                , v_hba_string
+                , v_valid);
+    END IF;
+
+END IF;
+
+RETURN v_valid;
+
+END
+$function$;
+-- End function used to compare hashes
+
+-- View used to create hash of pg_hba
+DROP VIEW IF EXISTS monitor.pg_hba_hash;
+CREATE VIEW monitor.pg_hba_hash AS
+    -- Order by line number so it's caught if no content is changed but the order of entries is changed
+    WITH hba_ordered_list AS (
+        SELECT COALESCE(type, '<<NULL>>') AS type
+            , array_to_string(COALESCE(database, ARRAY['<<NULL>>']), ',') AS database
+            , array_to_string(COALESCE(user_name, ARRAY['<<NULL>>']), ',') AS user_name
+            , COALESCE(address, '<<NULL>>') AS address
+            , COALESCE(netmask, '<<NULL>>') AS netmask
+            , COALESCE(auth_method, '<<NULL>>') AS auth_method
+            , array_to_string(COALESCE(options, ARRAY['<<NULL>>']), ',') AS options
+        FROM pg_catalog.pg_hba_file_rules
+        ORDER BY line_number)
+    SELECT sha256((string_agg(type||database||user_name||address||netmask||auth_method||options, ','))::bytea) AS sha256_hash
+        , string_agg(type||database||user_name||address||netmask||auth_method||options, ',') AS hba_string
+    FROM hba_ordered_list;
+-- End view used to create hash of pg_hba
+
+-- Function used to set pg_hba as valid
+/*
+ * This function provides quick, clear interface for resetting the checksum monitor to treat the currently detected configuration as valid after alerting on a change. Note that configuration history will be cleared.
+ */
+DROP FUNCTION IF EXISTS monitor.pg_hba_checksum_set_valid();
+CREATE FUNCTION monitor.pg_hba_checksum_set_valid() RETURNS smallint
+    LANGUAGE sql
+AS $function$
+
+TRUNCATE monitor.pg_hba_checksum;
+
+SELECT monitor.pg_hba_checksum();
+
+$function$;
+-- End function used to set pg_hba as valid
