Migrate to canonical PostgreSQL client parameter sslmode

[amotl]

Introduction

We need the capability to connect to CrateDB using SSL without verifying the host name.
We also would like to standardize connection parameters to be more like PostgreSQL.

About

This implements sslmode=require to connect to SSL-enabled CrateDB instances without verifying the host name.

• Respect sslmode option #197

Preview

uv pip install 'sqlalchemy-cratedb @ https://github.com/crate/sqlalchemy-cratedb/archive/refs/heads/sslmode.zip'

export SQLALCHEMY_CRATEDB_URL=crate://localhost:4200/?sslmode=require

NB: The environment where you are installing this into needs to have Git installed first, see jwodder/versioningit#106.

References

This miniature rig can be used to validate it manually.

• Docker/Podman: Add basic runnable Docker Compose example for CrateDB+SSL cratedb-examples#825

NB: Please also make yourself heard on this patch and/or acknowledge even when not assigned as reviewers. I am just not doing it because it is not appropriate to slot in more than two of us. /cc @surister, @kneth

[seut]

If ssl is explicit disabled, sslmode shouldn't have any effect. At least for bwc imho.

Suggested change

	if use_ssl or sslmode in ["allow", "prefer", "require", "verify-ca", "verify-full"]:
	if use_ssl and sslmode in ["allow", "prefer", "require", "verify-ca", "verify-full"]:

[amotl]

The patch is intended to set the stage to transition to PostgreSQL conventions, so sslmode is intended to be handled in parallel / as an alternative to the ssl option parameter, so we can phase it out in the future.

[matriv]

If that is the intention, then we should deprecate ssl in the docs/changes, and clearly state that sslmode has higher precedence and overrides ssl.

[amotl]

Yes, documentation needs to be added. I will reflect that correspondingly, but did not intend to deprecate the ssl option just yet, maybe just give an outlook about it.

If you think it is the right choice to officially deprecate it, but still keep it just for bwc reasons, sure I can do it timely. I am trying to find out about your opinion on this. Thanks!

[seut]

At least this should be documented as it may not behave as expected.

[matriv]

imho, it wouldn't make sense to keep 2 different mechanisms in the future, or do you see some value in that?

[amotl]

I agree. Let's just keep it for bwc purposes until we may remove the previous one, possibly paired with a 1.0.0 release?

[amotl]

Hi again. @94492ef improves the change log message, adf9eaa the documentation, b1eb6bf starts emitting a deprecation notice, and ab1b600 starts validating that ensemble.

[seut]

This looks odd as it disables cert verification even that the user did not intend to do that.
If one need to do that, one can set the arg explicitly, or what do I miss?

[amotl]

Currently, verify_ssl_cert can not be defined by the user on behalf of the SQLAlchemy connection string. It's the intention of the patch to unlock that, and make connectivity options adhere to PostgreSQL conventions.

[seut]

Ok, but this will disable cert verification for everyone who uses require. This sounds not like it is what we really want.

[amotl]

We think sslmode=require is the right option to strictly use an SSL connection, but turn off host name validation on it.

The PostgreSQL docs possibly uses uncommon jargon there, that's why it is sometimes difficult to understand, but of course we may also be wrong on this detail. ¹

Please validate and clarify.

Footnotes

1. We will try to use a better jargon on our docs, but still adhere to the option values PostgreSQL clients are using here. ↩

[seut]

Ah ok, I understood it wrongly, thanks for the clarification.

[mfussenegger]

Why would we want to disable hostname validation with sslmode=require ?

[amotl]

Hi. It's for the same reasons PostgreSQL and other network clients talking SSL offer the same option in one way or another, to enable connectivity (e.g. for debugging purposes) even when the hostname does not match the certificate name.

The specific need is originating from cloud operations when connecting to CrateDB/SSL from internal spots within a K8s cluster using port-forwarding mechanisms, which is business as usual for @WalBeh and @goat-ssh.

That this mode, to disable hostname validation, is called sslmode=require in PostgreSQL jargon is unfortunate, but not my fault. The stronger variants are called verify-ca and verify-full.

[amotl]

Hi again. I've changed the implementation with d93e3f2: It is now using the SSLMode class from asyncpg to wrap away the topic domain of sslmode-parameter parsing, so what's left is much cleaner and easier to follow. As an additional benefit, parsing the parameter becomes more robust, because the code now also fails on invalid values like other PostgreSQL clients are doing it.

sqlalchemy-cratedb/src/sqlalchemy_cratedb/dialect.py

Lines 243 to 260 in d93e3f2

	# Process new SSL option `sslmode`.
	# Please consult https://www.postgresql.org/docs/18/libpq-connect.html.
	if "sslmode" in kwargs:
	try:
	sslmode = SSLMode.parse(kwargs.pop("sslmode"))
	except AttributeError as exc:
	modes = ", ".join(SSLMode.modes)
	raise SQLAlchemyError(
	"`sslmode` parameter must be one of: {}".format(modes)
	) from exc
	if sslmode < SSLMode.allow:
	use_ssl = False
	else:
	use_ssl = True
	if sslmode >= SSLMode.verify_ca:
	kwargs["verify_ssl_cert"] = True
	else:
	kwargs["verify_ssl_cert"] = False

[amotl]

When evaluating the patch downstream using sqlalchemy-cratedb==0.42.0.dev2, we found that this connection string syntax, omitting the host name, is not supported yet: crate://?sslmode=require.

Currently, it bails out like this:

TypeError: Connection.__init__() got an unexpected keyword argument 'sslmode'

The reason is, as you can observe above, that two different code paths are used here.

[amotl]

This spot has been improved with 9c54f7c, so that crate://?sslmode=require also works as intended.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch sslmode

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[amotl]

This evaluation of the new sslmode parameter does not check for invalid values yet, like other PostgreSQL clients are doing it. For improving compatibility and interoperability of this patch, the evaluation should do the same.

$ psql "postgresql://postgres@localhost:5432?sslmode=foo"
psql: error: invalid sslmode value: "foo"

>>> import psycopg
>>> psycopg.connect("postgresql://postgres@localhost:5432?sslmode=foo")
Traceback (most recent call last):
  File "<python-input-1>", line 1, in <module>
    psycopg.connect("postgresql://postgres@localhost:5432?sslmode=foo")
    ~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/path/to/lib/python3.13/site-packages/psycopg/connection.py", line 130, in connect
    raise new_ex.with_traceback(None)
psycopg.OperationalError: connection is bad: invalid sslmode value: "foo"
Multiple connection attempts failed. All failures were:
- host: 'localhost', port: '5432', hostaddr: '::1': connection is bad: invalid sslmode value: "foo"
- host: 'localhost', port: '5432', hostaddr: '127.0.0.1': connection is bad: invalid sslmode value: "foo"

>>> import asyncpg
>>> import asyncio
>>> asyncio.run(asyncpg.connect("postgresql://postgres@localhost:5432?sslmode=foo"))
  File "/path/to/lib/python3.13/site-packages/asyncpg/connect_utils.py", line 685, in _parse_connect_dsn_and_args
    raise exceptions.ClientConfigurationError(
        '`sslmode` parameter must be one of: {}'.format(modes)
    ) from None
asyncpg.exceptions._base.ClientConfigurationError: `sslmode` parameter must be one of: disable, allow, prefer, require, verify-ca, verify-full

[amotl]

d93e3f2 improves the situation by inheriting fragments of parameter parsing and error handling from asyncpg.