Page MenuHomePhabricator
Create Task
Maniphest T391348

airflow: Restrict the rights for airflow deployers to destroy postgresql clusters
Closed, ResolvedPublic
Actions

Description

We recently had an incident whereby an engineer accidentally deleted the postgresql cluster supporting an airflow instance by using helmfile.

For context, each airflow instance comprises two deployments into the same namespace:

  • Airflow, which is stateless
  • A PostgreSQL cluster, which is stateful

Currently, members of the deployers group have the rights to deploy and delete both of these components to the namespace.

However, deleting the PostgreSQL cluster will require either of the following situations in order to bring it back:

  • a freshly created, empty, database
  • the use of the backup and recovery system to restore the last known base backup and WAL replay

With our current setup, this could mean data loss of up to 5 minutes, since that is our current WAL backup schedule.

This ticket is about asking the question about whether or not we have the balance correct between convenience and security.

  • Should we limit the operations on the postgresql clusters to SREs?
  • If so, how? What mechanisms would be at our disposal to achieve a level of database availability with which we are comfortable?

Are there any other recommendations that we can make to improve the disaster recovery preparedness for PostgreSQL clusters?

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
airflow: separate postgresql and airflow helmfilesoperations/deployment-chartsmaster+432 -113
deployment_server: provision dedicated kubeconfigs for airflow PGsoperations/puppetproduction+48 -0
airflow-analytics-test: split the airflow and postgresql deploymentsoperations/deployment-chartsmaster+54 -15
deployment_server: provision separate kubeconfig files for the airflow PG DBsoperations/puppetproduction+6 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

BTullis created this task.Apr 8 2025, 1:18 PM
bking subscribed.Apr 8 2025, 1:23 PM
Gehel triaged this task as High priority.Apr 8 2025, 2:08 PM
Gehel moved this task from Incoming to Scratch on the Data-Platform-SRE board.
Gehel edited projects, added Data-Platform-SRE (2025.03.22 - 2025.04.11); removed Data-Platform-SRE.Apr 8 2025, 2:15 PM
Gehel moved this task from Backlog - project to Backlog - operations on the Data-Platform-SRE (2025.03.22 - 2025.04.11) board.
BTullis removed BTullis as the assignee of this task.Apr 8 2025, 3:12 PM
Gehel edited projects, added Data-Platform-SRE (2025.04.12 - 2025.05.02); removed Data-Platform-SRE (2025.03.22 - 2025.04.11).Apr 11 2025, 1:14 PM
Gehel moved this task from Backlog - project to Backlog - operations on the Data-Platform-SRE (2025.04.12 - 2025.05.02) board.
brouberol claimed this task.Apr 24 2025, 1:08 PM
gerritbot added a comment.Apr 24 2025, 1:08 PM

Change #1138748 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/puppet@production] deployment_server: provision separate kubeconfig files for the airflow PG DBs

https://gerrit.wikimedia.org/r/1138748

brouberol moved this task from Backlog - operations to In Progress on the Data-Platform-SRE (2025.04.12 - 2025.05.02) board.Apr 24 2025, 1:08 PM
gerritbot added a project: Patch-For-Review.Apr 24 2025, 1:08 PM
brouberol changed the task status from Open to In Progress.Apr 24 2025, 1:08 PM
gerritbot added a comment.Apr 24 2025, 3:11 PM

Change #1138748 merged by Brouberol:

[operations/puppet@production] deployment_server: provision separate kubeconfig files for the airflow PG DBs

https://gerrit.wikimedia.org/r/1138748

Maintenance_bot removed a project: Patch-For-Review.Apr 24 2025, 3:31 PM
gerritbot added a comment.Apr 24 2025, 3:46 PM

Change #1138827 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/deployment-charts@master] airflow-analytics-test: split the airflow and postgresql deployments

https://gerrit.wikimedia.org/r/1138827

gerritbot added a project: Patch-For-Review.Apr 24 2025, 3:46 PM
gerritbot added a comment.Apr 25 2025, 1:06 PM

Change #1138827 merged by Brouberol:

[operations/deployment-charts@master] airflow-analytics-test: split the airflow and postgresql deployments

https://gerrit.wikimedia.org/r/1138827

Maintenance_bot removed a project: Patch-For-Review.Apr 25 2025, 1:30 PM
gerritbot added a comment.Apr 29 2025, 6:32 AM

Change #1139657 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/deployment-charts@master] airflow: separate postgresql and airflow helmfiles

https://gerrit.wikimedia.org/r/1139657

gerritbot added a project: Patch-For-Review.Apr 29 2025, 6:32 AM

Change #1139659 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/puppet@production] deployment_server: provision dedicated kubeconfigs for airflow PGs

https://gerrit.wikimedia.org/r/1139659

brouberol moved this task from In Progress to Needs Review on the Data-Platform-SRE (2025.04.12 - 2025.05.02) board.Apr 29 2025, 6:33 AM
gerritbot added a comment.Apr 29 2025, 7:42 AM

Change #1139659 merged by Brouberol:

[operations/puppet@production] deployment_server: provision dedicated kubeconfigs for airflow PGs

https://gerrit.wikimedia.org/r/1139659

gerritbot added a comment.Apr 29 2025, 8:08 AM

Change #1139657 merged by Brouberol:

[operations/deployment-charts@master] airflow: separate postgresql and airflow helmfiles

https://gerrit.wikimedia.org/r/1139657

brouberol closed this task as Resolved.Apr 29 2025, 8:25 AM
brouberol moved this task from Needs Review to Done on the Data-Platform-SRE (2025.04.12 - 2025.05.02) board.
Maintenance_bot removed a project: Patch-For-Review.Apr 29 2025, 8:30 AM
BTullis renamed this task from airflow: Consider restricting the rights for airflow deployers to destroy postgresql clusters to airflow: Restrict the rights for airflow deployers to destroy postgresql clusters.May 1 2025, 3:49 PM
BTullis moved this task from Done to Reported on the Data-Platform-SRE (2025.04.12 - 2025.05.02) board.May 1 2025, 4:25 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits