Cohesity Cloud Scale Technology Deployment Guide Using Terraform for Microsoft Azure

Last Published:
Product(s): NetBackup & Alta Data Protection (11.0)

Change the PostgreSQL database server password

This section describes how to change the database password. Using the Azure CLI, you first create the Azure CLI container, then run the reset password command from that container to change the password.

Note:

When setting the PostgreSQL password in DBaaS, ensure that the password does not contain the following special characters: equal (=), double quote ("), single quote ('), percentage (%), at sign (@), ampersand (&), question mark (?), underscore (_), and hash (#).

Steps to change password

  1. Launch an Azure CLI pod into the AKS cluster using the following command:

    $ kubectl run az-cli --image=mcr.microsoft.com/azure-cli:2.53.0 --command sleep infinity

    Note:

    Access to Azure Key Vault is restricted to specific subnets. Passwords that are stored in Azure Key Vault can be easily updated from a pod running in AKS.

  2. Using exec, log in to the Azure CLI pod:

    $ kubectl exec -it az-cli -- /bin/ash

  3. From the Azure CLI pod, log in to the Azure account:

    $ az login --scope https://graph.microsoft.com//.default

  4. (Optional step) Create a Key Vault policy to allow the current user to retrieve the database credential. Keep a note of your resource group, key vault, and ID of the current user by using the following respective commands:
    • Resource group name:

      $ RESOURCE_GROUP=<resource_group_name>

    • Key Vault name:

      $ KEY_VAULT_NAME=$(az keyvault list --resource-group $RESOURCE_GROUP --resource-type vault | jq -r '.[].name')

    • Current user ID name:

      $ USER_ID=$(az account show | jq -r '.user.name')

    • Create a Key Vault access policy:

      $ az keyvault set-policy -n $KEY_VAULT_NAME --upn $USER_ID --resource-group $RESOURCE_GROUP --secret-permissions all

  5. Note the login name for the key vault (DBADMINUSER):

    $ DBADMINUSER=$(az keyvault secret show --vault-name $KEY_VAULT_NAME --name dbadminlogin | jq -r .value)

  6. Note the password for the Key Vault (OLD_DBADMINPASSWORD):

    $ OLD_DBADMINPASSWORD=$(az keyvault secret show --vault-name $KEY_VAULT_NAME --name dbadminpassword | jq -r .value)

  7. Note the server name (DBSERVER):

    $ DBSERVER=$(az postgres flexible-server list --resource-group $RESOURCE_GROUP | jq -r '.[].name')

  8. To set a new password, run the following commands:

    $ NEW_DBADMINPASSWORD="<new_password>"
    $ az postgres flexible-server execute -p $OLD_DBADMINPASSWORD -u $DBADMINUSER -n $DBSERVER -d postgres -q "ALTER USER \"nbdbadmin\" WITH PASSWORD '$NEW_DBADMINPASSWORD';"

    To re-encrypt the current password without changing it:

    $ az postgres flexible-server execute -p $OLD_DBADMINPASSWORD -u $DBADMINUSER -n $DBSERVER -d postgres -q "ALTER USER \"nbdbadmin\" WITH PASSWORD '$OLD_DBADMINPASSWORD';"

    Note:

    You can also reset the flexible server password using the following command, which can be run outside of the Azure CLI (az-cli) container:

    $ az postgres flexible-server update -g $RESOURCE_GROUP -n $DBSERVER --admin-password <password>

  9. To verify if the password uses the correct encryption method (SCRAM-SHA-256), run the command:

    $ az postgres flexible-server execute -p "<new_password>" -u $DBADMINUSER -n $DBSERVER -d postgres -q "SELECT * from azure_roles_authtype();"

    +---------------------------+-----------+
    | rolename                  | authtype  |
    |---------------------------+-----------|
    | azuresu                   | NOLOGIN   |
    | pg_database_owner         | NOLOGIN   |
    | pg_read_all_data          | NOLOGIN   |
    | pg_write_all_data         | NOLOGIN   |
    | pg_monitor                | NOLOGIN   |
    | pg_read_all_settings      | NOLOGIN   |
    | pg_read_all_stats         | NOLOGIN   |
    | pg_stat_scan_tables       | NOLOGIN   |
    | pg_read_server_files      | NOLOGIN   |
    | pg_write_server_files     | NOLOGIN   |
    | pg_execute_server_program | NOLOGIN   |
    | pg_signal_backend         | NOLOGIN   |
    | azure_pg_admin            | NOLOGIN   |
    | replication               | NOLOGIN   |
    | nbdbadmin                 | SCRAM-256 |
    +---------------------------+-----------+
    SELECT 15
    Time: 0.009s
  10. Store the updated password in the key vault using the command:

    $ az keyvault secret set --vault-name $KEY_VAULT_NAME --name dbadminpassword --value "<new_password>"

  11. (Optional step) Delete the Key Vault access policy that was created in step 4:

    $ az keyvault delete-policy -n $KEY_VAULT_NAME --upn $USER_ID

  12. Exit from the Azure CLI pod using the command:

    $ exit

  13. Delete the Azure CLI pod using the command:

    $ kubectl delete pod az-cli

  14. (Applicable only for an existing Veritas Cloud Scale deployment) Restart the primary pod using the command:

    $ kubectl rollout restart "statefulset/${PRIMARY}" --namespace "${NAMESPACE}"

    In the command:

    • NAMESPACE is the namespace containing your NetBackup deployment.

    • PRIMARY is the name of the primary pod's stateful set.

    To obtain the NAMESPACE and PRIMARY, use the command:

    $ kubectl get --namespace "${NAMESPACE}" primaryserver -o jsonpath='{.items[0].status.attributes.resourceName}'

For resetting the password for a containerized PostgreSQL database, refer to the section Changing database server password in DBaaS in the NetBackup™ Deployment Guide for Kubernetes Clusters.
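
As an added example (not part of the original guide or of NetBackup), the following shell helpers check a candidate password against the characters the note above forbids before it is used in step 8, and parse the step 9 table to confirm that a role reports SCRAM-256. The function names, the sample table and its legacyuser row are constructed for illustration.

```shell
#!/bin/sh
# Added example: hypothetical helper names, not part of NetBackup or the Azure CLI.

# Return 0 only if the candidate password is non-empty and contains none of
# the characters the DBaaS note forbids: = " ' % @ & ? _ #
password_is_allowed() {
    [ -n "$1" ] || { echo "empty password" >&2; return 1; }
    for c in '=' '"' "'" '%' '@' '&' '?' '_' '#'; do
        case "$1" in
            *"$c"*) echo "forbidden character: $c" >&2; return 1 ;;
        esac
    done
    return 0
}

# Read the table printed by "SELECT * from azure_roles_authtype();" on stdin
# and print the authtype of role $1 (prints nothing if the role is absent).
role_authtype() {
    awk -F'[|]' -v role="$1" '
        NF >= 4 {                      # data rows: | rolename | authtype |
            name = $2; auth = $3
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", auth)
            if (name == role) { print auth; exit }
        }'
}

# Succeed only if role $1 is listed with SCRAM-256 in the table on stdin.
role_uses_scram() {
    [ "$(role_authtype "$1")" = "SCRAM-256" ]
}

# Constructed sample in the layout of the step 9 output.
SAMPLE_TABLE='+------------+-----------+
| rolename   | authtype  |
|------------+-----------|
| azuresu    | NOLOGIN   |
| legacyuser | MD5       |
| nbdbadmin  | SCRAM-256 |
+------------+-----------+'
```

In the az-cli pod, pipe the output of the step 9 command into `role_uses_scram nbdbadmin` and check its exit status.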