Fixing Postgres so that similaritySearchVectorWithScore actually connects via TLS/SSL when specified #1677
Conversation
…archVectorWithScore function actually connects to Postgres via TLS/SSL when specified in the additionalConfig.
| @@ -253,7 +253,8 @@ const similaritySearchVectorWithScore = async ( | |||
| port: postgresConnectionOptions.port, | |||
| user: postgresConnectionOptions.username, | |||
| password: postgresConnectionOptions.password, | |||
| database: postgresConnectionOptions.database | |||
| database: postgresConnectionOptions.database, | |||
| ssl: postgresConnectionOptions.extra?.ssl | |||
There was a problem hiding this comment.
Can we use the ... additionalConfig? Instead of just ssl
There was a problem hiding this comment.
@HenryHengZJ , so additionalConfiguration isn't accessible within the similaritySearchVectorWithScore function, because it was never passed nodeData.
I understand that you're trying to make poolOptions appear similar in function to postgresConnectionOptions, but it is hard to recreate that because the function doesn't have all the inputs it needs to access additionalConfiguration.
I'm open to an alternative solution here, but could you give me a clearer idea of what you're proposing instead?
There was a problem hiding this comment.
One alternative would be to structure the poolOptions declaration like this, instead:
const poolOptions = {
...postgresConnectionOptions,
host: postgresConnectionOptions.host,
port: postgresConnectionOptions.port,
user: postgresConnectionOptions.username,
password: postgresConnectionOptions.password,
database: postgresConnectionOptions.database,
ssl: postgresConnectionOptions.extra?.ssl || postgresConnectionOptions.ssl,
}
^ @HenryHengZJ , does this work for you and satisfy your original intent?
There was a problem hiding this comment.
hmm im not sure if this works, but can we just get rid of the poolOptions and just do const pool = new Pool(postgresConnectionOptions) ? because postgresConnectionOptions already contains all the configs, so we don't have to redeclare the options again with poolOptions
There was a problem hiding this comment.
@HenryHengZJ , sure, but there's one catch with that approach: pg Pool expects all the ssl settings to be nested within the ssl key and not under extra.ssl. Here's some example code that illustrates how to do this:
let postgresConnectionOptions = {
host: 'localhost',
port: 5432,
user: 'youruser',
password: 'yourpassword',
database: 'yourdatabase',
ssl: true,
extra: {
ssl: {
rejectUnauthorized: false,
ca: "<your_self_signed_cert_name>"
}
}
}
if (postgresConnectionOptions.extra?.ssl) {
postgresConnectionOptions.ssl = {
...postgresConnectionOptions.ssl,
...postgresConnectionOptions.extra.ssl
};
delete postgresConnectionOptions.extra;
}
const pool = new Pool(postgresConnectionOptions);
There was a problem hiding this comment.
@HenryHengZJ , that works. To be crystal clear, would the new logic expect additionalConfig to look like:
Keeping the extra field (where we still have to deal with cleaning this up before passing it through to pg):
{
"ssl": true,
"extra": {
"ssl": {
"rejectUnauthorized": false,
"ca": "<your_self_signed_cert_name>"
}
}
}
OR would it look like this, in not keeping the extra field (and we pass it straight through to pg):
{
"ssl": true
}
{
"ssl": {
"rejectUnauthorized": false,
"ca": "<your_self_signed_cert_name>"
}
}
What are you thinking here, @HenryHengZJ ?
There was a problem hiding this comment.
it will be up to user responsibility to add the extra field in the additionalConfig when needed. The SSL thing is tricky, some works with extra, some doesnt, some with boolean, some with cert. So the best way is to let user specify on their own and we just parsed the JSON
There was a problem hiding this comment.
@HenryHengZJ , okay, sounds good. Shall I proceed with the refactor on this PR, then?
All of these changes will be Postgres-specific and not apply to any other vector stores, correct?
There was a problem hiding this comment.
@HenryHengZJ , okay, I'm testing my fix and will update the PR once all tests have passed.
Keep in mind, this change will break any existing Flowise deployments that previously had ssl.extra.ssl settings defined in their additionalConfig. The workaround is to collapse their settings from ssl.extra.ssl to just ssl, accordingly.
You may want to put that guidance in the upcoming release notes, once this PR has been merged. FYI.
… consistency in how every function connects with Postgres in the same manner.
…Pool expects it to be 'user'. Need to populate both to avoid error messages.
…atflows that used TLS/SSL. This will help users remind them to upgrade their corresponding nodes.
|
Okay, @HenryHengZJ , the fixes appear to pass all my local tests -- both upserts and vector search is working correctly with TLS/SSL where I now have the following I did bump the version of this node, because it will help remind users that they need to upgrade their node -- especially if they had TLS/SSL enabled. Again, I'd recommend adding something like the following to the upcoming release nodes that will contain this PR: Postgres Vector Store Changes (v3.0):
Let me know if you have any other comments or questions about these fixes. |
|
yep we definitely need to document it down to the docs page. thanks @dkindlund ! |
Hey @HenryHengZJ, as a follow up to this comment:
#1107 (comment)
The core bug currently is:
additionalConfigsettings (see below)similaritySearchVectorWithScorefunction for comparisons, those connections will fail because the node attempts to connect to the Postgres DB in the clear (not using TLS/SSL) -- even though the settings were specified inadditionalConfigHere's a PR that covers the bugfix for getting the Postgres vectorstore node to actually talk to the DB via TLS/SSL all the time. Previously, if you specified the
additionalConfigof:While those settings were getting correctly used by the
postgresConnectionOptionsfor record upserts, NONE of the TLS/SSL settings were actually getting propagated down to thepoolOptionsparameter in thesimilaritySearchVectorWithScorefunction.This PR fixes that mismatch. I've been testing this for a couple of days now and it seems to work for me. Let me know if you have any additional questions.