PostgreSQL
PostgreSQL is an available database provider which is more powerful and performant than SQLite.
You must provide your own Postgres server which will likely be a separate box from your Posit Connect server (but not required). We currently support any version from 13.x up through 16.x. Your Postgres server does not have to be dedicated to Posit Connect, but it must have its own dedicated database.
Configure the Database.Provider
as postgres
for Posit Connect to use a PostgreSQL database rather than the default SQLite database. The Postgres.URL
setting is the fully-qualified connection URL for your Postgres server.
; /etc/rstudio-connect/rstudio-connect.gcfg
[Database]
Provider = postgres
[Postgres]
URL = "postgres://username:password@db.seed.co/connect"
The user credentials can be included in the Postgres.URL
URL - remember to URL-encode any special characters in the username or password. We recommend using Postgres.Password
to avoid using a bare password in your configuration file. Examples using Postgres.Password
are found in the Passwords section.
Connect does not support the use of IAM instance profiles or other types of machine identity credentials for PostgreSQL or other secrets. While the use of machine identity-based credentials is recommended over storing long-lived encrypted secrets on disk, this pattern weakens the overall security model of Connect because any credentials that are scoped to a VM or container could be accessible to content deployed to Connect and used to retrieve secrets stored in external services or sensitive data written by Connect into the database.
The user credentials supplied in the Postgres.URL
URL must be able to create and alter database tables, in addition to read/write permissions in the database referenced as the path of the URL. A blank database with the given name MUST already exist.
SSL
Posit Connect assumes by default that SSL is enabled on the Postgres server. If SSL is not enabled on your Postgres database, add ?sslmode=disable
to the Postgres.URL
.
Here is an example configuration using a Postgres database with SSL connections:
; /etc/rstudio-connect/rstudio-connect.gcfg
[Database]
Provider = postgres
[Postgres]
URL = "postgres://username:password@db.seed.co/connect"
Here is an example configuration using a Postgres database without SSL connections:
; /etc/rstudio-connect/rstudio-connect.gcfg
[Database]
Provider = postgres
[Postgres]
URL = "postgres://username:password@db.seed.co/connect?sslmode=disable"
Schemas
If you need to, you can tell Connect to restrict itself to keeping its tables within a specific schema. You control this by giving PostgreSQL a search path as part of the URL by adding options=-csearch_path=<schema-name>
to the URL. If it’s the only item you’re adding, separate it from the rest of the URL with ?
(just like the sslmode
item above). Otherwise, separate it from other items with ‘&’.
Here is an example configuration that specifies a schema to use, with SSL:
; /etc/rstudio-connect/rstudio-connect.gcfg
[Database]
Provider = postgres
[Postgres]
URL = "postgres://username:password@db.seed.co/connect?options=-csearch_path=connect_schema"
Here is an example configuration that specifies a schema to use, with SSL disabled:
; /etc/rstudio-connect/rstudio-connect.gcfg
[Database]
Provider = postgres
[Postgres]
URL = "postgres://username:password@db.seed.co/connect?sslmode=disable&options=-csearch_path=connect_schema"
Posit Connect will refuse to start when given a schema that does not already exist. The schema must be owned by the connecting user or by a group that contains the connecting user.
Operational Metrics
Operational metrics generated by Posit Connect can be written to a separate PostgreSQL database. See the Operational Metrics section for details.
By default, instrumentation events will be written to the same database. Use Postgres.InstrumentationURL
to use a separate database.
; /etc/rstudio-connect/rstudio-connect.gcfg
[Postgres]
URL = "postgres://username:password@db.seed.co/connect"
InstrumentationURL = "postgres://username:password@db.seed.co/connect_instrumentation"
Passwords
When your PostgreSQL connection URL requires a password, use Postgres.Password
with an encrypted value to avoid credential leakage. See more about encrypted settings, how to encrypt secrets like passwords, and using them in your configuration file in the Property Types configuration appendix.
We do not recommend embedding passwords directly in the Postgres.URL
connection URL setting.
Posit Connect uses Postgres.Password
when connecting to your PostgreSQL database. Do not percent-encode your Postgres.Password
value. If necessary, Connect will encode your password when it is combined with the Postgres.URL
.
Passwords included directly in Postgres.URL
need to have special characters percent-encoded. The set of characters that must be encoded within the user information component of a URL can be found in Section 3.2.1 of RFC 3986.
Here is a sample configuration using a PostgreSQL connection URL with a username and a separate, encrypted password.
; /etc/rstudio-connect/rstudio-connect.gcfg
[Postgres]
URL = "postgres://username@db.seed.co/connect"
Password = <encrypted, Base64-encoded password value>
The historical database connection URL can also be used with an encrypted password. Use Postgres.InstrumentationPassword
to provide the password associated with the connection URL Postgres.InstrumentationURL
.
Here is a sample configuration that has two separate Postgres URLs; one for the primary database and one for the historical database. Both connection URLs have separate, encrypted passwords.
; /etc/rstudio-connect/rstudio-connect.gcfg
[Postgres]
URL = "postgres://username@db.seed.co/connect"
Password = <encrypted, Base64-encoded password value>
InstrumentationURL = "postgres://username@db.seed.co/connect_instrumentation"
InstrumentationPassword = <encrypted, Base64-encoded password value>
SSL certificate authentication
SSL certificate authentication for the PostgreSQL database can be used with Posit Connect. To use certificate authentication, you must configure your PostgresSQL server for SSL connections and authentication. See the official PostgreSQL Certificate Authentication documentation for more information.
Once your certificates are set up with PostgreSQL, the connection URL needs to include sslcert
, sslkey
, and sslrootcert
parameters.
; /etc/rstudio-connect/rstudio-connect.gcfg
[Postgres]
URL = "postgres://username@db.seed.co/connect?sslcert=/etc/ssl/certs/postgresql/postgresql.crt&sslkey=/etc/ssl/certs/cacert/postgresql/postgresql.key&sslrootcert=/etc/ssl/certs/cacert/postgresql/root.crt"
The cn
(Common Name) attribute of the certificate is compared to the requested database user name in Postgres.URL
, and if they match the login is allowed.
If they don’t match, you can specify a map
in pg_ident.conf
to map cns and usernames, for example:
# pg_ident.conf
posit-connect your-common-name postgres-username
You can then update pg_hba.conf
to reference the map created above:
# pg_hba.conf
hostssl all all 0.0.0.0/0 cert map=posit-connect
For more information, see the PostgreSQL User Name Maps documentation.