Move NEON_AUTH_TOKEN to a builtin GUC

tristan957 · tristan957 · commit 7cd28958ecd6 · 2025-12-01T19:20:56.000-06:00
This environment variable is used as the password to connect to another
postgres instance as the walreceiver. The purpose of moving to a GUC is
so that we can reload the storage auth token periodically.

Signed-off-by: Tristan Partin &lt;tristan.partin@databricks.com&gt;
diff --git a/src/backend/replication/libpqwalreceiver/libpqwalreceiver.c b/src/backend/replication/libpqwalreceiver/libpqwalreceiver.c
@@ -136,7 +136,6 @@ libpqrcv_connect(const char *conninfo, bool logical, bool must_use_password,
 /* BEGIN_NEON */
 	const char *keys[7];
 	const char *vals[7];
-	char * neon_auth_token = NULL;
 /* END_NEON */
 	int			i = 0;
 
@@ -159,16 +158,14 @@ libpqrcv_connect(const char *conninfo, bool logical, bool must_use_password,
 /* BEGIN_NEON */
 	if (pg_strcasecmp(appname, "walreceiver") == 0)
 	{
-		neon_auth_token = getenv("NEON_AUTH_TOKEN");
-		if (neon_auth_token != NULL)
+		if (neon_storage_auth_token[0] != '\0')
 		{
-			elog(LOG, "Use NEON_AUTH_TOKEN to connect");
 			keys[++i] = "password";
-			vals[i] = neon_auth_token;
+			vals[i] = neon_storage_auth_token;
 		}
 		else
 		{
-			elog(LOG, "NEON_AUTH_TOKEN is undefined in the environment");
+			elog(LOG, "no storage authentication token set");
 		}
 	}
 /* END_NEON */
diff --git a/src/backend/replication/walreceiver.c b/src/backend/replication/walreceiver.c
@@ -90,6 +90,7 @@
 int			wal_receiver_status_interval;
 int			wal_receiver_timeout;
 bool		hot_standby_feedback;
+char	   *neon_storage_auth_token;
 
 /* libpqwalreceiver connection */
 static WalReceiverConn *wrconn = NULL;
diff --git a/src/backend/utils/misc/guc_tables.c b/src/backend/utils/misc/guc_tables.c
@@ -66,6 +66,7 @@
 #include "replication/logicallauncher.h"
 #include "replication/slot.h"
 #include "replication/syncrep.h"
+#include "replication/walreceiver.h"
 #include "storage/bufmgr.h"
 #include "storage/large_object.h"
 #include "storage/pg_shmem.h"
@@ -4639,6 +4640,18 @@ struct config_string ConfigureNamesString[] =
 		check_restrict_nonsystem_relation_kind, assign_restrict_nonsystem_relation_kind, NULL
 	},
 
+
+	{
+		{"neon_storage_auth_token", PGC_SUSET, REPLICATION_STANDBY,
+			"Authentication token for Neon storage",
+			NULL,
+			GUC_SUPERUSER_ONLY
+		},
+		&neon_storage_auth_token,
+		"",
+		NULL, NULL, NULL
+	},
+
 	/* End-of-list marker */
 	{
 		{NULL, 0, 0, NULL, NULL}, NULL, NULL, NULL, NULL, NULL
diff --git a/src/include/replication/walreceiver.h b/src/include/replication/walreceiver.h
@@ -30,6 +30,7 @@
 extern PGDLLIMPORT int wal_receiver_status_interval;
 extern PGDLLIMPORT int wal_receiver_timeout;
 extern PGDLLIMPORT bool hot_standby_feedback;
+extern PGDLLIMPORT char *neon_storage_auth_token;
 
 /*
  * MAXCONNINFO: maximum size of a connection string.

Original file line number	Diff line number	Diff line change
`@@ -136,7 +136,6 @@ libpqrcv_connect(const char *conninfo, bool logical, bool must_use_password,`
`136`	`136`	`/* BEGIN_NEON */`
`137`	`137`	`const char *keys[7];`
`138`	`138`	`const char *vals[7];`
`139`		`- char * neon_auth_token = NULL;`
`140`	`139`	`/* END_NEON */`
`141`	`140`	`int i = 0;`
`142`	`141`
`@@ -159,16 +158,14 @@ libpqrcv_connect(const char *conninfo, bool logical, bool must_use_password,`
`159`	`158`	`/* BEGIN_NEON */`
`160`	`159`	`if (pg_strcasecmp(appname, "walreceiver") == 0)`
`161`	`160`	`{`
`162`		`- neon_auth_token = getenv("NEON_AUTH_TOKEN");`
`163`		`- if (neon_auth_token != NULL)`
	`161`	`+ if (neon_storage_auth_token[0] != '\0')`
`164`	`162`	`{`
`165`		`- elog(LOG, "Use NEON_AUTH_TOKEN to connect");`
`166`	`163`	`keys[++i] = "password";`
`167`		`- vals[i] = neon_auth_token;`
	`164`	`+ vals[i] = neon_storage_auth_token;`
`168`	`165`	`}`
`169`	`166`	`else`
`170`	`167`	`{`
`171`		`- elog(LOG, "NEON_AUTH_TOKEN is undefined in the environment");`
	`168`	`+ elog(LOG, "no storage authentication token set");`
`172`	`169`	`}`
`173`	`170`	`}`
`174`	`171`	`/* END_NEON */`