Change the Postgres Database Password

JFrog Installation & Setup Documentation
Content Type
Installation & Setup

Security best practices require regular, periodic password changes. This section describes how to change the Postgres database password - while maintaining uninterrupted service connection to the database, with no downtime.

For simplicity this topic uses the Artifactory product and a database named artifactory as examples. Perform this general procedure for Xray and other JFrog products and services that use a Postrgres database.

Complete the entire procedure with the same version of the JFrog product.

To update the password for the database user:

  1. Log in to the Postgres server with the existing database user credentials (in our examples: user and pwd_old).

  2. Create a temporary user with full privileges in the artifactory database:

    CREATE USER user_tmp in group artifactory PASSWORD 'pwd_tmp';

  3. For each instance of the Artifactory service that uses this Postgres database, perform the following:

    1. In the database: section of the Artifactory system.yaml file, change the username and password to the temporary credentials you created in the previous step (user_tmp and pwd_tmp).

    2. Restart the service.

    The Artifactory service accesses the database with the temporary credentials.

  4. Query the server for database activity that uses the original JFrog user:

    SELECT count(1) FROM pg_stat_activity
WHERE datname = 'artifactory' AND usename = 'user';

    If there is activity, wait for the connections to finish.

  5. Change the password of the permanent user to its new value:

    ALTER USER user WITH PASSWORD 'new_pwd';

  6. For each instance of the Artifactory service that uses this database, perform the following:

    1. In the database: section of the Artifactory system.yaml file:

      Change the username from user_tmp back to the permanent value user.

      Change the password pwd_tmp to the new_pwd you defined in the previous step.

    2. Restart the service.

    The Artifactory service uses the original user and the new password to access the database.

  7. Query the server for database activity by the temporary user:

    SELECT count(1) FROM pg_stat_activity
WHERE datname = 'artifactory' AND usename = 'user_tmp';

    If there is any activity, wait for the connections to finish.

  8. Remove the temporary artifactory user from the database.

    DROP USER user_tmp;