[pgpool-committers: 2897] pgpool: Adding the mechanism to authenticate the watchdog IPC commands.

Muhammad Usama m.usama at gmail.com
Sat Dec 26 04:57:30 JST 2015 

Adding the mechanism to authenticate the watchdog IPC commands.

For the authentication purpose, the existing wd_authkey pgpool-II configuration
parameter is used. All clients communicating with pgpool-II watchdog process
needs to provide wd_authkey value for "IPCAuthKey" key in the JSON data of the
command.. Since the IPC is meant for communication between internal pgpool-II
processes and with external processes on the same machine, so instead of
calculating the hash and inventing a more complicated process of IPC
authentication, the simple wd_authkey matching is used to validate the clients.
And when the wd_authkey is not provided by the user in pgpool.conf than the
watchdog IPC authentication is disabled.

The commit also takes care of second related problem in the watchdog IPC system.
Since there are some functions visible over the watchdog IPC channel, we want to
restrict to the outer world. Like for example the interlocking command functions
and node failover related functions. So for these restricted functions, a new
shared key mechanism is created, This random value is initialized by watchdog at
startup and placed in the shared memory
(accessible only to  pgpool-II internal processes), And the execution of all these
restricted functions is only allowed if that shared key value is provided by the
caller in the function's JSON data. Since the shared key value is only visible
to local pgpool-II processes, so the technique ensures that only local pgpool-II
process can execute the restricted functions.

Branch
------
master

Details
-------
http://git.postgresql.org/gitweb?p=pgpool2.git;a=commitdiff;h=88fdc5f2f2df98b1c6b5e8785924c6a3eabd1aed

Modified Files
--------------
doc/pgpool-en.html                     |  36 +++---
src/auth/pool_auth.c                   |   1 +
src/include/watchdog/wd_ipc_commands.h |   4 +-
src/include/watchdog/wd_ipc_defines.h  |  11 ++
src/include/watchdog/wd_json_data.h    |   5 +-
src/watchdog/watchdog.c                | 207 +++++++++++++++++++++++++++++++--
src/watchdog/wd_commands.c             |  74 +++++++++---
src/watchdog/wd_json_data.c            |  27 ++++-
src/watchdog/wd_lifecheck.c            |   2 +-
9 files changed, 321 insertions(+), 46 deletions(-)

More information about the pgpool-committers mailing list