[Pgpool-general] MD5 authentication in "raw mode"

Tue Nov 25 12:29:39 UTC 2008

Hello,

I'm trying to set up a "warm standy" system using pgpool in raw mode. 
The (two) backends are set up using md5 authentication in pg_hba.conf. 
Connecting to the initial master backend works like a charm. However, 
once failover takes place, the client cannot connect to the second 
backend. It fails with the error message:

"psql: ERROR:  MD5 authentication is unsupported in replication, 
master-slave and parallel modes."

Strange, because pgpool is not running in either replication, 
master-slave or parallel modes:

duco at debian1:/usr/local/etc$ grep '_mode' pgpool.conf
replication_mode = false
# are load balanced.  This is ignored if replication_mode is false.
load_balance_mode = false
master_slave_mode = false
parallel_mode = false

I tried pgpool-II version 1.3.? (as included in Debian), version 2.01 
and version 2.1 (compiled from original source).

What puzzled me was that md5 authenticated session do succeed when 
connecting to the master, while it fails connecting to the failover 
server. I would have expected either both or none succeeding.

Looking at the source (version 2.01), I noticed something strange. The 
error message itself seems to orginate from the following fragment:

***** pool_auth.c:
		if (NUM_BACKENDS > 1)
		{
			pool_send_error_message(frontend, protoMajor, AUTHFAIL_ERRORCODE,
									"MD5 authentication is unsupported in replication, master-slave 
and parallel modes.",
									"",
									"check pg_hba.conf",
									__FILE__, __LINE__);
			return -1;
		}
*****

The error conditions is trigged by "NUM_BACKEND > 1". This seems to me a 
weaker condition than "replication, master_slave or parallel mode" as it 
should be possible to use more than one backend in raw mode, too.

Still it works before failover takes place. To find out why, I searched 
for the definition of NUM_BACKENDS:

***** pool.h:

#define NUM_BACKENDS (in_load_balance? (selected_slot+1) : \
					  (((!REPLICATION && !PARALLEL_MODE) && !MASTER_SLAVE)? 
Req_info->master_node_id+1: \
					   pool_config->backend_desc->num_backends))
*****

This at least explains the difference in results connection to the 
master and the failover server. From what I understand of #define 
NUM_BACKENDS, until failover takes places, NUM_BACKEND == 1 (we are not 
in_load_balance and not in REPLICATION, PARALLEL_MODE or MASTER_SLAVE, 
so NUM_BACKEND == Req_info->master_node + 1 == 0 + 1 == 1). After 
failover, NUM_BACKEND == Req_info->master_node + 1 == 1 + 1 == 2.

These values definitely do not correspond to my intuition with 
"NUM_BACKENDS".

Is this a bug in pgpool-II or am I trying to accomplish something that 
is not possible. I definitely would not like to use plain text passwords 
for authentication, especially because SSL does not seems to be 
supported while connection through pgpool.

Greetings,

Duco