[Pgpool-general] md5 Authentication problem
Tatsuo Ishii
ishii at sraoss.co.jp
Tue Sep 9 03:57:05 UTC 2008
> > How can we use slave servers without authenticating them?
> > --
> > Tatsuo Ishii
> > SRA OSS, Inc. Japan
>
> Right, good question, there are 2 issues that are not clear to me
>
> 1) pgpool connections to nodes
>
> Right now the PostgreSQL servers (slave or master) need to trust pgpool
> connections:

Not really. You can use password (clear password) and ident auth as
well.

> host all all 198.168.10.2/32 trust
> host all all xx.xx.xx.24/32 trust
>
> 198.168.0.1 = pgpool 1 IP
> xx.xx.xx.24 = pgpool 2 IP
>
> Couldn't pgpool II be able to connect to nodes in the cluster with md5 auth
> and keep the connections alive?

No.

> 2) client connections to pgpool
> My comment was more about pool_hba.conf, the auth could then always
> be relayed to the first available master.

Again, auth should be relayed to not only the master but also slaves.

> I currently set enable_pool_hba=false and instead use firewall rules to
> control who can access pgpool.
> But having something like:
> pool_hba=relay (auth sent to first master)
> pool_hba=native (enable_pool_hba=true)

This is interesting but in this case the auth method (pgpool ->
PostgreSQL) should be trust.

> pool_hba=off (enable_pool_hba=false)
>
> Would seem very helpful, but that depends on the use cases out there,
> And the magic 'relay' would probably require a lot of work
>
> Hope that was clear enough and makes sense with the pgpool architecture

--
Tatsuo Ishii
SRA OSS, Inc. Japan
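
Added example, not part of the original message and not pgpool or PostgreSQL code: a model of why a single md5 answer cannot be relayed to both master and slave while a cleartext password can. It relies on PostgreSQL's md5 scheme (response = "md5" + md5(md5(password + user) + salt), with a random 4-byte salt per connection); the `Backend` class, the relay functions, and the user/password values are constructed for illustration.

```python
import hashlib
import hmac
import os

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def stored_verifier(user: str, password: str) -> str:
    # PostgreSQL's stored form for md5 roles: "md5" + md5(password || username)
    return "md5" + md5_hex(password.encode() + user.encode())

def client_md5_response(user: str, password: str, salt: bytes) -> str:
    # What a client sends back for an md5 challenge carrying a 4-byte salt
    return "md5" + md5_hex(stored_verifier(user, password)[3:].encode() + salt)

class Backend:
    """Constructed stand-in for one PostgreSQL node (not pgpool or server code)."""
    def __init__(self, name, user, password, salt=None):
        self.name, self.user = name, user
        self.verifier = stored_verifier(user, password)
        # Each node picks its own random salt per connection
        self.salt = salt if salt is not None else os.urandom(4)

    def check_md5(self, response: str) -> bool:
        expected = "md5" + md5_hex(self.verifier[3:].encode() + self.salt)
        return hmac.compare_digest(expected, response)

    def check_cleartext(self, password: str) -> bool:
        return hmac.compare_digest(stored_verifier(self.user, password), self.verifier)

def relay_md5(backends, user, password):
    # Hypothetical relay: the client sees only the first node's challenge,
    # and its single answer is forwarded to every node.
    response = client_md5_response(user, password, backends[0].salt)
    return {b.name: b.check_md5(response) for b in backends}

def relay_cleartext(backends, password):
    # A cleartext password carries no per-node salt, so one answer fits all nodes
    return {b.name: b.check_cleartext(password) for b in backends}

if __name__ == "__main__":
    nodes = [Backend("master", "app", "s3cret"), Backend("slave", "app", "s3cret")]
    print("md5 relay:      ", relay_md5(nodes, "app", "s3cret"))
    print("cleartext relay:", relay_cleartext(nodes, "s3cret"))
```

The `password` method sends the password unencrypted, so the client-to-pgpool and pgpool-to-node links need TLS or a trusted network.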