[Pgpool-general] authentication problems

Daniel Codina dcodina at laigu.net
Tue Apr 13 12:33:45 UTC 2010


Thanks again Christophe,

I think I had this mix you talk about with the pool_hba.conf and pg_hba.conf
... anyway, now I understand it, and I think it still does not work. Here I
describe what I do, first a configuration which works, and then the one I
would like, but that does not work.

1) WORKING CONFIGURATION: (pgpool is in 192.168.1.30)

#cat pool_hba.conf
local   all  all   trust
host    all postgres 192.168.1.30/32 trust

in both backends
#cat pg_hba.conf
local   all  all   trust
host    all postgres 192.168.1.30/32 trust

This configuration works great in all cases. But is clearly insecure.


2) NOT WORKING CONFIGURATION: (pgpool is in 192.168.1.30)
#cat pool_hba.conf
local   all  all   trust
host    all postgres 192.168.1.30/32 trust
host    all postgres 192.168.1.31/32 trust

in both backends
#cat pg_hba.conf
local   all  all   trust
host    all postgres 192.168.1.30/32 password

Replication works fine. Can connect to pgpool and SELECT or INSERT...

When I do:
#pcp_recovery_node -d 5 192.168.1.30 9898 postgres "pass" 1
DEBUG: send: tos="R", len=46
DEBUG: recv: tos="r", len=21, data=AuthenticationOK
DEBUG: send: tos="D", len=6
DEBUG: recv: tos="e", len=20, data=recovery failed
DEBUG: command failed. reason=recovery failed
BackendError
DEBUG: send: tos="X", len=4


And pgpool says:
2010-04-13 12:58:23 DEBUG: pid 3471: pcp_child: start online recovery
2010-04-13 12:58:23 LOG:   pid 3471: starting recovering node 1
2010-04-13 12:58:23 ERROR: pid 3471: start_recover: could not connect master node.
2010-04-13 12:58:23 DEBUG: pid 3465: starting health checking
2010-04-13 12:58:23 DEBUG: pid 3465: health_check: 0 th DB node status: 1
2010-04-13 12:58:23 DEBUG: pid 3465: health_check: 1 th DB node status: 3
2010-04-13 12:58:23 DEBUG: pid 3471: pcp_child: received PCP packet type of service 'X'
2010-04-13 12:58:23 DEBUG: pid 3471: pcp_child: client disconnecting. close connection
2010-04-13 12:58:24 DEBUG: pid 3465: starting health checking
2010-04-13 12:58:24 DEBUG: pid 3465: health_check: 0 th DB node status: 1
2010-04-13 12:58:24 DEBUG: pid 3465: health_check: 1 th DB node status: 3



As I understand, in pool_hba.conf it is possible to authenticate just with
trust or PAM...
Having it in trust, and letting pg_hba.conf authenticate with password, it
works fine,... but not with pcp_recovery_node as it is not asking for
password.



2010/4/13 Christophe Philemotte <christophe.philemotte at apreco.be>

> > In my configuration I have enabled the "enable_pool_hba" option, and, in
> > "pool_hba.conf" I have all the IPs in trusted authentication mode (it can
> > just be trust, reject or PAM).
> > In my "pg_hba.conf" file, I have those same IPs but, this time, in
> > "password" authentication mode.
>
> I think you mix up the meaning of the pool_hba and pg_hba fields.
>
> The pool_hba allows you to setup authentication between the client and
> pgpool. And the pg_hba allows you to setup authentication between the
> client and the postgresql, but this time the client could be pgpool.
>
> So, in pg_hba.conf, you have to put the IP of your pgpool, not your client
> (except if you want clients to be able to connect directly to your backend).
>
> > That works perfectly in replication, so, connection is perfectly
> > possible.
> It depends on your whole setup. Could you send the files to check them?
>
> > In my pcp.conf I have an md5 password configured.
> >
> > If a node falls and I try:
> > pcp_recovery_node -d 5 pgpool_host port user password 1
> In the recovery process, the last step is to remotely start the
> resynchronized backend. Are you sure that the start command is properly
> sent to it? Is your ssh key sharing set up properly?
>
> Have you logged the actions made by your recovery scripts? It is a good
> information source to debug what exactly happens.
>
> > It drops the message I told...
> > As I understand, the password in the recovery command must be the one
> > MD5ed in pcp.conf, isn't it?
> yes, it is.
>
> > which can be or can't be the same in PostgreSQL database?
> It is a password to access the administration control interface of
> pgpool.  So, it could be whatever you want and set up in pcp.conf.
>
> > or, the password in pcp.conf MUST be the MD5ed PostgreSQL
> > password?
> No, there is no obligation.
>
> regards,
>
> christophe
>
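
Added example (not part of the original thread and not pgpool code): a small Python audit of the two-hop chain described above, client to pgpool via pool_hba.conf and pgpool to backend via pg_hba.conf, run over the rule lines of the "not working" configuration. It assumes pool_hba.conf is matched first-record-wins like pg_hba.conf and ignores the database column; the function names and the choice of 192.168.1.31 as the client are assumptions.

```python
import ipaddress

# Constructed from the post's "not working" configuration (rule lines only).
POOL_HBA = """local all all trust
host all postgres 192.168.1.30/32 trust
host all postgres 192.168.1.31/32 trust"""
PG_HBA = """local all all trust
host all postgres 192.168.1.30/32 password"""

# "trust" skips authentication; "password" sends the password unencrypted.
RISK = {"trust": "no authentication", "password": "cleartext password on the wire"}

def parse_hba(text):
    """Return the host* records of an hba file as (user, network, method)."""
    rules = []
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()
        if len(f) < 5 or not f[0].startswith("host"):
            continue                      # blank, comment, or "local" record
        addr, rest = f[3], f[4:]
        if "/" not in addr and len(rest) > 1 and rest[0][0].isdigit():
            addr, rest = addr + "/" + rest[0], rest[1:]   # "IP MASK" form
        try:
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            continue                      # host names/keywords: out of scope here
        rules.append((f[2], net, rest[0]))
    return rules

def first_match(rules, ip, user):
    """Method of the first record matching ip and user, or None (rejected)."""
    ip = ipaddress.ip_address(ip)
    for rule_user, net, method in rules:
        if ip.version == net.version and ip in net and rule_user in ("all", user):
            return method
    return None

def audit(pool_hba, pg_hba, client_ip, pgpool_ip, user):
    """Authentication method applied on each hop of client -> pgpool -> backend."""
    hops = {"client->pgpool": first_match(parse_hba(pool_hba), client_ip, user),
            "pgpool->backend": first_match(parse_hba(pg_hba), pgpool_ip, user)}
    return {hop: (m, RISK.get(m, "")) for hop, m in hops.items()}

if __name__ == "__main__":
    for hop, (method, risk) in audit(POOL_HBA, PG_HBA, "192.168.1.31",
                                     "192.168.1.30", "postgres").items():
        print(f"{hop:16} {method or 'rejected':9} {risk}")
```

A method of None for a hop means no host record matched that source address, so the connection would be rejected at that hop.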