[Pgpool-general] Authentication method used for sr_check_password, health_check_password and recovery_password

Lazaro Rubén García Martinez lgarciam at vnz.uci.cu
Mon Nov 21 16:53:45 UTC 2011 

I configured pg_hba.conf like this:

#For recovery_user and health_check_user of pgpool
hostssl		postgres	pgpool		10.13.4.201/32				md5 
hostssl		template1	pgpool		10.13.4.201/32				md5

#For sr_check_user of pgpool
hostssl		postgres	sr_pgpool		10.13.4.201/32				trust
hostssl		template1	sr_pgpool		10.13.4.201/32				trust

The postgresql log file shows this error: 

LOG:  connection received: host=10.13.4.201 port=50640
LOG:  could not receive data from client: Connection reset by peer

The pgpoolAdmin tool doesn't  shows the information about master and standby nodes.

Please, I need configure the access from pgpool to postgreSQL through md5 authentication method, or other authentication method different of trust.

Is this possible with Pgpool-II??, because I tested it, in different ways and always these errors are shown.

pgpool.conf is configure like this:

*************************************************************
ssl = on
ssl_key = '/opt/pgpool/ssl/server.key'
ssl_cert = '/opt/pgpool/ssl/server.cert'

sr_check_user = 'sr_pgpool'
sr_check_password = ''

health_check_user = 'pgpool'
health_check_password = 'pgpool'

recovery_user = 'pgpool'
recovery_password = 'pgpool'

************************************************************

Regards and thank you very much for your time.

-----Mensaje original-----
De: Lazaro Rubén García Martinez 
Enviado el: lunes, 21 de noviembre de 2011 10:59
Para: Lazaro Rubén García Martinez; Guillaume Lelarge
CC: pgpool-general at pgfoundry.org
Asunto: RE: [Pgpool-general] Authentication method used for sr_check_password, health_check_password and recovery_password

Continuing with this thread, I have some doubt about using SSL connections with pgpool and postgreSQL, my pg_hba.conf have this configuration at this moment:

hostssl		postgres	pgpool		10.13.4.201/32				trust
hostssl		template1	pgpool		10.13.4.201/32				trust
hostssl		postgres	sr_pgpool		10.13.4.201/32				trust
hostssl		template1	sr_pgpool		10.13.4.201/32				trust

But in the postgreSQL log file, this error is shows:

LOG:  connection received: host=10.13.4.201 port=50423
LOG:  connection received: host=10.13.4.201 port=50424
LOG:  connection authorized: user=sr_pgpool database=postgres
LOG:  connection authorized: user=sr_pgpool database=postgres
LOG:  statement: SELECT pg_is_in_recovery()
LOG:  statement: SELECT pg_current_xlog_location()
LOG:  disconnection: session time: 0:00:00.092 user=sr_pgpool database=postgres host=10.13.4.201 port=50424
LOG:  disconnection: session time: 0:00:00.096 user=sr_pgpool database=postgres host=10.13.4.201 port=50423
LOG:  connection received: host=10.13.4.201 port=50426
FATAL:  no pg_hba.conf entry for host "10.13.4.201", user "pgpool", database "postgres", SSL off
LOG:  connection received: host=10.13.4.201 port=50428
LOG:  connection authorized: user=sr_pgpool database=postgres
LOG:  statement: SELECT pg_is_in_recovery()
LOG:  disconnection: session time: 0:00:00.048 user=sr_pgpool database=postgres host=10.13.4.201 port=50428
LOG:  connection received: host=10.13.4.201 port=50432
LOG:  connection authorized: user=pgpool database=template1
LOG:  statement: SELECT pg_is_in_recovery()
LOG:  disconnection: session time: 0:00:00.053 user=pgpool database=template1 host=10.13.4.201 port=50432

Why pgpool can connect to the database template1, and not to postgres database?

In what case pgpool connects to database postgres and in what case connects to template1 database?

Regards.

-----Mensaje original-----
De: pgpool-general-bounces at pgfoundry.org [mailto:pgpool-general-bounces at pgfoundry.org] En nombre de Lazaro Rubén García Martinez
Enviado el: domingo, 20 de noviembre de 2011 06:43
Para: Guillaume Lelarge
CC: pgpool-general at pgfoundry.org
Asunto: Re: [Pgpool-general] Authentication method used for sr_check_password, health_check_password and recovery_password

I am agree with you, but if it is not a bug, what is the purpose for having sr_sheck_password property in pgpool.conf file?.

I think this property can confuse pgpool's users, for this reason I propose -1.

If you understand that this feature should be present in Pgpool 3.2, I will agree with you too.

Regards.
________________________________________
De: Guillaume Lelarge [guillaume at lelarge.info]
Enviado el: domingo, 20 de noviembre de 2011 17:58
Para: Lazaro Rubén García Martinez
CC: Tatsuo Ishii; pgpool-general at pgfoundry.org
Asunto: RE: [Pgpool-general] Authentication method used for sr_check_password, health_check_password and recovery_password

On Sun, 2011-11-20 at 17:24 -0430, Lazaro Rubén García Martinez wrote:
> I think this feature is very important, because having  trust acces in pg_hba.conf is not a good idea.

I understand that and I agree with you. The problem is not on the
feature itself, but on which release it should be delivered. If the
feature is really urgent to get out there, then we should release 3.2
quickly. We shouldn't put it in 3.1.whatever because 3.1.whatever could
get out before 3.2.

Minor releases shouldn't change behaviour apart from bugfixes. That's an
important part of the trust you can have in a software. If we start to
add features on bugfix releases, many people will stop doing minor
updates on pgpool, afraid of bugs which might be included with new
features. I know I'll do if this will happen, and I won't encourage my
customers to upgrade their pgpool.

So, definite +1 to add this feature to pgpool, +1 to add it to 3.2, -1
to add it as a bugfix in 3.1.1. It definitely is not a bugfix.


--
Guillaume
  http://blog.guillaume.lelarge.info
  http://www.dalibo.com

_______________________________________________
Pgpool-general mailing list
Pgpool-general at pgfoundry.org
http://pgfoundry.org/mailman/listinfo/pgpool-general

More information about the Pgpool-general mailing list