[Pgpool-general] Authentication method used for sr_check_password, health_check_password and recovery_password

Lazaro Rubén García Martinez lgarciam at vnz.uci.cu
Tue Nov 22 02:13:34 UTC 2011


Tatsuo, thank you very much for the answer. I only have one question:

Is there any estimated date for the release of PGPool-II 3.2?

Regards.

-----Original Message-----
From: Tatsuo Ishii [mailto:ishii at sraoss.co.jp]
Sent: Monday, November 21, 2011 09:24
To: Lazaro Rubén García Martinez
CC: guillaume at lelarge.info; pgpool-general at pgfoundry.org
Subject: Re: [Pgpool-general] Authentication method used for sr_check_password, health_check_password and recovery_password

I have checked pgpool-II 3.1 code and found that my explanation was wrong.

1) sr_check_user and sr_check_password are working fine with 3.1 even
   with md5 auth.

2) health_check_password is ignored in 3.1. So you cannot use anything
   other than trust with health_check_user.

For #2, it seems a fix to recognize health_check_password will break
backward compatibility. Because 3.1 code uses V2 protocol (used by 7.3
or before). To enable md5 auth, I need to replace it by using
make_persistent_db_connection(), which handles V3 protocol only. So it
seems there's no hope to recognize health_check_password in 3.1.x.

3.2 will allow md5 auth to be used with health_check_password at the
price of discontinuing support for the V2 protocol.

BTW, the problem with SSL is a totally different story. It seems someone
forgot to allow SSL to be used with health checking and
make_persistent_db_connection()...
--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese: http://www.sraoss.co.jp

> I configured pg_hba.conf like this:
> 
> #For recovery_user and health_check_user of pgpool
> hostssl		postgres	pgpool		10.13.4.201/32				md5 
> hostssl		template1	pgpool		10.13.4.201/32				md5
> 
> #For sr_check_user of pgpool
> hostssl		postgres	sr_pgpool		10.13.4.201/32				trust
> hostssl		template1	sr_pgpool		10.13.4.201/32				trust
> 
> The postgresql log file shows this error: 
> 
> LOG:  connection received: host=10.13.4.201 port=50640
> LOG:  could not receive data from client: Connection reset by peer
> 
> The pgpoolAdmin tool doesn't show the information about master and standby nodes.
> 
> Please, I need to configure the access from pgpool to PostgreSQL through the md5 authentication method, or another authentication method other than trust.
> 
> Is this possible with Pgpool-II? I tested it in different ways and these errors are always shown.
> 
> pgpool.conf is configured like this:
> 
> *************************************************************
> ssl = on
> ssl_key = '/opt/pgpool/ssl/server.key'
> ssl_cert = '/opt/pgpool/ssl/server.cert'
> 
> sr_check_user = 'sr_pgpool'
> sr_check_password = ''
> 
> health_check_user = 'pgpool'
> health_check_password = 'pgpool'
> 
> recovery_user = 'pgpool'
> recovery_password = 'pgpool'
> 
> ************************************************************
> 
> Regards and thank you very much for your time.
> 
> -----Original Message-----
> From: Lazaro Rubén García Martinez
> Sent: Monday, November 21, 2011 10:59
> To: Lazaro Rubén García Martinez; Guillaume Lelarge
> CC: pgpool-general at pgfoundry.org
> Subject: RE: [Pgpool-general] Authentication method used for sr_check_password, health_check_password and recovery_password
> 
> Continuing with this thread, I have some doubts about using SSL connections with pgpool and PostgreSQL. My pg_hba.conf has this configuration at the moment:
> 
> hostssl		postgres	pgpool		10.13.4.201/32				trust
> hostssl		template1	pgpool		10.13.4.201/32				trust
> hostssl		postgres	sr_pgpool		10.13.4.201/32				trust
> hostssl		template1	sr_pgpool		10.13.4.201/32				trust
> 
> But in the PostgreSQL log file, this error is shown:
> 
> LOG:  connection received: host=10.13.4.201 port=50423
> LOG:  connection received: host=10.13.4.201 port=50424
> LOG:  connection authorized: user=sr_pgpool database=postgres
> LOG:  connection authorized: user=sr_pgpool database=postgres
> LOG:  statement: SELECT pg_is_in_recovery()
> LOG:  statement: SELECT pg_current_xlog_location()
> LOG:  disconnection: session time: 0:00:00.092 user=sr_pgpool database=postgres host=10.13.4.201 port=50424
> LOG:  disconnection: session time: 0:00:00.096 user=sr_pgpool database=postgres host=10.13.4.201 port=50423
> LOG:  connection received: host=10.13.4.201 port=50426
> FATAL:  no pg_hba.conf entry for host "10.13.4.201", user "pgpool", database "postgres", SSL off
> LOG:  connection received: host=10.13.4.201 port=50428
> LOG:  connection authorized: user=sr_pgpool database=postgres
> LOG:  statement: SELECT pg_is_in_recovery()
> LOG:  disconnection: session time: 0:00:00.048 user=sr_pgpool database=postgres host=10.13.4.201 port=50428
> LOG:  connection received: host=10.13.4.201 port=50432
> LOG:  connection authorized: user=pgpool database=template1
> LOG:  statement: SELECT pg_is_in_recovery()
> LOG:  disconnection: session time: 0:00:00.053 user=pgpool database=template1 host=10.13.4.201 port=50432
> 
> Why can pgpool connect to the template1 database, and not to the postgres database?
> 
> In what case does pgpool connect to the postgres database, and in what case does it connect to the template1 database?
> 
> Regards.
> 
> -----Original Message-----
> From: pgpool-general-bounces at pgfoundry.org [mailto:pgpool-general-bounces at pgfoundry.org] On behalf of Lazaro Rubén García Martinez
> Sent: Sunday, November 20, 2011 06:43
> To: Guillaume Lelarge
> CC: pgpool-general at pgfoundry.org
> Subject: Re: [Pgpool-general] Authentication method used for sr_check_password, health_check_password and recovery_password
> 
> I agree with you, but if it is not a bug, what is the purpose of having the sr_check_password property in the pgpool.conf file?
> 
> I think this property can confuse pgpool's users, for this reason I propose -1.
> 
> If you understand that this feature should be present in Pgpool 3.2, I will agree with you too.
> 
> Regards.
> ________________________________________
> From: Guillaume Lelarge [guillaume at lelarge.info]
> Sent: Sunday, November 20, 2011 17:58
> To: Lazaro Rubén García Martinez
> CC: Tatsuo Ishii; pgpool-general at pgfoundry.org
> Subject: RE: [Pgpool-general] Authentication method used for sr_check_password, health_check_password and recovery_password
> 
> On Sun, 2011-11-20 at 17:24 -0430, Lazaro Rubén García Martinez wrote:
>> I think this feature is very important, because having trust access in pg_hba.conf is not a good idea.
> 
> I understand that and I agree with you. The problem is not on the
> feature itself, but on which release it should be delivered. If the
> feature is really urgent to get out there, then we should release 3.2
> quickly. We shouldn't put it in 3.1.whatever because 3.1.whatever could
> get out before 3.2.
> 
> Minor releases shouldn't change behaviour apart from bugfixes. That's an
> important part of the trust you can have in a software. If we start to
> add features on bugfix releases, many people will stop doing minor
> updates on pgpool, afraid of bugs which might be included with new
> features. I know I will if this happens, and I won't encourage my
> customers to upgrade their pgpool.
> 
> So, definite +1 to add this feature to pgpool, +1 to add it to 3.2, -1
> to add it as a bugfix in 3.1.1. It definitely is not a bugfix.
> 
> 
> --
> Guillaume
>   http://blog.guillaume.lelarge.info
>   http://www.dalibo.com
> 
> _______________________________________________
> Pgpool-general mailing list
> Pgpool-general at pgfoundry.org
> http://pgfoundry.org/mailman/listinfo/pgpool-general


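Added example (not part of the original thread, and not pgpool or PostgreSQL code): a simplified model of PostgreSQL's first-match pg_hba.conf lookup, run over the md5 variant of the rules quoted in the thread. It shows why a non-SSL connection as `pgpool` is rejected when only `hostssl` records exist, and lists the `trust` records an audit should flag. Assumptions: only `host`/`hostssl`/`hostnossl` records with CIDR addresses are handled; the function names are hypothetical.

```python
import ipaddress

# Constructed sample: the pg_hba.conf rules quoted in the thread (md5 variant).
PG_HBA = """
#For recovery_user and health_check_user of pgpool
hostssl  postgres   pgpool     10.13.4.201/32  md5
hostssl  template1  pgpool     10.13.4.201/32  md5
#For sr_check_user of pgpool
hostssl  postgres   sr_pgpool  10.13.4.201/32  trust
hostssl  template1  sr_pgpool  10.13.4.201/32  trust
"""

def parse_hba(text):
    """Return (type, databases, users, network, method) for each TCP rule."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 5 and fields[0] in ("host", "hostssl", "hostnossl"):
            ctype, dbs, users, addr, method = fields[:5]
            rules.append((ctype, dbs.split(","), users.split(","),
                          ipaddress.ip_network(addr, strict=False), method))
    return rules

def first_match(rules, db, user, client_ip, ssl):
    """Simplified first-match lookup; returns the auth method or None (rejected)."""
    ip = ipaddress.ip_address(client_ip)
    for ctype, dbs, users, net, method in rules:
        if ctype == "hostssl" and not ssl:
            continue  # hostssl records never match a non-SSL connection
        if ctype == "hostnossl" and ssl:
            continue  # hostnossl records never match an SSL connection
        if not ("all" in dbs or db in dbs):
            continue
        if not ("all" in users or user in users):
            continue
        if ip in net:
            return method
    return None  # corresponds to "no pg_hba.conf entry for host ..."

def trust_rules(rules):
    """List (database, user, network) for every rule that skips authentication."""
    return [(",".join(d), ",".join(u), str(n))
            for _, d, u, n, m in rules if m == "trust"]

if __name__ == "__main__":
    rules = parse_hba(PG_HBA)
    print(first_match(rules, "postgres", "pgpool", "10.13.4.201", ssl=False))
    print(first_match(rules, "postgres", "pgpool", "10.13.4.201", ssl=True))
    print(trust_rules(rules))
```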