[Pgpool-hackers] pgpool 3.2 released

Taiki Yamaguchi yamaguchi at sraoss.co.jp
Tue Feb 13 05:36:47 UTC 2007



Tatsuo Ishii wrote:
>> Hi,
>>
>> On Sat, 2007-02-10 at 19:58 +0900, Tatsuo Ishii wrote:
>>
>>> I have released pgpool 3.2. Can you please take a look at it?
>> Checked and tested it. I found an issue in hba. Here is my
>> pool_hba.conf:
>>
>> ================================================================
>> # "local" is for Unix domain socket connections only
>> local   all         all                               reject
>> # IPv4 local connections:
>> host    all         all         127.0.0.1/32          reject
>> ================================================================
>>
>> Now, here is the message when I psql to pgpool:
>>
>> $ psql -U postgres -p 9999 -h localhost
>> psql: ERROR:  no pool_hba.conf entry for host "127.0.0.1", user
>> "postgres", database "postgres"
>>
>> However, it is not the case. There is an entry. Here is the debug log:
>>
>> =======================================================================
>> 2007-02-12 08:44:03 ERROR: pid 25668: no pool_hba.conf entry for host
>> "127.0.0.1", user "postgres", database "postgres"
>> 2007-02-12 08:44:03 ERROR: pid 25668: authentication with pgpool failed
>> for user "postgres": host rejected
>> =======================================================================
>>
>> The second message should be returned to client, instead of the first
>> one.
>>
>> BTW, any plans to add md5 auth to pool_hba.conf?
> 
> Taiki, what do you think?

The error is the same behavior as in PostgreSQL.
Since it is not usual for an administrator to specify the "reject" method in
pg_hba.conf, PostgreSQL returns an error message saying "entry not
found" although it was actually there. I guess it is a security issue,
in that we don't want a rejected user to know whether he was
black-listed or just not listed at all. The returned message
follows PostgreSQL's as well. Of course, we do not have to apply
everything in PostgreSQL to pgpool :) Any better solutions to this matter?

I don't have a plan to add md5 auth to pgpool, because pgpool doesn't 
know anything about incoming users. Thus, pgpool can do PAM auth, but 
not md5 or any other methods that require user/password information.

-- yamaguti

> 
>> Also, are there any plans to add a parameter like "log_destination" to
>> pgpool so that pgpool can log to a specified file, instead of running
>> pgpool with "pgpool -n >& /tmp/pgpool.log &"?
> 
> Sounds like a nice idea. I will look forward to adding this feature into pgpool.
> 
>> Other than these, this package looks ok.
>>
>> I built RPMs for Fedora Core 5, 6 and Fedora 7. They will be available
>> in Fedora Extras later in the day (they are built successfully). I'll
>> upload a RHEL RPM to pgfoundry page today.
> 
> Thanks in advance!
> --
> Tatsuo Ishii
> SRA OSS, Inc. Japan
> _______________________________________________
> Pgpool-hackers mailing list
> Pgpool-hackers at pgfoundry.org
> http://pgfoundry.org/mailman/listinfo/pgpool-hackers
> 
> 
> 
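
Added example (not pgpool's code and not part of this thread): a minimal first-match evaluator for the two-entry pool_hba.conf quoted above, which hands the client the generic "no entry" text while keeping the specific "host rejected" reason for the server log, as the reply describes. The function names and the simplified matching (only `local`/`host` lines, `all` or exact names) are assumptions.

```python
import ipaddress

# Constructed sample mirroring the pool_hba.conf quoted in the thread.
SAMPLE_HBA = """\
# "local" is for Unix domain socket connections only
local   all         all                               reject
# IPv4 local connections:
host    all         all         127.0.0.1/32          reject
"""

def parse_hba(text):
    """Return entries as dicts; handles only the local/host forms shown above."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments and blank lines
        if not fields:
            continue
        if fields[0] == "local" and len(fields) >= 4:
            entries.append(dict(type="local", db=fields[1], user=fields[2],
                                net=None, method=fields[3]))
        elif fields[0] == "host" and len(fields) >= 5:
            entries.append(dict(type="host", db=fields[1], user=fields[2],
                                net=ipaddress.ip_network(fields[3]),
                                method=fields[4]))
    return entries

def check(entries, conn_type, db, user, addr=None):
    """First matching entry wins. Returns (allowed, client_msg, log_msg)."""
    generic = 'no pool_hba.conf entry for host "%s", user "%s", database "%s"' % (
        addr or "[local]", user, db)
    for e in entries:
        if e["type"] != conn_type:
            continue
        if e["db"] not in ("all", db) or e["user"] not in ("all", user):
            continue
        if conn_type == "host" and ipaddress.ip_address(addr) not in e["net"]:
            continue
        if e["method"] == "reject":
            # Client gets the same text as an unlisted host; only the log says why.
            return (False, generic,
                    'authentication with pgpool failed for user "%s": '
                    'host rejected' % user)
        return True, None, "matched method %s" % e["method"]
    return False, generic, generic  # no entry matched at all
```

Calling `check(parse_hba(SAMPLE_HBA), "host", "postgres", "postgres", "127.0.0.1")` gives a client message with the same wording an unlisted address would receive, while the log message records the explicit reject.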


