[Pgpool-hackers] pgpool 3.2 released
Taiki Yamaguchi
yamaguchi at sraoss.co.jp
Tue Feb 13 05:36:47 UTC 2007
Tatsuo Ishii wrote:
>> Hi,
>>
>> On Sat, 2007-02-10 at 19:58 +0900, Tatsuo Ishii wrote:
>>
>>> I have released pgpool 3.2. Can you please take a look at it?
>> Checked and tested it. I found an issue in hba. Here is my
>> pool_hba.conf:
>>
>> ================================================================
>> # "local" is for Unix domain socket connections only
>> local all all reject
>> # IPv4 local connections:
>> host all all 127.0.0.1/32 reject
>> ================================================================
>>
>> Now, here is the message when I psql to pgpool:
>>
>> $ psql -U postgres -p 9999 -h localhost
>> psql: ERROR: no pool_hba.conf entry for host "127.0.0.1", user
>> "postgres", database "postgres"
>>
>> However, it is not the case. There is an entry. Here is the debug log:
>>
>> =======================================================================
>> 2007-02-12 08:44:03 ERROR: pid 25668: no pool_hba.conf entry for host
>> "127.0.0.1", user "postgres", database "postgres"
>> 2007-02-12 08:44:03 ERROR: pid 25668: authentication with pgpool failed
>> for user "postgres": host rejected
>> =======================================================================
>>
>> The second message should be returned to client, instead of the first
>> one.
>>
>> BTW, any plans to add md5 auth to pool_hba.conf?
>
> Taiki, what do you think?

The error is the same behavior as in PostgreSQL.
Since it is not usual for an administrator to specify the "reject" method in
pg_hba.conf, PostgreSQL returns an error message saying "entry not
found" although it was actually there. I guess it is a security issue
that we don't want a rejected user to know that he was either
black-listed, or he was just not listed at all. The returned message
follows PostgreSQL's as well. Of course, we do not have to apply
everything in PostgreSQL to pgpool :) Any better solutions to this matter?

I don't have a plan to add md5 auth to pgpool, because pgpool doesn't
know anything about incoming users. Thus, pgpool can do PAM auth, but
not md5 or any other methods that require user/password information.

-- yamaguti
>
>> Also, are there any plans to add a parameter like "log_destination" to
>> pgpool so that pgpool can log to a specified file, instead of running
>> pgpool with "pgpool -n >& /tmp/pgpool.log &"?
>
> Sounds like a nice idea. I will look forward to adding this feature to pgpool.
>
>> Other than these, this package looks OK.
>>
>> I built RPMs for Fedora Core 5, 6 and Fedora 7. They will be available
>> in Fedora Extras later in the day (they are built successfully). I'll
>> upload a RHEL RPM to pgfoundry page today.
>
> Thanks in advance!
> --
> Tatsuo Ishii
> SRA OSS, Inc. Japan
>
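The behaviour discussed in this thread, as an added example that is not part of the original messages and is not pgpool's own code: a first-match check over the quoted pool_hba.conf that gives the client the same generic text for "reject" and for "no entry", while the log records the real reason. The function names `parse_hba` and `check`, the simplified parsing (only `local` and `host` lines with CIDR addresses), and the "local socket" and success log wording are assumptions made for illustration; the two error texts follow the ones quoted above.

```python
import ipaddress

# Constructed sample mirroring the pool_hba.conf quoted in the thread.
SAMPLE_HBA = """\
# "local" is for Unix domain socket connections only
local all all reject
# IPv4 local connections:
host all all 127.0.0.1/32 reject
"""

def parse_hba(text):
    """Return rules as (type, database, user, network_or_None, method)."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, then tokenize
        if not fields:
            continue
        if fields[0] == "local" and len(fields) >= 4:
            rules.append(("local", fields[1], fields[2], None, fields[3]))
        elif fields[0] == "host" and len(fields) >= 5:
            net = ipaddress.ip_network(fields[3], strict=False)
            rules.append(("host", fields[1], fields[2], net, fields[4]))
        else:
            raise ValueError(f"unsupported HBA line: {line!r}")
    return rules

def check(rules, conn_type, database, user, addr=None):
    """First matching rule wins. Returns (allowed, client_msg, log_msg)."""
    where = f'host "{addr}"' if addr else "local socket"  # assumed wording for local
    generic = f'no pool_hba.conf entry for {where}, user "{user}", database "{database}"'
    for rtype, rdb, ruser, net, method in rules:
        if rtype != conn_type or rdb not in ("all", database) or ruser not in ("all", user):
            continue
        if net is not None and ipaddress.ip_address(addr) not in net:
            continue
        if method == "reject":
            # The client sees the same text as the no-match case;
            # only the server log distinguishes an explicit reject.
            return False, generic, f'authentication with pgpool failed for user "{user}": host rejected'
        return True, None, f'connection admitted by method "{method}"'  # constructed text
    return False, generic, generic
```

Comparing the client message for 127.0.0.1 (explicitly rejected) with the one for an unlisted address shows that the two cases differ only in the address echoed back, which the client already knows.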