[pgpool-general: 6] Re: [Pgpool-general] Authentication method used for sr_check_password, health_check_password and recovery_password

Tatsuo Ishii ishii at postgresql.org
Sun Nov 27 10:19:55 JST 2011


> I have checked pgpool-II 3.1 code and found that my explanation was wrong.
> 
> 1) sr_check_user and sr_check_password are working fine with 3.1 even
>    with md5 auth.
> 
> 2) health_check_password is ignored in 3.1. So you cannot use anything
>    other than trust with health_check_user.
> 
> For #2, it seems a fix to recognize health_check_password will break
> backward compatibility. Because 3.1 code uses V2 protocol (used by 7.3
> or before). To enable md5 auth, I need to replace it by using
> make_persistent_db_connection(), which handles V3 protocol only. So it
> seems there's no hope to recognize health_check_password in 3.1.x.
> 
> 3.2 will allow using md5 auth with health_check_password at the price
> of discontinuing support for the V2 protocol.
> 
> BTW, the problem with SSL is a totally different story. It seems someone
> forgot to allow using SSL with health checking and
> make_persistent_db_connection()...

I was wrong. You can use SSL with #1 (and #2 with 3.2).
--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese: http://www.sraoss.co.jp

>> I configured pg_hba.conf like this:
>> 
>> #For recovery_user and health_check_user of pgpool
>> hostssl		postgres	pgpool		10.13.4.201/32				md5 
>> hostssl		template1	pgpool		10.13.4.201/32				md5
>> 
>> #For sr_check_user of pgpool
>> hostssl		postgres	sr_pgpool		10.13.4.201/32				trust
>> hostssl		template1	sr_pgpool		10.13.4.201/32				trust
>> 
>> The postgresql log file shows this error: 
>> 
>> LOG:  connection received: host=10.13.4.201 port=50640
>> LOG:  could not receive data from client: Connection reset by peer
>> 
>> The pgpoolAdmin tool doesn't show the information about master and standby nodes.
>> 
>> Please, I need to configure the access from pgpool to PostgreSQL through the md5 authentication method, or another authentication method other than trust.
>> 
>> Is this possible with Pgpool-II? I tested it in different ways and these errors are always shown.
>> 
>> pgpool.conf is configured like this:
>> 
>> *************************************************************
>> ssl = on
>> ssl_key = '/opt/pgpool/ssl/server.key'
>> ssl_cert = '/opt/pgpool/ssl/server.cert'
>> 
>> sr_check_user = 'sr_pgpool'
>> sr_check_password = ''
>> 
>> health_check_user = 'pgpool'
>> health_check_password = 'pgpool'
>> 
>> recovery_user = 'pgpool'
>> recovery_password = 'pgpool'
>> 
>> ************************************************************
>> 
>> Regards and thank you very much for your time.
>> 
>> -----Original Message-----
>> From: Lazaro Rubén García Martinez 
>> Sent: Monday, November 21, 2011 10:59
>> To: Lazaro Rubén García Martinez; Guillaume Lelarge
>> CC: pgpool-general at pgfoundry.org
>> Subject: RE: [Pgpool-general] Authentication method used for sr_check_password, health_check_password and recovery_password
>> 
>> Continuing with this thread, I have some doubts about using SSL connections with pgpool and PostgreSQL; my pg_hba.conf has this configuration at this moment:
>> 
>> hostssl		postgres	pgpool		10.13.4.201/32				trust
>> hostssl		template1	pgpool		10.13.4.201/32				trust
>> hostssl		postgres	sr_pgpool		10.13.4.201/32				trust
>> hostssl		template1	sr_pgpool		10.13.4.201/32				trust
>> 
>> But in the PostgreSQL log file, this error is shown:
>> 
>> LOG:  connection received: host=10.13.4.201 port=50423
>> LOG:  connection received: host=10.13.4.201 port=50424
>> LOG:  connection authorized: user=sr_pgpool database=postgres
>> LOG:  connection authorized: user=sr_pgpool database=postgres
>> LOG:  statement: SELECT pg_is_in_recovery()
>> LOG:  statement: SELECT pg_current_xlog_location()
>> LOG:  disconnection: session time: 0:00:00.092 user=sr_pgpool database=postgres host=10.13.4.201 port=50424
>> LOG:  disconnection: session time: 0:00:00.096 user=sr_pgpool database=postgres host=10.13.4.201 port=50423
>> LOG:  connection received: host=10.13.4.201 port=50426
>> FATAL:  no pg_hba.conf entry for host "10.13.4.201", user "pgpool", database "postgres", SSL off
>> LOG:  connection received: host=10.13.4.201 port=50428
>> LOG:  connection authorized: user=sr_pgpool database=postgres
>> LOG:  statement: SELECT pg_is_in_recovery()
>> LOG:  disconnection: session time: 0:00:00.048 user=sr_pgpool database=postgres host=10.13.4.201 port=50428
>> LOG:  connection received: host=10.13.4.201 port=50432
>> LOG:  connection authorized: user=pgpool database=template1
>> LOG:  statement: SELECT pg_is_in_recovery()
>> LOG:  disconnection: session time: 0:00:00.053 user=pgpool database=template1 host=10.13.4.201 port=50432
>> 
>> Why can pgpool connect to the database template1, and not to the postgres database?
>> 
>> In what case does pgpool connect to the postgres database, and in what case does it connect to the template1 database?
>> 
>> Regards.
>> 
>> -----Original Message-----
>> From: pgpool-general-bounces at pgfoundry.org [mailto:pgpool-general-bounces at pgfoundry.org] On behalf of Lazaro Rubén García Martinez
>> Sent: Sunday, November 20, 2011 06:43
>> To: Guillaume Lelarge
>> CC: pgpool-general at pgfoundry.org
>> Subject: Re: [Pgpool-general] Authentication method used for sr_check_password, health_check_password and recovery_password
>> 
>> I agree with you, but if it is not a bug, what is the purpose of having the sr_check_password property in the pgpool.conf file?
>> 
>> I think this property can confuse pgpool's users, for this reason I propose -1.
>> 
>> If you understand that this feature should be present in Pgpool 3.2, I will agree with you too.
>> 
>> Regards.
>> ________________________________________
>> From: Guillaume Lelarge [guillaume at lelarge.info]
>> Sent: Sunday, November 20, 2011 17:58
>> To: Lazaro Rubén García Martinez
>> CC: Tatsuo Ishii; pgpool-general at pgfoundry.org
>> Subject: RE: [Pgpool-general] Authentication method used for sr_check_password, health_check_password and recovery_password
>> 
>> On Sun, 2011-11-20 at 17:24 -0430, Lazaro Rubén García Martinez wrote:
>>> I think this feature is very important, because having trust access in pg_hba.conf is not a good idea.
>> 
>> I understand that and I agree with you. The problem is not on the
>> feature itself, but on which release it should be delivered. If the
>> feature is really urgent to get out there, then we should release 3.2
>> quickly. We shouldn't put it in 3.1.whatever because 3.1.whatever could
>> get out before 3.2.
>> 
>> Minor releases shouldn't change behaviour apart from bugfixes. That's an
>> important part of the trust you can have in a software. If we start to
>> add features on bugfix releases, many people will stop doing minor
>> updates on pgpool, afraid of bugs which might be included with new
>> features. I know I will if this happens, and I won't encourage my
>> customers to upgrade their pgpool.
>> 
>> So, definite +1 to add this feature to pgpool, +1 to add it to 3.2, -1
>> to add it as a bugfix in 3.1.1. It definitely is not a bugfix.
>> 
>> 
>> --
>> Guillaume
>>   http://blog.guillaume.lelarge.info
>>   http://www.dalibo.com
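
The trust-versus-md5 question raised in this thread can be checked mechanically. The following is an added example, not part of the original messages or of pgpool-II: it cross-references the pgpool service users from pgpool.conf against pg_hba.conf rules and reports `trust` entries and password-based rules paired with an empty password. The inputs are constructed samples modelled on the configuration quoted above; the function names are hypothetical and the parser assumes the CIDR form of the address column.

```python
import re

# Constructed samples modelled on the configuration quoted in the thread.
PG_HBA = """\
# For recovery_user and health_check_user of pgpool
hostssl  postgres   pgpool     10.13.4.201/32  md5
hostssl  template1  pgpool     10.13.4.201/32  md5
# For sr_check_user of pgpool
hostssl  postgres   sr_pgpool  10.13.4.201/32  trust
hostssl  template1  sr_pgpool  10.13.4.201/32  trust
"""
PGPOOL_CONF = """\
sr_check_user = 'sr_pgpool'
sr_check_password = ''
health_check_user = 'pgpool'
health_check_password = 'pgpool'
recovery_user = 'pgpool'
recovery_password = 'pgpool'
"""

def parse_hba(text):
    """Return (type, database, user, address, method) for each host* rule."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split columns
        if len(fields) >= 5 and fields[0].startswith("host"):
            rules.append(tuple(fields[:5]))
    return rules

def parse_pgpool(text):
    """Return the single-quoted key = 'value' settings as a dict."""
    return dict(re.findall(r"^\s*(\w+)\s*=\s*'([^']*)'", text, re.M))

def audit(hba_text, pgpool_text):
    """List (role, database, issue) for each weak rule reachable by a pgpool user."""
    conf, findings = parse_pgpool(pgpool_text), []
    for role in ("sr_check", "health_check", "recovery"):
        user = conf.get(role + "_user")
        password = conf.get(role + "_password", "")
        if user is None:
            continue
        for _conn, db, rule_user, addr, method in parse_hba(hba_text):
            if rule_user != "all" and user not in rule_user.split(","):
                continue
            if method == "trust":
                findings.append((role, db, "trust: no credential checked for " + addr))
            elif not password:
                findings.append((role, db, method + " rule but empty password"))
    return findings

if __name__ == "__main__":
    for finding in audit(PG_HBA, PGPOOL_CONF):
        print(finding)
```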

