[pgpool-general: 7] Re: [Pgpool-general] Authentication method used for sr_check_password, health_check_password and recovery_password

Lazaro Rubén García Martinez lgarciam at vnz.uci.cu
Mon Nov 28 05:55:34 JST 2011


Thank you for the appointment.

Regards.
________________________________________
From: Tatsuo Ishii [ishii at postgresql.org]
Sent: Saturday, November 26, 2011 20:49
To: pgpool-general at pgpool.net
CC: Lazaro Rubén García Martinez
Subject: Re: [Pgpool-general] Authentication method used for sr_check_password, health_check_password and recovery_password

> I have checked pgpool-II 3.1 code and found that my explanation was wrong.
>
> 1) sr_check_user and sr_check_password are working fine with 3.1 even
>    with md5 auth.
>
> 2) health_check_password is ignored in 3.1. So you cannot use anything
>    other than trust with health_check_user.
>
> For #2, it seems a fix to recognize health_check_password will break
> backward compatibility. Because 3.1 code uses V2 protocol (used by 7.3
> or before). To enable md5 auth, I need to replace it by using
> make_persistent_db_connection(), which handles V3 protocol only. So it
> seems there's no hope to recognize health_check_password in 3.1.x.
>
> 3.2 will allow md5 auth with health_check_password at the price
> of discontinuing support for V2 protocol.
>
> BTW, the problem with SSL is a totally different story. It seems someone
> forgot to allow SSL with health checking and
> make_persistent_db_connection()...

I was wrong. You can use SSL with #1 (and #2 with 3.2).
--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese: http://www.sraoss.co.jp

>> I configured pg_hba.conf like this:
>>
>> #For recovery_user and health_check_user of pgpool
>> hostssl              postgres        pgpool          10.13.4.201/32                          md5
>> hostssl              template1       pgpool          10.13.4.201/32                          md5
>>
>> #For sr_check_user of pgpool
>> hostssl              postgres        sr_pgpool               10.13.4.201/32                          trust
>> hostssl              template1       sr_pgpool               10.13.4.201/32                          trust
>>
>> The postgresql log file shows this error:
>>
>> LOG:  connection received: host=10.13.4.201 port=50640
>> LOG:  could not receive data from client: Connection reset by peer
>>
>> The pgpoolAdmin tool doesn't show the information about master and standby nodes.
>>
>> Please, I need to configure the access from pgpool to PostgreSQL through the md5 authentication method, or another authentication method different from trust.
>>
>> Is this possible with Pgpool-II? Because I tested it in different ways and these errors are always shown.
>>
>> pgpool.conf is configured like this:
>>
>> *************************************************************
>> ssl = on
>> ssl_key = '/opt/pgpool/ssl/server.key'
>> ssl_cert = '/opt/pgpool/ssl/server.cert'
>>
>> sr_check_user = 'sr_pgpool'
>> sr_check_password = ''
>>
>> health_check_user = 'pgpool'
>> health_check_password = 'pgpool'
>>
>> recovery_user = 'pgpool'
>> recovery_password = 'pgpool'
>>
>> ************************************************************
>>
>> Regards and thank you very much for your time.
>>
>> -----Original Message-----
>> From: Lazaro Rubén García Martinez
>> Sent: Monday, November 21, 2011 10:59
>> To: Lazaro Rubén García Martinez; Guillaume Lelarge
>> CC: pgpool-general at pgfoundry.org
>> Subject: RE: [Pgpool-general] Authentication method used for sr_check_password, health_check_password and recovery_password
>>
>> Continuing with this thread, I have some doubts about using SSL connections with pgpool and PostgreSQL. My pg_hba.conf has this configuration at this moment:
>>
>> hostssl              postgres        pgpool          10.13.4.201/32                          trust
>> hostssl              template1       pgpool          10.13.4.201/32                          trust
>> hostssl              postgres        sr_pgpool               10.13.4.201/32                          trust
>> hostssl              template1       sr_pgpool               10.13.4.201/32                          trust
>>
>> But in the PostgreSQL log file, this error is shown:
>>
>> LOG:  connection received: host=10.13.4.201 port=50423
>> LOG:  connection received: host=10.13.4.201 port=50424
>> LOG:  connection authorized: user=sr_pgpool database=postgres
>> LOG:  connection authorized: user=sr_pgpool database=postgres
>> LOG:  statement: SELECT pg_is_in_recovery()
>> LOG:  statement: SELECT pg_current_xlog_location()
>> LOG:  disconnection: session time: 0:00:00.092 user=sr_pgpool database=postgres host=10.13.4.201 port=50424
>> LOG:  disconnection: session time: 0:00:00.096 user=sr_pgpool database=postgres host=10.13.4.201 port=50423
>> LOG:  connection received: host=10.13.4.201 port=50426
>> FATAL:  no pg_hba.conf entry for host "10.13.4.201", user "pgpool", database "postgres", SSL off
>> LOG:  connection received: host=10.13.4.201 port=50428
>> LOG:  connection authorized: user=sr_pgpool database=postgres
>> LOG:  statement: SELECT pg_is_in_recovery()
>> LOG:  disconnection: session time: 0:00:00.048 user=sr_pgpool database=postgres host=10.13.4.201 port=50428
>> LOG:  connection received: host=10.13.4.201 port=50432
>> LOG:  connection authorized: user=pgpool database=template1
>> LOG:  statement: SELECT pg_is_in_recovery()
>> LOG:  disconnection: session time: 0:00:00.053 user=pgpool database=template1 host=10.13.4.201 port=50432
>>
>> Why can pgpool connect to the template1 database, and not to the postgres database?
>>
>> In what case does pgpool connect to the postgres database, and in what case does it connect to the template1 database?
>>
>> Regards.
>>
>> -----Original Message-----
>> From: pgpool-general-bounces at pgfoundry.org [mailto:pgpool-general-bounces at pgfoundry.org] On behalf of Lazaro Rubén García Martinez
>> Sent: Sunday, November 20, 2011 06:43
>> To: Guillaume Lelarge
>> CC: pgpool-general at pgfoundry.org
>> Subject: Re: [Pgpool-general] Authentication method used for sr_check_password, health_check_password and recovery_password
>>
>> I agree with you, but if it is not a bug, what is the purpose of having the sr_check_password property in the pgpool.conf file?
>>
>> I think this property can confuse pgpool's users, for this reason I propose -1.
>>
>> If you understand that this feature should be present in Pgpool 3.2, I will agree with you too.
>>
>> Regards.
>> ________________________________________
>> From: Guillaume Lelarge [guillaume at lelarge.info]
>> Sent: Sunday, November 20, 2011 17:58
>> To: Lazaro Rubén García Martinez
>> CC: Tatsuo Ishii; pgpool-general at pgfoundry.org
>> Subject: RE: [Pgpool-general] Authentication method used for sr_check_password, health_check_password and recovery_password
>>
>> On Sun, 2011-11-20 at 17:24 -0430, Lazaro Rubén García Martinez wrote:
>>> I think this feature is very important, because having trust access in pg_hba.conf is not a good idea.
>>
>> I understand that and I agree with you. The problem is not on the
>> feature itself, but on which release it should be delivered. If the
>> feature is really urgent to get out there, then we should release 3.2
>> quickly. We shouldn't put it in 3.1.whatever because 3.1.whatever could
>> get out before 3.2.
>>
>> Minor releases shouldn't change behaviour apart from bugfixes. That's an
>> important part of the trust you can have in a software. If we start to
>> add features on bugfix releases, many people will stop doing minor
>> updates on pgpool, afraid of bugs which might be included with new
>> features. I know I will if this happens, and I won't encourage my
>> customers to upgrade their pgpool.
>>
>> So, definite +1 to add this feature to pgpool, +1 to add it to 3.2, -1
>> to add it as a bugfix in 3.1.1. It definitely is not a bugfix.
>>
>>
>> --
>> Guillaume
>>   http://blog.guillaume.lelarge.info
>>   http://www.dalibo.com
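
An added example, not part of the original messages and not pgpool or PostgreSQL code: a small pg_hba.conf audit in Python that replays the FATAL line quoted in the thread against the all-trust `hostssl` entries posted with it. It relies on the PostgreSQL rule that `hostssl` records match only SSL connections, and it assumes single-name or `all` database/user fields and CIDR addresses; the function names are hypothetical.

```python
import ipaddress
import re

# pg_hba.conf entries and FATAL line as posted in the thread (all-trust variant).
HBA = """\
hostssl postgres  pgpool    10.13.4.201/32 trust
hostssl template1 pgpool    10.13.4.201/32 trust
hostssl postgres  sr_pgpool 10.13.4.201/32 trust
hostssl template1 sr_pgpool 10.13.4.201/32 trust
"""
FATAL = ('FATAL:  no pg_hba.conf entry for host "10.13.4.201", '
         'user "pgpool", database "postgres", SSL off')

def parse_hba(text):
    """Parse TCP rules. Assumes single-name or 'all' fields and CIDR addresses."""
    rules = []
    for line in text.splitlines():
        fields = line.split('#', 1)[0].split()
        if len(fields) >= 5 and fields[0] in ('host', 'hostssl', 'hostnossl'):
            ctype, db, user, addr, method = fields[:5]
            rules.append((ctype, db, user, ipaddress.ip_network(addr), method))
    return rules

def parse_fatal(line):
    """Extract the rejected connection's attributes from the server log line."""
    m = re.search(r'host "([^"]+)", user "([^"]+)", database "([^"]+)", SSL (on|off)', line)
    if m is None:
        raise ValueError('not a "no pg_hba.conf entry" line')
    host, user, db, ssl = m.groups()
    return {'host': ipaddress.ip_address(host), 'user': user, 'db': db, 'ssl': ssl == 'on'}

def first_match(rules, conn):
    """Return the auth method of the first rule matching the connection, else None."""
    for ctype, db, user, net, method in rules:
        # 'host' matches any TCP connection; hostssl/hostnossl depend on SSL state.
        type_ok = ctype == 'host' or (ctype == 'hostssl') == conn['ssl']
        if (type_ok and db in (conn['db'], 'all') and user in (conn['user'], 'all')
                and conn['host'] in net):
            return method
    return None

def diagnose(rules, conn):
    """Say whether a rejected connection failed only because of its SSL state."""
    if first_match(rules, conn) is not None:
        return 'matched'
    method = first_match(rules, dict(conn, ssl=not conn['ssl']))
    return f'ssl-mismatch:{method}' if method else 'no-rule'

def trust_rules(rules):
    """List (database, user, network) of rules that skip credential checks."""
    return [(db, user, str(net)) for _, db, user, net, m in rules if m == 'trust']
```
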

