[pgpool-general: 4535] md5 authentication without pool_passwd

Gabriele Monfardini monfardini at ldpgis.it
Fri Mar 11 18:53:11 JST 2016


Hi all,

this is an enhancement request.
AFAIK currently the only way to use md5 authentication with pgpool-II and
PostgreSQL is the following:

   - set up the pool_hba file to enforce md5 authentication from client hosts
   - set up the pool_passwd file with users and passwords to be used by the
   clients
   - set up the pg_hba file to enforce md5 authentication from pgpool host(s)
   - create users in PostgreSQL with the same password as in the pool_passwd
   file.

This works perfectly and is the way suggested in the manual.

The problem with this setup is that it is cumbersome and error-prone to
keep pool_passwd aligned with PostgreSQL users.
In order to add a new user we need to add it in PostgreSQL, add it in
pool_passwd and reload pgpool to read the pool_passwd file again.

It would be great to find a way to bypass pgpool authentication and
authenticate only in PostgreSQL.
If PostgreSQL authentication succeeds, client authentication succeeds,
otherwise it fails.
In this way there will be no double authentication against pgpool and
against PostgreSQL.
Moreover users and passwords will be only in PostgreSQL, where their
management is easier.

I don't know if this is technically feasible but it could work like that:

   - set up pool_hba to enforce md5 authentication from client hosts
   - disable the use of pool_passwd
   - set up pg_hba to enforce md5 authentication from pgpool host
   - create users in PostgreSQL.

In this setup pgpool will simply try md5 authentication against PostgreSQL
with the user and password provided by the client, and report success or
failure to the client.

Obviously if there is a mismatch between the authentication enforced in
pool_hba and the one resulting from pg_hba an error will be returned.

I've opened an enhancement request:
http://www.pgpool.net/mantisbt/view.php?id=170

What do you think about this proposal?

Best regards,

Gabriele Monfardini

-----
Gabriele Monfardini
LdP Progetti GIS
tel: 0577.531049
email: monfardini at ldpgis.it
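
The alignment problem described in the message can be checked mechanically. The following is an added example, not part of the original post or of pgpool-II: it compares pool_passwd entries against the md5 verifiers stored in PostgreSQL and reports any drift. It assumes pool_passwd uses the `username:md5hash` line format; the function names and sample data are hypothetical.

```python
import hashlib

def pg_md5_hash(user, password):
    # PostgreSQL md5 verifier: "md5" + md5(password || username).
    return "md5" + hashlib.md5((password + user).encode("utf-8")).hexdigest()

def parse_pool_passwd(text):
    # pool_passwd holds one "username:md5hash" entry per line.
    entries = {}
    for line in text.splitlines():
        user, sep, verifier = line.strip().partition(":")
        if sep and user:
            entries[user] = verifier
    return entries

def find_drift(pool_entries, pg_entries):
    # Report every role whose entry differs between pool_passwd and PostgreSQL.
    drift = {}
    for user in sorted(set(pool_entries) | set(pg_entries)):
        if user not in pool_entries:
            drift[user] = "missing from pool_passwd"
        elif user not in pg_entries:
            drift[user] = "missing from PostgreSQL"
        elif pool_entries[user] != pg_entries[user]:
            drift[user] = "hash mismatch"
    return drift

# Constructed sample data (not from the post): bob's password was changed in
# PostgreSQL only, and carol was created in PostgreSQL only.
SAMPLE_POOL_PASSWD = "\n".join([
    "alice:" + pg_md5_hash("alice", "alice-pw"),
    "bob:" + pg_md5_hash("bob", "old-pw"),
])
# Assumption: these rows were exported by a superuser with
#   SELECT rolname, rolpassword FROM pg_authid WHERE rolcanlogin;
SAMPLE_PG_ROLES = {
    "alice": pg_md5_hash("alice", "alice-pw"),
    "bob": pg_md5_hash("bob", "new-pw"),
    "carol": pg_md5_hash("carol", "carol-pw"),
}

def check_sample():
    return find_drift(parse_pool_passwd(SAMPLE_POOL_PASSWD), SAMPLE_PG_ROLES)

if __name__ == "__main__":
    for user, reason in check_sample().items():
        print(f"{user}: {reason}")
```

Because the username is part of the hashed input, an entry copied from one role to another never matches, even when both roles share a password.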