[pgpool-general: 7464] Re: AWS Aurora / Postgres handling additional Database Users

Bo Peng pengbo at sraoss.co.jp
Mon Mar 29 16:47:03 JST 2021


Hi,

On Fri, 26 Mar 2021 14:22:51 +0900
Bo Peng <pengbo at sraoss.co.jp> wrote:

> Hi,
> 
> On Thu, 25 Mar 2021 16:03:54 -0500
> Eric Brawner <eric.brawner at exprealty.net> wrote:
> 
> > Hi all,
> > 
> > I think I know the answer already (No).  But want to make absolutely sure.
> > It seems for Aurora we needed to use MD5 to hash the password for our
> > Database User (User1).  However, we have several other database users we'd
> > also like to have connect via PGPool.
> > 
> > Is there a configuration/way we can have these additional users pass-through
> > authenticate to the Aurora Postgres instance?  I think it's no.
> > 
> > If that is the case our only option is to also MD5 hash the additional
> > user's passwords into PGPool such that we'd need to maintain
> > their passwords in both Aurora & PGPool?
> 
> I think in this case if enable_pool_hba = off, 
> you can use "allow_clear_text_frontend_auth".
> 
> https://www.pgpool.net/docs/latest/en/html/runtime-config-connection.html#GUC-ALLOW-CLEAR-TEXT-FRONTEND-AUTH
>  
> If PostgreSQL backend servers require md5 or SCRAM authentication for some user's authentication,
> but the password for that user is not present in the "pool_passwd" file, 
> then enabling allow_clear_text_frontend_auth will allow the Pgpool-II to
> use clear-text-password authentication with frontend clients to get the 
> password in plain text form from the client and use it for backend authentication. 

In addition, if "enable_pool_hba = on", you can specify "password" authentication in pool_hba.conf:
 
  host      all   someusers     all    password


From a security perspective, you can also force SSL connection between frontend and Pgpool-II by setting:

  hostssl      all   someusers     all    password


> > Thanks in advance
> > 
> > Eric
> > 
> > -- 
> > *Eric Brawner*
> > Data Engineer / Business Intelligence
> > *eXp Realty*
> > Livingston, Tx (Central Time)
> 
> 
> -- 
> Bo Peng <pengbo at sraoss.co.jp>
> SRA OSS, Inc. Japan


-- 
Bo Peng <pengbo at sraoss.co.jp>
SRA OSS, Inc. Japan
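
An added example, not part of the original message or of Pgpool-II: a small audit of pool_hba.conf that reports rules accepting the "password" method on a connection type that does not require SSL, which is the gap the hostssl line above closes. The sample file, the user name "reports" and the function names are constructed for illustration; the parser assumes "#" always starts a comment and does not handle quoted names.

```python
# Added example: find pool_hba.conf rules where a clear-text password
# can be sent over a connection that is not required to use SSL.
CLEARTEXT_METHODS = {"password"}
# "host" matches both SSL and non-SSL connections; "hostnossl" only non-SSL.
NON_TLS_TYPES = {"host", "hostnossl"}


def _is_netmask(field):
    """True for a separate netmask column such as 255.255.255.0."""
    return ("." in field or ":" in field) and all(
        c in "0123456789abcdefABCDEF.:" for c in field)


def parse_hba(text):
    """Yield (lineno, type, database, user, address, method) per rule."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()  # drop comments, split columns
        if not f:
            continue
        if f[0] == "local" and len(f) >= 4:
            # local DATABASE USER METHOD [OPTIONS]
            yield lineno, f[0], f[1], f[2], None, f[3]
        elif len(f) >= 6 and _is_netmask(f[4]):
            # TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD [OPTIONS]
            yield lineno, f[0], f[1], f[2], f[3] + " " + f[4], f[5]
        elif len(f) >= 5:
            # TYPE DATABASE USER ADDRESS METHOD [OPTIONS]
            yield lineno, f[0], f[1], f[2], f[3], f[4]


def cleartext_over_plain_tcp(text):
    """Return (lineno, user, address) for rules that accept a clear-text
    password without requiring SSL."""
    return [(n, user, addr)
            for n, ctype, _db, user, addr, method in parse_hba(text)
            if ctype in NON_TLS_TYPES and method in CLEARTEXT_METHODS]


# Constructed sample, not taken from the thread.
SAMPLE = """\
# pool_hba.conf (constructed)
local    all  all                            trust
host     all  user1      all                 md5
host     all  someusers  all                 password
hostssl  all  someusers  all                 password
host     all  reports    10.0.0.0 255.0.0.0  password   # mask form
"""

if __name__ == "__main__":
    for n, user, addr in cleartext_over_plain_tcp(SAMPLE):
        print(f"line {n}: user={user} address={addr}: use hostssl")
```

Rules on "local" are not reported because they cover Unix-domain sockets rather than TCP.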

