[pgpool-hackers: 4075] Re: Proposal: add validations of wd_lifecheck_password and recovery_password format.

Tatsuo Ishii ishii at sraoss.co.jp
Sun Dec 12 20:40:29 JST 2021


> Hi,
> 
> wd_lifecheck_password and recovery_password are not allowed to be md5 hashed format
> but pgppol dont check their password format.
> 
> I think this proposal will help users to know why pcp_recovery_node fails and authentication
> failure appears in pgpool log.
> 
> What do you think?

Unfortunately the proposal made many regression failures. The reason
for this is that pcp_recovery_node failed because pgpool_setup creates
following:

pgpool.conf:
recovery_user = 't-ishii'
recovery_password = ''

pool_passwd:
t-ishii:md5a16f9d87e344969ec59de417447348b3

pcp_recovery_node finds recovery_password = '' and then looks into
pool_passwd then finds the password format is md5. So it complains and
raises an error. However, pg_hba.conf is set that auth method for
"t-ishii" is "trust", so pcp_recovery_node should happily connect to
PostgreSQL. But now the new check prevents pcp_recovery_node from
trying to connect to PostgreSQL.

I think the check should be performed after:

	conn = connect_backend_libpq(backend);

this fails.

Probably same thing can be saild to wd_lifecheck_password.

Best reagards,
--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese:http://www.sraoss.co.jp


More information about the pgpool-hackers mailing list