Tatsuo, thank you very much for the answer. I only have one question: Is there any estimated date for release PGPool-II 3.2?
Regards. -----Mensaje original----- De: Tatsuo Ishii [mailto:is...@sraoss.co.jp] Enviado el: lunes, 21 de noviembre de 2011 09:24 Para: Lazaro Rubén García Martinez CC: guilla...@lelarge.info; pgpool-general@pgfoundry.org Asunto: Re: [Pgpool-general] Authentication method used for sr_check_password, health_check_password and recovery_password I have checked pgpool-II 3.1 code and found that my explanation was wrong. 1) sr_check_user and sr_check_password are working fine with 3.1 even with md5 auth. 2) health_check_password is ignored in 3.1. So you can not use other trust with health_check_user. For #2, it seems a fix to recognize health_check_password will break backward compatibility. Because 3.1 code uses V2 protocol (used by 7.3 or before). To enable md5 auth, I need to replace it by using make_persistent_db_connection(), which handles V3 protocol only. So it seems there's no hope to recognize health_check_password in 3.1.x. 3.2 will allow to use md5 auth with health_check_password for price of discontinuing support for V2 protocol. BTW, problem with SSL is totally different story. It seems someone forgot to allow to use SSL with health checking and make_persistent_db_connection()... -- Tatsuo Ishii SRA OSS, Inc. Japan English: http://www.sraoss.co.jp/index_en.php Japanese: http://www.sraoss.co.jp > I configured pg_hba.conf like this: > > #For recovery_user and health_check_user of pgpool > hostssl postgres pgpool 10.13.4.201/32 > md5 > hostssl template1 pgpool 10.13.4.201/32 > md5 > > #For sr_check_user of pgpool > hostssl postgres sr_pgpool 10.13.4.201/32 > trust > hostssl template1 sr_pgpool 10.13.4.201/32 > trust > > The postgresql log file shows this error: > > LOG: connection received: host=10.13.4.201 port=50640 > LOG: could not receive data from client: Connection reset by peer > > The pgpoolAdmin tool doesn't shows the information about master and standby > nodes. > > Please, I need configure the access from pgpool to postgreSQL through md5 > authentication method, or other authentication method different of trust. > > Is this possible with Pgpool-II??, because I tested it, in different ways and > always these errors are shown. > > pgpool.conf is configure like this: > > ************************************************************* > ssl = on > ssl_key = '/opt/pgpool/ssl/server.key' > ssl_cert = '/opt/pgpool/ssl/server.cert' > > sr_check_user = 'sr_pgpool' > sr_check_password = '' > > health_check_user = 'pgpool' > health_check_password = 'pgpool' > > recovery_user = 'pgpool' > recovery_password = 'pgpool' > > ************************************************************ > > Regards and thank you very much for your time. > > -----Mensaje original----- > De: Lazaro Rubén García Martinez > Enviado el: lunes, 21 de noviembre de 2011 10:59 > Para: Lazaro Rubén García Martinez; Guillaume Lelarge > CC: pgpool-general@pgfoundry.org > Asunto: RE: [Pgpool-general] Authentication method used for > sr_check_password, health_check_password and recovery_password > > Continuing with this thread, I have some doubt about using SSL connections > with pgpool and postgreSQL, my pg_hba.conf have this configuration at this > moment: > > hostssl postgres pgpool 10.13.4.201/32 > trust > hostssl template1 pgpool 10.13.4.201/32 > trust > hostssl postgres sr_pgpool 10.13.4.201/32 > trust > hostssl template1 sr_pgpool 10.13.4.201/32 > trust > > But in the postgreSQL log file, this error is shows: > > LOG: connection received: host=10.13.4.201 port=50423 > LOG: connection received: host=10.13.4.201 port=50424 > LOG: connection authorized: user=sr_pgpool database=postgres > LOG: connection authorized: user=sr_pgpool database=postgres > LOG: statement: SELECT pg_is_in_recovery() > LOG: statement: SELECT pg_current_xlog_location() > LOG: disconnection: session time: 0:00:00.092 user=sr_pgpool > database=postgres host=10.13.4.201 port=50424 > LOG: disconnection: session time: 0:00:00.096 user=sr_pgpool > database=postgres host=10.13.4.201 port=50423 > LOG: connection received: host=10.13.4.201 port=50426 > FATAL: no pg_hba.conf entry for host "10.13.4.201", user "pgpool", database > "postgres", SSL off > LOG: connection received: host=10.13.4.201 port=50428 > LOG: connection authorized: user=sr_pgpool database=postgres > LOG: statement: SELECT pg_is_in_recovery() > LOG: disconnection: session time: 0:00:00.048 user=sr_pgpool > database=postgres host=10.13.4.201 port=50428 > LOG: connection received: host=10.13.4.201 port=50432 > LOG: connection authorized: user=pgpool database=template1 > LOG: statement: SELECT pg_is_in_recovery() > LOG: disconnection: session time: 0:00:00.053 user=pgpool database=template1 > host=10.13.4.201 port=50432 > > Why pgpool can connect to the database template1, and not to postgres > database? > > In what case pgpool connects to database postgres and in what case connects > to template1 database? > > Regards. > > -----Mensaje original----- > De: pgpool-general-boun...@pgfoundry.org > [mailto:pgpool-general-boun...@pgfoundry.org] En nombre de Lazaro Rubén > García Martinez > Enviado el: domingo, 20 de noviembre de 2011 06:43 > Para: Guillaume Lelarge > CC: pgpool-general@pgfoundry.org > Asunto: Re: [Pgpool-general] Authentication method used for > sr_check_password, health_check_password and recovery_password > > I am agree with you, but if it is not a bug, what is the purpose for having > sr_sheck_password property in pgpool.conf file?. > > I think this property can confuse pgpool's users, for this reason I propose > -1. > > If you understand that this feature should be present in Pgpool 3.2, I will > agree with you too. > > Regards. > ________________________________________ > De: Guillaume Lelarge [guilla...@lelarge.info] > Enviado el: domingo, 20 de noviembre de 2011 17:58 > Para: Lazaro Rubén García Martinez > CC: Tatsuo Ishii; pgpool-general@pgfoundry.org > Asunto: RE: [Pgpool-general] Authentication method used for > sr_check_password, health_check_password and recovery_password > > On Sun, 2011-11-20 at 17:24 -0430, Lazaro Rubén García Martinez wrote: >> I think this feature is very important, because having trust acces in >> pg_hba.conf is not a good idea. > > I understand that and I agree with you. The problem is not on the > feature itself, but on which release it should be delivered. If the > feature is really urgent to get out there, then we should release 3.2 > quickly. We shouldn't put it in 3.1.whatever because 3.1.whatever could > get out before 3.2. > > Minor releases shouldn't change behaviour apart from bugfixes. That's an > important part of the trust you can have in a software. If we start to > add features on bugfix releases, many people will stop doing minor > updates on pgpool, afraid of bugs which might be included with new > features. I know I'll do if this will happen, and I won't encourage my > customers to upgrade their pgpool. > > So, definite +1 to add this feature to pgpool, +1 to add it to 3.2, -1 > to add it as a bugfix in 3.1.1. It definitely is not a bugfix. > > > -- > Guillaume > http://blog.guillaume.lelarge.info > http://www.dalibo.com > > _______________________________________________ > Pgpool-general mailing list > Pgpool-general@pgfoundry.org > http://pgfoundry.org/mailman/listinfo/pgpool-general > _______________________________________________ > Pgpool-general mailing list > Pgpool-general@pgfoundry.org > http://pgfoundry.org/mailman/listinfo/pgpool-general _______________________________________________ Pgpool-general mailing list Pgpool-general@pgfoundry.org http://pgfoundry.org/mailman/listinfo/pgpool-general
