[HACKERS] Bug in pg_hba.conf or pg_basebackup concerning replication connections
All, If I have the following line in pg_hba.conf: hostreplication replication all md5 pg_basebackup -x -v -P -h master1 -U replication -D $PGDATA pg_basebackup: could not connect to server: FATAL: no pg_hba.conf entry for replication connection from host 216.121.61.233, user replication But, if I change it to all users, replication succeeds: hostreplication all all md5 ... even if the user postgres (the only other user in this test) is declared with noreplication. I can't figure out what's going wrong here; either HBA is broken and won't accept a replication line unless user is all, or pgbasebackup is doing something to test a connection as postgres, even though no such connection attempt shows up in the logs. -- Josh Berkus PostgreSQL Experts Inc. http://pgexperts.com San Francisco -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
Re: [HACKERS] Bug in pg_hba.conf or pg_basebackup concerning replication connections
On 10 April 2011 04:23, Joshua Berkus j...@agliodbs.com wrote: If I have the following line in pg_hba.conf: host replication replication all md5 pg_basebackup -x -v -P -h master1 -U replication -D $PGDATA pg_basebackup: could not connect to server: FATAL: no pg_hba.conf entry for replication connection from host 216.121.61.233, user replication Welcome to the wonderful world of keywords in hba not being specific to fields. I encountered this problem myself back in Oct 2010 [1] and predicted that it would bite other users. You've been kind enough to validate that prediction. I submitted a WIP patch aimed at fixing it just over a week ago [2]. Until that patch (or some other solution) goes through, you'll need to quote replication in your hba.conf if you want to use it as a username. Cheers, BJ [1] http://archives.postgresql.org/message-id/AANLkTi=q8dzj79okrwc-ke9zg-rh-1tcqdqbsbkfo...@mail.gmail.com [2] http://archives.postgresql.org/message-id/aanlktin8p0son1yjexo3cgidlxev67oh4c7vtj7e0...@mail.gmail.com -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
Re: [HACKERS] Bug in pg_hba.conf or pg_basebackup concerning replication connections
Welcome to the wonderful world of keywords in hba not being specific to fields. I encountered this problem myself back in Oct 2010 [1] and predicted that it would bite other users. You've been kind enough to validate that prediction. I submitted a WIP patch aimed at fixing it just over a week ago [2]. Well, I'd like to add this to the Open Issues. Given that I managed to hit this issue pretty much immediately on a blind test, I'm not going to be even close to the last user who experiences it. Has this always been an issue if you have users and databases in pg_hba.conf with the same name? -- Josh Berkus PostgreSQL Experts Inc. http://pgexperts.com -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
Re: [HACKERS] Bug in pg_hba.conf or pg_basebackup concerning replication connections
On 04/09/2011 03:18 PM, Brendan Jurd wrote: On 10 April 2011 04:23, Joshua Berkusj...@agliodbs.com wrote: If I have the following line in pg_hba.conf: hostreplication replication all md5 pg_basebackup -x -v -P -h master1 -U replication -D $PGDATA pg_basebackup: could not connect to server: FATAL: no pg_hba.conf entry for replication connection from host 216.121.61.233, user replication Welcome to the wonderful world of keywords in hba not being specific to fields. I encountered this problem myself back in Oct 2010 [1] and predicted that it would bite other users. You've been kind enough to validate that prediction. I submitted a WIP patch aimed at fixing it just over a week ago [2]. Until that patch (or some other solution) goes through, you'll need to quote replication in your hba.conf if you want to use it as a username. Cheers, BJ [1] http://archives.postgresql.org/message-id/AANLkTi=q8dzj79okrwc-ke9zg-rh-1tcqdqbsbkfo...@mail.gmail.com [2] http://archives.postgresql.org/message-id/aanlktin8p0son1yjexo3cgidlxev67oh4c7vtj7e0...@mail.gmail.com That's a 2000 line patch that looks like it's out of the question now. But I think this should fix Josh's immediate problem if we want to do it: diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c index 2def6ce..4306071 100644 --- a/src/backend/libpq/hba.c +++ b/src/backend/libpq/hba.c @@ -492,6 +492,8 @@ check_role(const char *role, Oid roleid, char *param_str) return true; } else if (strcmp(tok, role) == 0 || +(strcmp(tok, replication\n) == 0 + strcmp(role,replication) ==0) || strcmp(tok, all\n) == 0) return true; } Incidentally, are walsenders supposed to be able to match any db name other than 'replication'? If not, I think we have a bug in check_db(), which is probably missing an else return false; in the amwalsender branch. cheers andrew -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
Re: [HACKERS] Bug in pg_hba.conf or pg_basebackup concerning replication connections
On 04/09/2011 07:11 PM, Andrew Dunstan wrote: Incidentally, are walsenders supposed to be able to match any db name other than 'replication'? If not, I think we have a bug in check_db(), which is probably missing an else return false; in the amwalsender branch. Sorry, I misread the code. It will fall through. Sorry for the noise. cheers andrew -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
Re: [HACKERS] Bug in pg_hba.conf or pg_basebackup concerning replication connections
That's a 2000 line patch that looks like it's out of the question now. But I think this should fix Josh's immediate problem if we want to do it: I have confirmed that Andrew's patch works. -- Josh Berkus PostgreSQL Experts Inc. http://pgexperts.com -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
