function set_postgresql_conf
{
PGCONF=$1/postgresql.conf
+ PGHBACONF=$1/pg_hba.conf
echo "listen_addresses = '*'" >> $PGCONF
echo "port = $PORT" >> $PGCONF
fi
fi
- ed $1/pg_hba.conf <<EOF
+ sed -i '/host.*all.*all.*trust$/s/^/#/g' $PGHBACONF
+ sed -i '/local.*all.*all.*trust$/s/^/#/g' $PGHBACONF
+
+ echo "host all scram_user 0/0 scram-sha-256" >> $PGHBACONF
+ echo "host all md5_user 0/0 md5" >> $PGHBACONF
+ echo "host all all 0/0 trust" >> $PGHBACONF
+
+ echo "local all scram_user scram-sha-256" >> $PGHBACONF
+ echo "local all md5_user md5" >> $PGHBACONF
+ echo "local all all trust" >> $PGHBACONF
+
+ ed $1/pg_hba.conf <<EOF
/^#local *replication/s/^#//p
/^#host *replication/s/^#//p
/^#host *replication/s/^#//p
w
q
EOF
-
}
#-------------------------------------------
--- /dev/null
+#!/usr/bin/env bash
+#-------------------------------------------------------------------
+# test script for scram and md5 authentication test
+# when allow_clear_text_frontend_auth is set
+#
+source $TESTLIBS
+TESTDIR=testdir
+PSQL=$PGBIN/psql
+CREATEUSER=$PGBIN/createuser
+
+
+rm -fr $TESTDIR
+mkdir $TESTDIR
+cd $TESTDIR
+
+# create test environment
+echo -n "creating test environment..."
+$PGPOOL_SETUP -m s -n 2 || exit 1
+echo "done."
+
+source ./bashrc.ports
+
+#echo "enable_pool_hba = on" >> etc/pgpool.conf
+echo "allow_clear_text_frontend_auth = on" >> etc/pgpool.conf
+#set max_init_children to 1 to make sure we reuse the
+#connection to test wrong password rejection
+echo "num_init_children = 1" >> etc/pgpool.conf
+
+./startall
+
+export PGPORT=$PGPOOL_PORT
+wait_for_pgpool_startup
+
+#set passwords
+$PSQL -c "SET password_encryption = 'scram-sha-256'; CREATE ROLE scram_user PASSWORD 'scram_password'; ALTER ROLE scram_user WITH LOGIN;" test
+$PSQL -c "SET password_encryption = 'md5'; CREATE ROLE md5_user PASSWORD 'md5_password'; ALTER ROLE md5_user WITH LOGIN" test
+$PSQL -c "CREATE ROLE trust_user PASSWORD 'trust_password';ALTER ROLE trust_user WITH LOGIN" test
+
+
+if $PSQL -c "SELECT rolname,substring(rolpassword, 1, 14) FROM pg_authid where rolname ='scram_user'" test|grep "SCRAM-SHA-256" >/dev/null 2>&1
+then
+ echo "scram_user authenticated setup successfuly"
+else
+ echo "scram authentication setup failed"
+ failed=1
+fi
+if $PSQL -c "SELECT rolname,substring(rolpassword, 1, 4) FROM pg_authid where rolname ='md5_user'" test|grep "md5" >/dev/null 2>&1
+then
+ echo "md5 authenticated setup successfuly"
+else
+ echo "md5 authentication setup failed"
+ failed=1
+fi
+#create pgpass file
+echo "127.0.0.1:$PGPORT:test:scram_user:scram_password" >> pgpass
+echo "127.0.0.1:$PGPORT:test:md5_user:md5_password" >> pgpass
+chmod 0600 pgpass
+echo "127.0.0.1:$PGPORT:test:scram_user:scram_wrong_password" >> pgpasswrong
+echo "127.0.0.1:$PGPORT:test:md5_user:md5_wrong_password" >> pgpasswrong
+chmod 0600 pgpasswrong
+
+export PGPASSFILE=$PWD/pgpass
+
+if $PSQL -h 127.0.0.1 -U scram_user -c "SELECT user, inet_client_addr();" test|grep "scram_user" >/dev/null 2>&1
+then
+ echo "scram_user authenticated successfuly"
+else
+ echo "scram authentication failed"
+ failed=1
+fi
+
+if $PSQL -h 127.0.0.1 -U md5_user -c "SELECT user, inet_client_addr();" test|grep "md5_user" >/dev/null 2>&1
+then
+ echo "md5_user authenticated successfuly"
+else
+ echo "md5 authentication failed"
+ failed=1
+fi
+#now try using the wrong passwords1:
+export PGPASSFILE=$PWD/pgpasswrong
+echo "Trying wrong passwords now"
+#try connect using scram_user and md5 user
+if $PSQL -h 127.0.0.1 -U scram_user -c "SELECT user, inet_client_addr();" test|grep "scram_user" >/dev/null 2>&1
+then
+ failed=1
+ echo "serious problem with scram authentication, password not verified by pgpool"
+else
+ echo "wrong password rejected properly for scram auth"
+fi
+
+if $PSQL -h 127.0.0.1 -U md5_user -c "SELECT user, inet_client_addr();" test|grep "md5_user" >/dev/null 2>&1
+then
+ failed=1
+ echo "serious problem with md5 authentication, password not verified by pgpool"
+else
+ echo "wrong password rejected properly for md5 auth"
+fi
+
+./shutdownall
+if [ -z "$failed" ]; then
+ exit 0
+fi
+
+exit 1
--- /dev/null
+# pgpool Client Authentication Configuration File
+# ===============================================
+#
+# The format rule in this file follows the rules in the PostgreSQL
+# Administrator's Guide. Refer to chapter "Client Authentication" for a
+# complete description. A short synopsis follows.
+#
+# This file controls: which hosts are allowed to connect, how clients
+# are authenticated, which user names they can use, which databases they
+# can access. Records take one of these forms:
+#
+# local DATABASE USER METHOD [OPTION]
+# host DATABASE USER CIDR-ADDRESS METHOD [OPTION]
+#
+# (The uppercase items must be replaced by actual values.)
+#
+# The first field is the connection type: "local" is a Unix-domain
+# socket, "host" is either a plain or SSL-encrypted TCP/IP socket.
+#
+# DATABASE can be "all", "sameuser", a database name, or a comma-separated
+# list thereof. Note that "samegroup" like in PostgreSQL's pg_hba.conf
+# file is not supported, since pgpool does not know which group a user
+# belongs to. Also note that the database specified here may not exist in
+# the backend PostgreSQL. pgpool will authenticate based on the database's
+# name, not based on whether it exists or not.
+#
+# USER can be "all", a user name, or a comma-separated list thereof. In
+# both the DATABASE and USER fields you can also write a file name prefixed
+# with "@" to include names from a separate file. Note that a group name
+# prefixed with "+" like in PostgreSQL's pg_hba.conf file is not supported
+# because of the same reason as "samegroup" token. Also note that a user
+# name specified here may not exist in the backend PostgreSQL. pgpool will
+# authenticate based on the user's name, not based on whether he/she exists.
+#
+# CIDR-ADDRESS specifies the set of hosts the record matches.
+# It is made up of an IP address and a CIDR mask that is an integer
+# (between 0 and 32 (IPv4) that specifies the number of significant bits in
+# the mask. Alternatively, you can write an IP address and netmask in
+# separate columns to specify the set of hosts.
+#
+# METHOD can be "trust", "reject", "md5" , "scram-sha-256" or "pam".
+# Note that "pam" sends passwords in clear text.
+#
+# OPTION is the name of the PAM service. Default service name is "pgpool"
+#
+# Database and user names containing spaces, commas, quotes and other special
+# characters must be quoted. Quoting one of the keywords "all" or "sameuser"
+# makes the name lose its special character, and just match a database or
+# username with that name.
+#
+# This file is read on pgpool startup. If you edit the file on a running
+# system, you have to restart the pgpool for the changes to take effect.
+
+# Put your actual configuration here
+# ----------------------------------
+#
+# If you want to allow non-local connections, you need to add more
+# "host" records. In that case you will also need to make pgpool listen
+# on a non-local interface via the listen_addresses configuration parameter.
+#
+
+# TYPE DATABASE USER CIDR-ADDRESS METHOD
+
+# "local" is for Unix domain socket connections only
+local all all trust
+# IPv4 local connections:
+host all scram_user 127.0.0.1/32 scram-sha-256
+host all scram_user ::1/128 scram-sha-256
+
+host all md5_user 127.0.0.1/32 md5
+host all md5_user ::1/128 md5
--- /dev/null
+#!/usr/bin/env bash
+#-------------------------------------------------------------------
+# test script for scram and md5 authentication
+# where password is stored in pool_passwd file
+#
+source $TESTLIBS
+TESTDIR=testdir
+PSQL=$PGBIN/psql
+CREATEUSER=$PGBIN/createuser
+
+
+rm -fr $TESTDIR
+mkdir $TESTDIR
+cd $TESTDIR
+
+# create test environment
+echo -n "creating test environment..."
+$PGPOOL_SETUP -m s -n 2 || exit 1
+echo "done."
+
+source ./bashrc.ports
+
+#echo "enable_pool_hba = on" >> etc/pgpool.conf
+echo "allow_clear_text_frontend_auth = off" >> etc/pgpool.conf
+#set max_init_children to 1 to make sure we reuse the
+#connection to test wrong password rejection
+echo "num_init_children = 1" >> etc/pgpool.conf
+echo "enable_pool_hba = on" >> etc/pgpool.conf
+
+#create pool_passwd file
+echo "scram_user:scram_password" >> etc/pool_passwd
+echo "md5_user:md5_password" >> etc/pool_passwd
+#copy the pool_hba to etc dir
+cp ../pool_hba.conf etc/
+./startall
+
+export PGPORT=$PGPOOL_PORT
+wait_for_pgpool_startup
+
+#set passwords
+$PSQL -c "SET password_encryption = 'scram-sha-256'; CREATE ROLE scram_user PASSWORD 'scram_password'; ALTER ROLE scram_user WITH LOGIN;" test
+$PSQL -c "SET password_encryption = 'md5'; CREATE ROLE md5_user PASSWORD 'md5_password'; ALTER ROLE md5_user WITH LOGIN" test
+$PSQL -c "CREATE ROLE trust_user PASSWORD 'trust_password';ALTER ROLE trust_user WITH LOGIN" test
+
+
+if $PSQL -c "SELECT rolname,substring(rolpassword, 1, 14) FROM pg_authid where rolname ='scram_user'" test|grep "SCRAM-SHA-256" >/dev/null 2>&1
+then
+ echo "scram_user authenticated setup successfuly"
+else
+ echo "scram authentication setup failed"
+ failed=1
+fi
+if $PSQL -c "SELECT rolname,substring(rolpassword, 1, 4) FROM pg_authid where rolname ='md5_user'" test|grep "md5" >/dev/null 2>&1
+then
+ echo "md5 authenticated setup successfuly"
+else
+ echo "md5 authentication setup failed"
+ failed=1
+fi
+#create pgpass file
+echo "127.0.0.1:$PGPORT:test:scram_user:scram_password" >> pgpass
+echo "127.0.0.1:$PGPORT:test:md5_user:md5_password" >> pgpass
+chmod 0600 pgpass
+echo "127.0.0.1:$PGPORT:test:scram_user:scram_wrong_password" >> pgpasswrong
+echo "127.0.0.1:$PGPORT:test:md5_user:md5_wrong_password" >> pgpasswrong
+chmod 0600 pgpasswrong
+
+
+export PGPASSFILE=$PWD/pgpass
+
+if $PSQL -h 127.0.0.1 -U scram_user -c "SELECT user, inet_client_addr();" test|grep "scram_user" >/dev/null 2>&1
+then
+ echo "scram_user authenticated successfuly"
+else
+ echo "scram authentication failed"
+ failed=1
+fi
+
+if $PSQL -h 127.0.0.1 -U md5_user -c "SELECT user, inet_client_addr();" test|grep "md5_user" >/dev/null 2>&1
+then
+ echo "md5_user authenticated successfuly"
+else
+ echo "md5 authentication failed"
+ failed=1
+fi
+#now try using the wrong passwords1:
+export PGPASSFILE=$PWD/pgpasswrong
+echo "Trying wrong passwords now"
+#try connect using scram_user and md5 user
+if $PSQL -h 127.0.0.1 -U scram_user -c "SELECT user, inet_client_addr();" test|grep "scram_user" >/dev/null 2>&1
+then
+ failed=1
+ echo "serious problem with scram authentication, password not verified by pgpool"
+else
+ echo "wrong password rejected properly for scram auth"
+fi
+
+if $PSQL -h 127.0.0.1 -U md5_user -c "SELECT user, inet_client_addr();" test|grep "md5_user" >/dev/null 2>&1
+then
+ failed=1
+ echo "serious problem with md5 authentication, password not verified by pgpool"
+else
+ echo "wrong password rejected properly for md5 auth"
+fi
+
+./shutdownall
+if [ -z "$failed" ]; then
+ exit 0
+fi
+
+exit 1
--- /dev/null
+# pgpool Client Authentication Configuration File
+# ===============================================
+#
+# The format rule in this file follows the rules in the PostgreSQL
+# Administrator's Guide. Refer to chapter "Client Authentication" for a
+# complete description. A short synopsis follows.
+#
+# This file controls: which hosts are allowed to connect, how clients
+# are authenticated, which user names they can use, which databases they
+# can access. Records take one of these forms:
+#
+# local DATABASE USER METHOD [OPTION]
+# host DATABASE USER CIDR-ADDRESS METHOD [OPTION]
+#
+# (The uppercase items must be replaced by actual values.)
+#
+# The first field is the connection type: "local" is a Unix-domain
+# socket, "host" is either a plain or SSL-encrypted TCP/IP socket.
+#
+# DATABASE can be "all", "sameuser", a database name, or a comma-separated
+# list thereof. Note that "samegroup" like in PostgreSQL's pg_hba.conf
+# file is not supported, since pgpool does not know which group a user
+# belongs to. Also note that the database specified here may not exist in
+# the backend PostgreSQL. pgpool will authenticate based on the database's
+# name, not based on whether it exists or not.
+#
+# USER can be "all", a user name, or a comma-separated list thereof. In
+# both the DATABASE and USER fields you can also write a file name prefixed
+# with "@" to include names from a separate file. Note that a group name
+# prefixed with "+" like in PostgreSQL's pg_hba.conf file is not supported
+# because of the same reason as "samegroup" token. Also note that a user
+# name specified here may not exist in the backend PostgreSQL. pgpool will
+# authenticate based on the user's name, not based on whether he/she exists.
+#
+# CIDR-ADDRESS specifies the set of hosts the record matches.
+# It is made up of an IP address and a CIDR mask that is an integer
+# (between 0 and 32 (IPv4) that specifies the number of significant bits in
+# the mask. Alternatively, you can write an IP address and netmask in
+# separate columns to specify the set of hosts.
+#
+# METHOD can be "trust", "reject", "md5" , "scram-sha-256" or "pam".
+# Note that "pam" sends passwords in clear text.
+#
+# OPTION is the name of the PAM service. Default service name is "pgpool"
+#
+# Database and user names containing spaces, commas, quotes and other special
+# characters must be quoted. Quoting one of the keywords "all" or "sameuser"
+# makes the name lose its special character, and just match a database or
+# username with that name.
+#
+# This file is read on pgpool startup. If you edit the file on a running
+# system, you have to restart the pgpool for the changes to take effect.
+
+# Put your actual configuration here
+# ----------------------------------
+#
+# If you want to allow non-local connections, you need to add more
+# "host" records. In that case you will also need to make pgpool listen
+# on a non-local interface via the listen_addresses configuration parameter.
+#
+
+# TYPE DATABASE USER CIDR-ADDRESS METHOD
+
+# "local" is for Unix domain socket connections only
+local all all trust
+# IPv4 local connections:
+host all md5_user 127.0.0.1/32 scram-sha-256
+host all md5_user ::1/128 scram-sha-256
+
+host all scram_user 127.0.0.1/32 md5
+host all scram_user ::1/128 md5
--- /dev/null
+#!/usr/bin/env bash
+#-------------------------------------------------------------------
+# test script for scram and md5 authentication
+# where password is stored in pool_passwd file and
+# frontend uses different auth from backends
+#
+source $TESTLIBS
+TESTDIR=testdir
+PSQL=$PGBIN/psql
+CREATEUSER=$PGBIN/createuser
+
+
+rm -fr $TESTDIR
+mkdir $TESTDIR
+cd $TESTDIR
+
+# create test environment
+echo -n "creating test environment..."
+$PGPOOL_SETUP -m s -n 2 || exit 1
+echo "done."
+
+source ./bashrc.ports
+
+#echo "enable_pool_hba = on" >> etc/pgpool.conf
+echo "allow_clear_text_frontend_auth = off" >> etc/pgpool.conf
+#set max_init_children to 1 to make sure we reuse the
+#connection to test wrong password rejection
+echo "num_init_children = 1" >> etc/pgpool.conf
+echo "enable_pool_hba = on" >> etc/pgpool.conf
+
+#create pool_passwd file
+echo "scram_user:scram_password" >> etc/pool_passwd
+echo "md5_user:md5_password" >> etc/pool_passwd
+#copy the pool_hba to etc dir
+cp ../pool_hba.conf etc/
+./startall
+
+export PGPORT=$PGPOOL_PORT
+wait_for_pgpool_startup
+
+#set passwords
+$PSQL -c "SET password_encryption = 'scram-sha-256'; CREATE ROLE scram_user PASSWORD 'scram_password'; ALTER ROLE scram_user WITH LOGIN;" test
+$PSQL -c "SET password_encryption = 'md5'; CREATE ROLE md5_user PASSWORD 'md5_password'; ALTER ROLE md5_user WITH LOGIN" test
+$PSQL -c "CREATE ROLE trust_user PASSWORD 'trust_password';ALTER ROLE trust_user WITH LOGIN" test
+
+
+if $PSQL -c "SELECT rolname,substring(rolpassword, 1, 14) FROM pg_authid where rolname ='scram_user'" test|grep "SCRAM-SHA-256" >/dev/null 2>&1
+then
+ echo "scram_user authenticated setup successfuly"
+else
+ echo "scram authentication setup failed"
+ failed=1
+fi
+if $PSQL -c "SELECT rolname,substring(rolpassword, 1, 4) FROM pg_authid where rolname ='md5_user'" test|grep "md5" >/dev/null 2>&1
+then
+ echo "md5 authenticated setup successfuly"
+else
+ echo "md5 authentication setup failed"
+ failed=1
+fi
+#create pgpass file
+echo "127.0.0.1:$PGPORT:test:scram_user:scram_password" >> pgpass
+echo "127.0.0.1:$PGPORT:test:md5_user:md5_password" >> pgpass
+chmod 0600 pgpass
+echo "127.0.0.1:$PGPORT:test:scram_user:scram_wrong_password" >> pgpasswrong
+echo "127.0.0.1:$PGPORT:test:md5_user:md5_wrong_password" >> pgpasswrong
+chmod 0600 pgpasswrong
+
+
+export PGPASSFILE=$PWD/pgpass
+
+if $PSQL -h 127.0.0.1 -U scram_user -c "SELECT user, inet_client_addr();" test|grep "scram_user" >/dev/null 2>&1
+then
+ echo "scram_user authenticated successfuly"
+else
+ echo "scram authentication failed"
+ failed=1
+fi
+
+if $PSQL -h 127.0.0.1 -U md5_user -c "SELECT user, inet_client_addr();" test|grep "md5_user" >/dev/null 2>&1
+then
+ echo "md5_user authenticated successfuly"
+else
+ echo "md5 authentication failed"
+ failed=1
+fi
+#now try using the wrong passwords1:
+export PGPASSFILE=$PWD/pgpasswrong
+echo "Trying wrong passwords now"
+#try connect using scram_user and md5 user
+if $PSQL -h 127.0.0.1 -U scram_user -c "SELECT user, inet_client_addr();" test|grep "scram_user" >/dev/null 2>&1
+then
+ failed=1
+ echo "serious problem with scram authentication, password not verified by pgpool"
+else
+ echo "wrong password rejected properly for scram auth"
+fi
+
+if $PSQL -h 127.0.0.1 -U md5_user -c "SELECT user, inet_client_addr();" test|grep "md5_user" >/dev/null 2>&1
+then
+ failed=1
+ echo "serious problem with md5 authentication, password not verified by pgpool"
+else
+ echo "wrong password rejected properly for md5 auth"
+fi
+
+./shutdownall
+if [ -z "$failed" ]; then
+ exit 0
+fi
+
+exit 1
projects / pgpool2.git / commitdiff