From 6c07f428200042b38bf9c17f74a70c657ace65af Mon Sep 17 00:00:00 2001
From: Muhammad Usama
Date: Wed, 2 May 2018 13:57:36 +0500
Subject: [PATCH] Add new Pgpool-II config parameter allow_clear_text_frontend_auth
allow_clear_text_frontend_auth allows Pgpool-II to use clear text password authentication with front-end clients, when pool_passwd file does not contain the password for connecting user while the backend asks for MD5 or SCRAM type authentication.
allow_clear_text_frontend_auth only works when pool_hba is not enabled
---
src/auth/pool_auth.c | 18 ++++++++++--------
src/config/pool_config_variables.c | 9 +++++++++
src/include/pool_config.h | 8 +++++++-
src/sample/pgpool.conf.sample | 6 ++++++
src/sample/pgpool.conf.sample-logical | 5 +++++
src/sample/pgpool.conf.sample-master-slave | 5 +++++
src/sample/pgpool.conf.sample-replication | 5 +++++
src/sample/pgpool.conf.sample-stream | 5 +++++
src/utils/pool_process_reporting.c | 5 +++++
src/watchdog/watchdog.c | 1 +
src/watchdog/wd_json_data.c | 3 +++
11 files changed, 61 insertions(+), 9 deletions(-)
diff --git a/src/auth/pool_auth.c b/src/auth/pool_auth.c
index 5b15200da..4e1fb3c79 100644
--- a/src/auth/pool_auth.c
+++ b/src/auth/pool_auth.c
@@ -254,11 +254,12 @@ int pool_do_auth(POOL_CONNECTION *frontend, POOL_CONNECTION_POOL *cp)
 * we can still get the password from client using plain text authentication
 * if it is allowed by user
 */
- if (frontend->pool_hba == NULL /*&& config allows */)
+ if (frontend->pool_hba == NULL && pool_config->allow_clear_text_frontend_auth)
 {
 ereport(LOG,
- (errmsg("usign clear text authentication with frontend"),
- errdetail("backend will still use md5 auth")));
+ (errmsg("using clear text authentication with frontend"),
+ errdetail("backend will still use md5 auth"),
+ errhint("you can disable this behavior by setting allow_clear_text_frontend_auth to off")));
 authenticate_frontend_clear_text(frontend);
 /* now check again if we have a password now */
 if (get_auth_password(MASTER(cp), frontend, 0,
@@ -275,7 +276,7 @@ int pool_do_auth(POOL_CONNECTION *frontend, POOL_CONNECTION_POOL *cp)
 {
 ereport(ERROR,
 (errmsg("failed to authenticate with backend using md5"),
- errdetail("password type is not valid")));
+ errdetail("valid password not found")));
 }
 }
@@ -314,11 +315,12 @@ int pool_do_auth(POOL_CONNECTION *frontend, POOL_CONNECTION_POOL *cp)
 * we can still get the password from client using plain text authentication
 * if it is allowed by user
 */
- if (frontend->pool_hba == NULL /*&& config allows */)
+ if (frontend->pool_hba == NULL && pool_config->allow_clear_text_frontend_auth)
 {
 ereport(LOG,
- (errmsg("usign clear text authentication with frontend"),
- errdetail("backend will still use SCRAM auth")));
+ (errmsg("using clear text authentication with frontend"),
+ errdetail("backend will still use SCRAM auth"),
+ errhint("you can disable this behavior by setting allow_clear_text_frontend_auth to off")));
 authenticate_frontend_clear_text(frontend);
 /* now check again if we have a password now */
 if (get_auth_password(MASTER(cp), frontend, 0,
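Review bot: The new fallback behind `if (frontend->pool_hba == NULL && pool_config->allow_clear_text_frontend_auth)` asks the client for its password in clear text without checking whether the frontend connection is encrypted, so with ssl off the password crosses the network in the clear even though the backend itself insisted on MD5. Consider gating the fallback on the frontend's TLS state, or at least raising the severity when it is not encrypted; assuming POOL_CONNECTION exposes the negotiated SSL state as `ssl_active`, something like `if (!frontend->ssl_active) ereport(WARNING, (errmsg("requesting clear text password from frontend over an unencrypted connection")));` placed before `authenticate_frontend_clear_text(frontend);`. The password obtained this way is presumably kept on the frontend connection for the MD5 exchange; it is worth confirming it is wiped once the backend handshake finishes, which happens outside this hunk. pool_do_auth starts before and continues after the hunk.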
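Review bot: The SCRAM branch is now a line-for-line copy of the MD5 branch above it, differing only in the word inside errdetail; the three-line ereport plus the `authenticate_frontend_clear_text(frontend);` call would be better kept in one static helper so that any later hardening of the clear-text fallback (SSL check, severity, wiping) lands in one place. The call site in both branches would then read `clear_text_frontend_fallback(frontend, "SCRAM");` (respectively `"md5"`), with the `get_auth_password` re-check left where it is. pool_do_auth continues outside the hunk, so the helper would be placed above it in the same file.
```c
/* Ask the frontend for its password in clear text when pool_passwd has no
 * entry for the user; backend_auth names the method the backend requested
 * and is only used for the log line. */
static void
clear_text_frontend_fallback(POOL_CONNECTION *frontend, const char *backend_auth)
{
	ereport(LOG,
			(errmsg("using clear text authentication with frontend"),
			 errdetail("backend will still use %s auth", backend_auth),
			 errhint("you can disable this behavior by setting allow_clear_text_frontend_auth to off")));
	authenticate_frontend_clear_text(frontend);
}
```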
@@ -335,7 +337,7 @@ int pool_do_auth(POOL_CONNECTION *frontend, POOL_CONNECTION_POOL *cp) { ereport(ERROR, (errmsg("failed to authenticate with backend using SCRAM"), - errdetail("password type is not valid"))); + errdetail("valid password not "))); } for (i=0;i 0), the client is forced to be - *disconnected after n seconds idle */ + * disconnected after n seconds idle */ + bool allow_clear_text_frontend_auth; + /* enable Pgpool-II to use clear text password authentication + * between Pgpool and client to get the password + * when password for user does not exist in pool_password + * file. + */ int authentication_timeout; /* maximum time in seconds to complete client authentication */ int max_pool; /* max # of connection pool per child */ char *logdir; /* logging directory */ diff --git a/src/sample/pgpool.conf.sample b/src/sample/pgpool.conf.sample index 1c5efc448..6b66cfbbc 100644 --- a/src/sample/pgpool.conf.sample +++ b/src/sample/pgpool.conf.sample @@ -91,6 +91,12 @@ authentication_timeout = 60 # Delay in seconds to complete client authentication # 0 means no timeout. +allow_clear_text_frontend_auth = off + # Allow Pgpool-II to use clear text password authentication + # with clients, when pool_passwd does not + # contain the user password + + # - SSL Connections - ssl = off diff --git a/src/sample/pgpool.conf.sample-logical b/src/sample/pgpool.conf.sample-logical index 7c5f67d04..a7da9a15e 100644 --- a/src/sample/pgpool.conf.sample-logical +++ b/src/sample/pgpool.conf.sample-logical @@ -92,6 +92,11 @@ authentication_timeout = 60 # Delay in seconds to complete client authentication # 0 means no timeout. +allow_clear_text_frontend_auth = off + # Allow Pgpool-II to use clear text password authentication + # with clients, when pool_passwd does not + # contain the user password + # - SSL Connections - ssl = off diff --git a/src/sample/pgpool.conf.sample-master-slave b/src/sample/pgpool.conf.sample-master-slave index 4807b4780..07c1c0b8a 100644 
--- a/src/sample/pgpool.conf.sample-master-slave
+++ b/src/sample/pgpool.conf.sample-master-slave
@@ -91,6 +91,11 @@ authentication_timeout = 60
 # Delay in seconds to complete client authentication
 # 0 means no timeout.
+allow_clear_text_frontend_auth = off
+ # Allow Pgpool-II to use clear text password authentication
+ # with clients, when pool_passwd does not
+ # contain the user password
+
 # - SSL Connections -
 ssl = off
diff --git a/src/sample/pgpool.conf.sample-replication b/src/sample/pgpool.conf.sample-replication
index 64d69c36e..88612f0a6 100644
--- a/src/sample/pgpool.conf.sample-replication
+++ b/src/sample/pgpool.conf.sample-replication
@@ -90,6 +90,11 @@ authentication_timeout = 60
 # Delay in seconds to complete client authentication
 # 0 means no timeout.
+allow_clear_text_frontend_auth = off
+ # Allow Pgpool-II to use clear text password authentication
+ # with clients, when pool_passwd does not
+ # contain the user password
+
 # - SSL Connections -
 ssl = off
diff --git a/src/sample/pgpool.conf.sample-stream b/src/sample/pgpool.conf.sample-stream
index d752b1745..7e50c9e08 100644
--- a/src/sample/pgpool.conf.sample-stream
+++ b/src/sample/pgpool.conf.sample-stream
@@ -92,6 +92,11 @@ authentication_timeout = 60
 # Delay in seconds to complete client authentication
 # 0 means no timeout.
+allow_clear_text_frontend_auth = off
+ # Allow Pgpool-II to use clear text password authentication
+ # with clients, when pool_passwd does not
+ # contain the user password
+
 # - SSL Connections -
 ssl = off
diff --git a/src/utils/pool_process_reporting.c b/src/utils/pool_process_reporting.c
index cb3d18f36..48416637b 100644
--- a/src/utils/pool_process_reporting.c
+++ b/src/utils/pool_process_reporting.c
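Review bot: The comment added under `allow_clear_text_frontend_auth = off` says when the fallback triggers but not what it costs: the client sends its password to Pgpool-II in clear text, so on a non-SSL connection it is exposed on the wire. I would extend the comment in every sample file with a line such as `# The client sends its password in clear text; only enable this with ssl = on`. The commit message also says the option is inert when pool_hba is enabled; stating that next to the setting would save operators a surprise.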
@@ -213,6 +213,11 @@ POOL_REPORT_CONFIG* get_config(int *nrows)
 StrNCpy(status[i].desc, "maximum time in seconds to complete client authentication", POOLCONFIG_MAXNAMELEN);
 i++;
+ StrNCpy(status[i].name, "allow_clear_text_frontend_auth", POOLCONFIG_MAXNAMELEN);
+ snprintf(status[i].value, POOLCONFIG_MAXVALLEN, "%d", pool_config->allow_clear_text_frontend_auth);
+ StrNCpy(status[i].desc, "allow to use clear text password auth when pool_passwd does not contain password", POOLCONFIG_MAXDESCLEN);
+ i++;
+
 /* - SSL Connections - */
 StrNCpy(status[i].name, "ssl", POOLCONFIG_MAXNAMELEN);
 snprintf(status[i].value, POOLCONFIG_MAXVALLEN, "%d", pool_config->ssl);
diff --git a/src/watchdog/watchdog.c b/src/watchdog/watchdog.c
index 08f5a09a7..4ee6ee51a 100644
--- a/src/watchdog/watchdog.c
+++ b/src/watchdog/watchdog.c
@@ -6372,6 +6372,7 @@ static void verify_pool_configurations(WatchdogNode* wdNode, POOL_CONFIG* config
 WD_VERIFY_RECEIVED_CONFIG_PARAMETER_VAL_BOOL(config, wdNode, enable_pool_hba);
 WD_VERIFY_RECEIVED_CONFIG_PARAMETER_VAL_BOOL(config, wdNode, load_balance_mode);
 WD_VERIFY_RECEIVED_CONFIG_PARAMETER_VAL_BOOL(config, wdNode, replication_stop_on_mismatch);
+ WD_VERIFY_RECEIVED_CONFIG_PARAMETER_VAL_BOOL(config, wdNode, allow_clear_text_frontend_auth);
 WD_VERIFY_RECEIVED_CONFIG_PARAMETER_VAL_BOOL(config, wdNode, failover_if_affected_tuples_mismatch);
 WD_VERIFY_RECEIVED_CONFIG_PARAMETER_VAL_BOOL(config, wdNode, fail_over_on_backend_error);
 WD_VERIFY_RECEIVED_CONFIG_PARAMETER_VAL_BOOL(config, wdNode, replicate_select);
diff --git a/src/watchdog/wd_json_data.c b/src/watchdog/wd_json_data.c
index 58465c496..328191d7d 100644
--- a/src/watchdog/wd_json_data.c
+++ b/src/watchdog/wd_json_data.c
@@ -68,6 +68,8 @@ POOL_CONFIG* get_pool_config_from_json(char* json_data, int data_len)
 goto ERROR_EXIT;
 if (json_get_bool_value_for_key(root, "replication_stop_on_mismatch", &config->replication_stop_on_mismatch))
 goto ERROR_EXIT;
+ if (json_get_bool_value_for_key(root, "allow_clear_text_frontend_auth", &config->allow_clear_text_frontend_auth))
+ goto ERROR_EXIT;
 if (json_get_bool_value_for_key(root, "failover_if_affected_tuples_mismatch", &config->failover_if_affected_tuples_mismatch))
 goto ERROR_EXIT;
 if (json_get_bool_value_for_key(root, "replicate_select", &config->replicate_select))
@@ -181,6 +183,7 @@ char* get_pool_config_json(void)
 jw_put_bool(jNode, "replication_mode", pool_config->replication_mode);
 jw_put_bool(jNode, "enable_pool_hba", pool_config->enable_pool_hba);
 jw_put_int(jNode, "load_balance_mode", pool_config->load_balance_mode);
+ jw_put_bool(jNode, "allow_clear_text_frontend_auth", pool_config->allow_clear_text_frontend_auth);
 jw_put_bool(jNode, "replication_stop_on_mismatch", pool_config->replication_stop_on_mismatch);
 jw_put_bool(jNode, "failover_if_affected_tuples_mismatch", pool_config->failover_if_affected_tuples_mismatch);
 jw_put_bool(jNode, "replicate_select", pool_config->replicate_select);
-- 
2.39.5
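Review bot: The added `json_get_bool_value_for_key(root, "allow_clear_text_frontend_auth", ...)` check aborts the whole parse with `goto ERROR_EXIT` when the key is absent, and if this JSON comes from a peer watchdog node that is what a node not yet carrying this commit would send during a rolling upgrade. This matches how the neighbouring keys are handled, so it may be accepted policy; if mixed-version clusters are meant to keep working, treating a missing key as false would be safer, e.g. `if (json_get_bool_value_for_key(root, "allow_clear_text_frontend_auth", &config->allow_clear_text_frontend_auth)) config->allow_clear_text_frontend_auth = false;`. Either way, a one-line comment on the new check saying which behaviour is intended would help the next person who adds a key. get_pool_config_from_json starts and ends outside the hunk.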