<div dir="ltr"><div class="gmail_default" style="font-family:tahoma,sans-serif">Thank you Tatsuo, you have been very helpful!<br><br></div><div class="gmail_default" style="font-family:tahoma,sans-serif">I also think it would be a good idea, if the part of your reply about the authentication flow<br></div><div class="gmail_default" style="font-family:tahoma,sans-serif">was added to the manual at the section "Authentication / Access Controls" because it <br></div><div class="gmail_default" style="font-family:tahoma,sans-serif">answers (at least for newcomers) some of the common security-related worries.<br></div><div class="gmail_default" style="font-family:tahoma,sans-serif"><br></div><div class="gmail_default" style="font-family:tahoma,sans-serif">Thanks again, and congratulations on the great work!<br></div><div class="gmail_default" style="font-family:tahoma,sans-serif"><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, May 11, 2015 at 3:38 AM, Tatsuo Ishii <span dir="ltr"><<a href="mailto:ishii@postgresql.org" target="_blank">ishii@postgresql.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Michail,<br>
<br>
Welcome to the pgpool-II world!<br>
<div><div class="h5"><br>
> Hello list,<br>
><br>
> First, i am a complete newbie to pgpool, so please forgive any<br>
> misunderstandings i may have. I am experimenting with pgpool in order to<br>
> use it in front of a master/standy postgresql cluster (streaming<br>
> replication) as the only connection endpoint for several web applications.<br>
> I have installed (via APT) pgpool2 3.1.3-5.<br>
><br>
> I was trying to understand the authentication workflow (and in particular<br>
> how pool_hba works). I guessed that pool_hba is there to authenticate<br>
> client connections before (re)using an already authenticated connection<br>
> from the connection pool (to one of the backends).<br>
><br>
> I use the following settings:<br>
> enable_pool_hba = on<br>
> pool_passwd = 'pool_passwd'<br>
><br>
> I populated pool_passwd (owned by postgres, 0600) using pg_md5 as described<br>
> at the official manual:<br>
> pg_md5 --md5auth -p -u tester -f /etc/pgpool2/pgpool.conf<br>
> and it;s contents are now:<br>
> tester:md5c3271fc99b3e8cada6aa9d8b8f0d0938<br>
><br>
> I have a pool_hba.conf file with an entry (let <a href="http://192.168.1.0/24" target="_blank">192.168.1.0/24</a> be the<br>
> network from where applications connect to pgpool):<br>
> host all all <a href="http://192.168.1.0/24" target="_blank">192.168.1.0/24</a> md5<br>
><br>
> The backend's (only 1 for the time) pg_hba.conf is configured to trust<br>
> (method:trust) connections from user "tester" originating from pgpool's<br>
> host.<br>
><br>
> So, i'd expect that when trying to connect to pgpool (e.g. with psql), i<br>
> would have been forced to authenticate against pool_passwd's entries, but<br>
> instead i passed without a prompt (just like connecting directly to the<br>
> backend). Is this the normal behavior?<br>
<br>
</div></div>Yes. pgpool-II first asks backends if md5 auth is required or not. If<br>
required, pgpool-II asks md5 auth to frontend. In other word, if the<br>
backends do not require md5 auth, trust auth is used.<br>
<span class=""><br>
> More generally, i was curious on how exactly are clients authenticated and<br>
> mapped to (opened?) connection slots from the pool?<br>
<br>
</span>Each connection request from frontend is associated with user name and<br>
database name. pgpool-II also remembers opened connection's user name<br>
and database name. So pgpool-II can easily maps an incoming connection<br>
request to already opened connections (if any). In md5 auth case,<br>
pgpool-II also memories hashed password for the opened connection. So<br>
pgpool-II does the auth work without asking backends.<br>
<span class=""><br>
> Thanks for your time!<br>
><br>
> Michail Alexakis,<br>
> Software engineer, RC "Athena", Athens, Greece<br>
<br>
</span>Best regards,<br>
--<br>
Tatsuo Ishii<br>
SRA OSS, Inc. Japan<br>
English: <a href="http://www.sraoss.co.jp/index_en.php" target="_blank">http://www.sraoss.co.jp/index_en.php</a><br>
Japanese:<a href="http://www.sraoss.co.jp" target="_blank">http://www.sraoss.co.jp</a><br>
</blockquote></div><br></div>