<div dir="ltr"><br><br><div class="gmail_quote"><div dir="ltr">On Fri, Aug 24, 2018 at 10:34 AM Tatsuo Ishii <<a href="mailto:ishii@sraoss.co.jp">ishii@sraoss.co.jp</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">> Here are items we need to resolve before going to alpha2.<br>
> <br>
> 1) 0000425: pgpool_setup doesn't work with pre-PostgreSQL 10.<br>
> - <a href="https://www.pgpool.net/mantisbt/view.php?id=425" rel="noreferrer" target="_blank">https://www.pgpool.net/mantisbt/view.php?id=425</a><br>
> - Tatsuo already pushed fix. Let's see if buildfarm complains.<br>
> <br>
> 2) 0000426: Pgpool-II continues to emit warning messages<br>
> - <a href="https://www.pgpool.net/mantisbt/view.php?id=426" rel="noreferrer" target="_blank">https://www.pgpool.net/mantisbt/view.php?id=426</a><br>
<br>
I have looked into this a little bit. It turns out that the<br>
specification for all "password" entries (health check, streaming<br>
replication delay check, at least) in the pgpool.conf has been changed<br>
since 4.0. From the 4.0 manual:<br>
<br>
-------------------------------------------------------------------------<br>
If health_check_password is left blank Pgpool-II will first try to<br>
get the password for health_check_user from pool_passwd file before<br>
using the empty password.<br>
<br>
You can also specify AES256-CBC encrypted password in<br>
health_check_password field. To specify the AES encrypted password,<br>
password string must be prefixed with AES after encrypting (using<br>
aes-256-cbc algorithm) and encoding to base64.<br>
-------------------------------------------------------------------------<br>
<br>
Since pgpool_setup left the password blank (actually not blank, but an empty<br>
string), Pgpool-II tries to retrieve the password for health_check_user, for example,<br>
from pool_passwd. But since pool_enable_hba = off, no entry for the<br>
user is found in pgpool_passwd. I think this behavior is strange, since<br>
pool_passwd should only be consulted when pool_enable_hba is on.<br></blockquote><div><br></div><div>Yes, as part of the SCRAM feature I try to solve all insecure password storage</div><div>by Pgpool-II, and for that I think the pool_passwd file is the best option instead</div><div>of using a new file, because we can continue to evolve pool_passwd in future,</div><div>and as a result every module in Pgpool-II that uses the password will benefit from it.</div><div><br></div><div>Is there any specific reason why we want to disable pool_passwd consulting when</div><div>pool_enable_hba is off?</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
Also I have to point out that "password string must be prefixed with AES<br>
after encrypting" is a questionable spec. Since people could enter any<br>
clear text password, including one prefixed with AES, there's no way to<br>
determine if it is a clear text password or AES encrypted. If we want<br>
to store AES encrypted passwords, then there should be a configuration<br>
parameter which specifies the password format (encrypted in AES or<br>
not).<br>
<br>
Without the flag, the design looks too hacky.<br></blockquote><div><br></div><div>Yes, that's a valid point, and I think we can have two options if we want to allow</div><div>text passwords in pool_passwd.</div><div><br></div><div>1- Use a TEXT prefix for text passwords, similarly to AES and MD5</div><div>2- Use an escape character to escape the AES and MD5 prefixes.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
Note that I pointed out a similar thing regarding pool_passwd. I<br>
objected to including clear text passwords in pool_passwd for the same<br>
reason as above.<br></blockquote><div><br></div><div>Yes, we can disallow storing clear text passwords in pool_passwd, but I think as long</div><div>as we allow encrypted passwords in pool_passwd it's no harm to allow text passwords.</div><div><br></div><div>Thanks</div><div>Best Regards</div><div>Muhammad Usama</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
> 3) 0000427: pg_enc emits wrong warnings<br>
> - <a href="https://www.pgpool.net/mantisbt/view.php?id=427" rel="noreferrer" target="_blank">https://www.pgpool.net/mantisbt/view.php?id=427</a><br>
> <br>
> 4) Coverity errors (mostly memory leaks)<br>
> - Usama is working on it.<br>
> <br>
> 5) Clear text password should not be allowed in pool_passwd<br>
> <a href="https://www.pgpool.net/pipermail/pgpool-hackers/2018-August/002979.html" rel="noreferrer" target="_blank">https://www.pgpool.net/pipermail/pgpool-hackers/2018-August/002979.html</a><br>
> <br>
> 6) Cert auth does not work between client and Pgpool-II<br>
> <a href="https://www.pgpool.net/pipermail/pgpool-hackers/2018-August/002983.html" rel="noreferrer" target="_blank">https://www.pgpool.net/pipermail/pgpool-hackers/2018-August/002983.html</a><br>
> <br>
> Please add items if I missed something.<br>
> --<br>
> Tatsuo Ishii<br>
> SRA OSS, Inc. Japan<br>
> English: <a href="http://www.sraoss.co.jp/index_en.php" rel="noreferrer" target="_blank">http://www.sraoss.co.jp/index_en.php</a><br>
> Japanese:<a href="http://www.sraoss.co.jp" rel="noreferrer" target="_blank">http://www.sraoss.co.jp</a><br>
> _______________________________________________<br>
> pgpool-hackers mailing list<br>
> <a href="mailto:pgpool-hackers@pgpool.net" target="_blank">pgpool-hackers@pgpool.net</a><br>
> <a href="http://www.pgpool.net/mailman/listinfo/pgpool-hackers" rel="noreferrer" target="_blank">http://www.pgpool.net/mailman/listinfo/pgpool-hackers</a><br>
</blockquote></div></div>
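The prefix ambiguity discussed in this thread, as an added example that is not part of the original mail and is not Pgpool-II's own code: a small Python parser for pool_passwd-style entries that contrasts the prefix-only detection described in the quoted manual text with the two proposed fixes (option 1, an explicit format tag; option 2, an escape character). The sample entries, the backslash as escape character, and the exact spelling of the TEXT tag are assumptions made for the example.

```python
"""
Added example (not Pgpool-II code): three ways to decide what kind of
credential a pool_passwd-style "username:stored" entry holds, showing
why a bare "AES" prefix is ambiguous and how an explicit format tag or
an escape character removes the ambiguity. All sample entries are
constructed and are not real credentials.
"""
import re

# PostgreSQL-style md5 credential: the literal "md5" followed by 32 hex digits.
MD5_RE = re.compile(r"^md5[0-9a-f]{32}$")


def parse_pool_passwd(text: str) -> dict:
    """Parse 'username:stored' lines into a dict; blank lines and '#' comments are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, stored = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        entries[user] = stored
    return entries


def classify_by_prefix(stored: str) -> str:
    """Scheme from the quoted 4.0 manual text: a leading 'AES' means base64
    ciphertext, an md5 credential is recognised by its shape, anything else is
    clear text. Guessing from the value alone is the problem: a clear-text
    password that happens to start with 'AES' is misread as ciphertext."""
    if stored.startswith("AES"):
        return "aes"
    if MD5_RE.match(stored):
        return "md5"
    return "text"


def classify_tagged(stored: str) -> tuple:
    """Option 1 from the thread (tag spelling assumed): every entry carries an
    explicit format tag (TEXT, md5 or AES) and untagged values are rejected
    instead of guessed, so a text password may legitimately begin with 'AES'."""
    for tag, fmt in (("TEXT", "text"), ("md5", "md5"), ("AES", "aes")):
        if stored.startswith(tag):
            return fmt, stored[len(tag):]
    raise ValueError("untagged entry; refusing to guess its format")


def classify_escaped(stored: str) -> tuple:
    """Option 2 from the thread (backslash assumed as the escape character):
    a clear-text password whose first characters collide with a prefix is
    written with a leading escape, so 'AES...' is ciphertext but '\\AES...'
    is the text password 'AES...'."""
    if stored.startswith("\\"):
        return "text", stored[1:]
    if stored.startswith("AES"):
        return "aes", stored[3:]
    if MD5_RE.match(stored):
        return "md5", stored
    return "text", stored


# Constructed sample file: "alice" chose a clear-text password that starts with "AES".
SAMPLE = "\n".join([
    "# constructed pool_passwd sample, not real credentials",
    "alice:AESops2018",
    "bob:md5" + "a" * 32,
    "carol:AESc2VjcmV0",
])


def demo() -> dict:
    """Return how each scheme reads alice's entry, to make the ambiguity visible."""
    entries = parse_pool_passwd(SAMPLE)
    alice = entries["alice"]
    return {
        "prefix_only": classify_by_prefix(alice),    # "aes": wrong, alice meant clear text
        "tagged": classify_tagged("TEXT" + alice),    # ("text", "AESops2018")
        "escaped": classify_escaped("\\" + alice),    # ("text", "AESops2018")
    }


if __name__ == "__main__":
    for scheme, result in demo().items():
        print(f"{scheme:12} -> {result}")
```

The point of `classify_tagged` raising on an untagged value is that a credential store should fail closed rather than guess: an entry of unknown format is a configuration error to surface, not a value to pass along to a backend as either plaintext or ciphertext.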