Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Need to improve documentation how to correctly configure to use one user to auth others #756

Open
garry-t opened this issue Jun 20, 2024 · 1 comment
Open

Need to improve documentation how to correctly configure to use one user to auth others #756

garry-t opened this issue Jun 20, 2024 · 1 comment

Comments

@garry-t
Copy link

garry-t commented Jun 20, 2024

Describe the bug
It is not clear how to achieve same behaviour as we have in pgbouncer when we avoid hardcode all db user to config and instead use auth query and auth user to check password and user name from db side. I read docs multiple times for pgcat and struggled to made it work

To Reproduce
Steps to reproduce the behavior:

  1. Set config
[general]
host = "0.0.0.0"
port = 6433
[pools.staging]
pool_mode = "transaction"
default_role = "primary"
prepared_statements_cache_size = 0
query_parser_enabled = false
primary_reads_enabled = true

[pools.staging.users.0]
username = "pgbouncer" # user which check pg_shadow no? 
password = "pass"
# same if we use server_username and server_password.
pool_size = 50
statement_timeout = 0


[pools.staging.shards.0]
servers = [
  ["127.0.0.1", 5432, "primary"]
]
database = "staging"
auth_query = "SELECT usename, passwd FROM user_search($1)"
auth_query_user = "pgbouncer" # duplicate it here since not clear 
auth_query_password = "pass"
  1. Run command to test connection psql -h 127.0.0.1 -p 6433 -U test_staging_rw staging

Expected behavior
pgcat takes user name and password from connection string, connect to db with a separate user and check in pg_shadow provided user and password from connection string.

Screenshots
not relevant

Desktop (please complete the following information):
not relevant

Smartphone (please complete the following information):
not relevant

Additional context
so far error but with WARN severity ))

WARN ThreadId(16) pgcat: Client disconnected with error ClientSocketError("password code", ClientIdentifier { application_name: "psql", username: "test_staging_rw", pool_name: "staging" })
 WARN ThreadId(15) pgcat: Client disconnected with error ClientGeneralError("Invalid pool name", ClientIdentifier { application_name: "psql", username: "test_staging_rw", pool_name: "staging" })
@drdrsh
Copy link
Collaborator

drdrsh commented Aug 31, 2024
edited
Loading

I dug a bit into this so there are a few things needed to make this work, I highlighted them in comments on the suggested config

FIrst, you need to have your auth query settings directly under the pool settings not under [pools.pool_name.users] nor under [pools.pool_name.shards]

[pools.pool_name]
# Be sure that this view exists and you have single quotes around the placeholder $1
auth_query = "SELECT usename, passwd FROM user_search('$1')" 

# Be sure to grant this user LOGIN on Postgres
auth_query_user = "auth_user" 

auth_query_password = "auth_user_password"

[pools.pool_name.users.0]
# Auth passthru only works if this user's password is hashed in md5 
# (It won't work with SCRAM-SHA-256 today)
# the user also needs to be granted LOGIN
username="targeted_user"
# password= <no password is necessary here>

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@drdrsh @garry-t