repmgr icon indicating copy to clipboard operation
repmgr copied to clipboard

Published 20 hours ago verified publisher icon EnterpriseDB

Password less authentication for repmgrd process

Open siva-postgres opened this issue 2 years ago • 3 comments

Hi, I'll be looking for secure authentication for Postgres where i should not use .pgpass or trust authentication method.

I have come across a issue during Standby switchover, where the switchover command internally executing "ssh -o Batchmode=yes -p 222 master /usr/pgsql-11/bin/repmgr -f repmgr_5432.conf node check --db-connection"

Primary Server = master standby server = secondary

-1-postgres@secondary:~ $ ./switchover
NOTICE: using provided configuration file "repmgr_5432.conf"
NOTICE: executing switchover on node "master" (ID: 2)
INFO: searching for primary node
INFO: checking if node 1 is primary
INFO: current primary node is 1
INFO: SSH connection to host "master" succeeded
DETAIL: an error was encountered when attempting to connect to PostgreSQL on node "master" (ID: 1)
HINT: diagnose with:
  ssh -o Batchmode=yes -p 222 master /usr/pgsql-11/bin/repmgr -f repmgr_5432.conf node check --db-connection

-1-postgres@secondary:~ $ ssh -o Batchmode=yes -p 222 master /usr/pgsql-11/bin/repmgr -f repmgr_5432.conf node check --db-connection
ERROR: connection to database failed
DETAIL: 
fe_sendauth: no password supplied

CRITICAL (connection parameters used: user=repmgr passfile=/var/lib/pgsql/.pgpass connect_timeout=3 dbname=repmgr host=master port=5321 options=-csearch_path= application_name=repmgrd fallback_application_name=repmgr sslmode=require sslcompression=0 krbsrvname=postgres target_session_attrs=any)

Details: i'll be using a script to fetch password from remote server instead of storing in the local node, i.e no .pgpass or trust method. if i do export PGPASSWORD="xxx" and run the command(/usr/pgsql-11/bin/repmgr -f repmgr_5432.conf node check --db-connection) manually in the primary, its perfectly working.

Requirements:

  1. is there any way we can fetch password first or provisioning of fetching password fetch in repmgr and check connection to the database. i.e Example: if i do switchover, repmgr does ssh to the primary server, fetch password, check health connection...?,

  2. Do we have possibility of using or integrating some third party password fetch tools(without using .pgpass or trust method, Currently i am doing export PGPASSWORD=xxx and executing repmgrd everytime) and allowing repmgrd to connect to the database for monitoring.

Thank you Very much for the support.

Siva

siva-postgres avatar Mar 08 '22 16:03 siva-postgres

@ibarwick , Could you please help with your thoughts or recommendations.

Thank you in Advance.

siva-postgres avatar Mar 16 '22 15:03 siva-postgres

@ibarwick , Could you please help ...

Thank you in Advance.

siva-postgres avatar Apr 05 '22 06:04 siva-postgres

Hi, I'll be looking for secure authentication for Postgres where i should not use .pgpass or trust authentication method.

(...)

Requirements:

  1. is there any way we can fetch password first or provisioning of fetching password fetch in repmgr and check connection to the database. i.e Example: if i do switchover, repmgr does ssh to the primary server, fetch password, check health connection...?,

repmgr doesn't support anything like that.

  1. Do we have possibility of using or integrating some third party password fetch tools(without using .pgpass or trust method,

Currently there is no support for anything like that, and no plans to add such support.

For general reference, the documentation section on password usage:

https://repmgr.org/docs/current/configuration-password-management.html

ibarwick avatar May 12 '22 02:05 ibarwick