Add support for auth_query based authentication to mirrored servers #896
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
joshcurtis
commented
Dec 31, 2024
| @@ -24,7 +24,7 @@ services: | |||
| POSTGRES_USER: postgres | |||
| POSTGRES_DB: postgres | |||
| POSTGRES_PASSWORD: postgres | |||
| POSTGRES_INITDB_ARGS: --auth-local=scram-sha-256 --auth-host=scram-sha-256 --auth=scram-sha-256 | |||
| POSTGRES_INITDB_ARGS: --auth-local=md5 --auth-host=md5 --auth=md5 | |||
There was a problem hiding this comment.
I had a problem where the connection silently failed if scram authentication was used. I tried and failed to reproduce by playing around with some of the tests in auth_query_spec.rb, so it might be a problem unique to the config I was using?
Auth query not working with scram authentication might be a known issue? I ran across some problems that might be similar in the discord. I'm a bit fuzzy on how this all works so it could be unrelated
message from postgresml discord:
I tried SCRAM-SHA-256 in password encoding, the auth_query failed to work.
pgcat failed with error below"2023-09-07T09:01:37.352504Z ERROR pgcat:
Pool error: ServerAuthError("SASL auth required and no password specified.
Auth passthrough (auth_query) method is currently unsupported for SASL auth", ServerIdentifier { username: "pgcatdb", database: "pgcatdb" }) ".
SCRAM is required for FIPS.
Any planning to support SCRAM for auth_query?
joshcurtis
changed the title
The change itself is fairly simple, just piping the auth_hash object to the mirror server pool. The test was created by putting aping existing tests in mirror_spec.rb and auth_query_spec.rb. I also updated the auth of the mirror instance to md5, since the connection failed silently when scram-sha-256 was used.
joshcurtis
force-pushed
the
add_auth_hash_support_in_mirrors
branch
from
7d1cab2 to
a8b5501
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The change itself is fairly simple, just piping the auth_hash object to the mirror server pool.
The test was created by putting aping existing tests in mirror_spec.rb and auth_query_spec.rb.
I also updated the auth of the mirror instance to md5, since the connection failed silently when scram-sha-256 was used.