[Pacemaker] postgresql RA problem [SOLVED]

E-Blokos infos at e-blokos.com
Mon Sep 21 16:08:47 UTC 2009


----- Original Message ----- 
From: "Serge Dubrouski" <sergeyfd at gmail.com>
To: <pacemaker at clusterlabs.org>
Sent: Sunday, September 20, 2009 9:22 PM
Subject: Re: [Pacemaker] postgresql RA problem [SOLVED]


Ok. I reviewed what was changed and I'm afraid that these changes are
no good. Using the PGPASSWORD variable isn't recommended because it's
considered insecure. Putting the DBA password into the pacemaker
configuration brings even more security issues. A .pgpass file shall be
used instead when password authentication is required. See the PostgreSQL
documentation.

Then this line:

: ${OCF_RESKEY_psql=/usr/bin/psq}

doesn't make sense. I don't think that psql was renamed to psq.

Changing runasowner function to

runasowner() {
        su $OCF_RESKEY_pgdba
        export PGPASSWORD=$OCF_RESKEY_pwd
        su $OCF_RESKEY_pgdba -c "$*"
}

completely breaks it since the first su command starts a shell and leaves
the user there at the command prompt.

Have you tested your changes?

On Sun, Sep 20, 2009 at 8:54 AM, Serge Dubrouski <sergeyfd at gmail.com> wrote:
> Can you provide your change as a diff patch?
>
> On Sat, Sep 19, 2009 at 11:22 PM, E-Blokos <infos at e-blokos.com> wrote:
>> For those who are interested in having more password security with PostgreSQL:
>> until now the RA didn't work if the db user in pg_hba.conf was set to anything
>> other than "trust",
>> otherwise the psql command always prompts for a password, which breaks the RA
>> script.
>> So I updated the PGSQL RA to use pgsql with more security.
>>
>> Regards
>>
>> Franck Chionna
>> --
>> This message has been scanned for viruses and
>> dangerous content by MailScanner, and is
>> believed to be clean.
>> _______________________________________________
>> Pacemaker mailing list
>> Pacemaker at oss.clusterlabs.org
>> http://oss.clusterlabs.org/mailman/listinfo/pacemaker
>>
>>
>
>
>
> --
> Serge Dubrouski.
>
---------------------

Hi,

> : ${OCF_RESKEY_psql=/usr/bin/psq}
Sorry, it was a typo.
Yes, I tested it and it works fine.
I agree that it's not highly secure to set a pwd in an RA script,
but is "trust" in pg_hba.conf for the postgres user more secure?

I thought afterwards of using a .pgpass, but for me it's secure enough like this.

>runasowner() {
>        su $OCF_RESKEY_pgdba
>        export PGPASSWORD=$OCF_RESKEY_pwd
>        su $OCF_RESKEY_pgdba -c "$*"
>}

>completely breaks it since first su command starts shell and leaves
>user there at the command prompt .

Sorry, I have never really developed in bash.... ;)
Maybe it is better like this?

runasowner() {
        su $OCF_RESKEY_pgdba -c "(export PGPASSWORD=$OCF_RESKEY_pwd &); ($* &)"
}

Thanks

Franck Chionna 
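
Added example, not part of the original messages or of the pgsql RA: a sketch of the .pgpass approach recommended earlier in the thread, where no password enters the pacemaker configuration, the environment or the `su -c` command line. `OCF_RESKEY_pgpass`, `pgpass_usable` and `pgsql_check` are hypothetical names, and the query and database are constructed; `PGPASSFILE` and `psql -w` are standard libpq/psql features.

```shell
#!/bin/sh
# Added example; function names and OCF_RESKEY_pgpass are hypothetical.

# Return 0 if FILE is a password file libpq will accept: a regular file with
# no group/other permission bits (libpq ignores it otherwise) and five
# colon-separated fields (host:port:database:user:password) per entry.
pgpass_usable() {
    f=$1
    [ -f "$f" ] || { echo "pgpass: $f missing" >&2; return 1; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "pgpass: $f must be mode 0600" >&2; return 1; }
    # Drop escaped "\\" and "\:" first so they are not counted as separators.
    sed -e 's/\\\\//g' -e 's/\\://g' "$f" | awk -F: '
        /^#/ || /^$/ { next }
        NF != 5      { bad = 1 }
        END          { exit bad + 0 }' ||
        { echo "pgpass: malformed entry in $f" >&2; return 1; }
}

# Run a command as the database owner with a single su call. Nothing secret
# is interpolated into the command string, so it does not show up in ps.
runasowner() {
    su "$OCF_RESKEY_pgdba" -c "$*"
}

# Constructed monitor query. -w makes psql fail instead of prompting, so an
# ignored or missing password file is reported as an error, not a hung action.
pgsql_check() {
    pgpass_usable "$OCF_RESKEY_pgpass" || return 1
    runasowner "PGPASSFILE='$OCF_RESKEY_pgpass' $OCF_RESKEY_psql -w -c 'select now();' template1"
}
```

The password file must be owned by the account named in `OCF_RESKEY_pgdba`, since psql runs as that user after `su`.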

