pgbouncer authentication - FATAL: Peer authentication failed for user #507

chuegel opened this issue Nov 18, 2023 · 2 comments

chuegel commented Nov 18, 2023

I just installed a clean 3 node cluster with haproxy/keepalived/etcd/pgbouncer and 1 pgbackrest repo.
The playbook finished without any errors.
However, after creating a database:

CREATE DATABASE test;
CREATE USER test WITH ENCRYPTED PASSWORD 'test';
GRANT ALL PRIVILEGES ON DATABASE test TO test;

I'm unable to connect to the DB

psql -U test -h 192.168.100.78 -p 5000 -d test
Password for user test:
psql: error: connection to server at "192.168.100.78", port 5000 failed: FATAL:  Peer authentication failed for user "test"

192.168.100.78 is the cluster VIP

Other config options in main.yml pretty much remained the same

# (optional) list of users to be created (if not already exists)
postgresql_users:
  - { name: "{{ pgbouncer_auth_username }}", password: "{{ pgbouncer_auth_password }}", flags: "LOGIN", role: "" }
#  - { name: "monitoring_auth_username", password: "monitoring_user_password", flags: "LOGIN", role: "pg_monitor" } # monitoring Service Account
#  - { name: "mydb-user", password: "mydb-user-pass", flags: "SUPERUSER" }
#  - { name: "", password: "", flags: "NOSUPERUSER" }
#  - { name: "", password: "", flags: "NOSUPERUSER" }
#  - { name: "", password: "", flags: "NOLOGIN" }
# PgBouncer parameters
pgbouncer_install: true  # or 'false' if you do not want to install and configure the pgbouncer service
pgbouncer_processes: 1  # Number of pgbouncer processes to be used. Multiple processes use the so_reuseport option for better performance.
pgbouncer_conf_dir: "/etc/pgbouncer"
pgbouncer_log_dir: "/var/log/pgbouncer"
pgbouncer_listen_addr: "0.0.0.0"
pgbouncer_listen_port: 6432
pgbouncer_max_client_conn: 10000
pgbouncer_max_db_connections: 1000
pgbouncer_max_prepared_statements: 1024
pgbouncer_default_pool_size: 20
pgbouncer_query_wait_timeout: 120
pgbouncer_default_pool_mode: "session"
pgbouncer_admin_users: "{{ patroni_superuser_username }}"  # comma-separated list of users, who are allowed to change settings
pgbouncer_stats_users: "{{ patroni_superuser_username }}"  # comma-separated list of users who are just allowed to use SHOW command
pgbouncer_ignore_startup_parameters: "extra_float_digits,geqo,search_path"
pgbouncer_auth_type: "{{ postgresql_password_encryption_algorithm }}"
pgbouncer_auth_user: true # or 'false' if you want to manage the list of users for authentication in the database via userlist.txt
pgbouncer_auth_username: pgbouncer # user who can query the database via the user_search function
pgbouncer_auth_password: "pgbouncer-pass" # please change password
pgbouncer_auth_dbname: "postgres"
postgresql_pg_hba:
  - { type: "local", database: "all", user: "{{ patroni_superuser_username }}", address: "", method: "trust" }
  - { type: "local", database: "all", user: "{{ pgbouncer_auth_username }}", address: "", method: "trust" } # required for pgbouncer auth_user
  - { type: "local", database: "replication", user: "{{ patroni_superuser_username }}", address: "", method: "trust" }
  - { type: "local", database: "all", user: "all", address: "", method: "peer" }
  - { type: "host", database: "all", user: "all", address: "127.0.0.1/32", method: "{{ postgresql_password_encryption_algorithm }}" }
  - { type: "host", database: "all", user: "all", address: "::1/128", method: "{{ postgresql_password_encryption_algorithm }}" }
#  - { type: "host", database: "mydatabase", user: "mydb-user", address: "192.168.0.0/24", method: "{{ postgresql_password_encryption_algorithm }}" }
#  - { type: "host", database: "all", user: "all", address: "192.168.0.0/24", method: "ident", options: "map=main" }  # use pg_ident

The search function is present:

postgres=# \df
                                  List of functions
 Schema |    Name     |         Result data type         | Argument data types | Type
--------+-------------+----------------------------------+---------------------+------
 public | user_search | TABLE(usename name, passwd text) | uname text          | func
(1 row)

vitabaks commented Nov 18, 2023

@chuegel Hi

  1. Replace "peer" with "{{ postgresql_password_encryption_algorithm }}"
  2. Run config playbook
ansible-playbook config_pgcluster.yml --tags pg_hba

Related PR #498
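
Why the one-word change fixes the login, as an added example that is not part of the thread or the project's code: PostgreSQL applies the first pg_hba line that matches a connection and never falls through to a later one. Assumed here: PgBouncer reaches PostgreSQL over the local Unix socket as OS user `postgres`, `patroni_superuser_username` expands to `postgres`, and the encryption algorithm is `scram-sha-256`.

```python
import ipaddress

ALGO = "scram-sha-256"  # assumed value of postgresql_password_encryption_algorithm
SUPERUSER = "postgres"  # assumed value of patroni_superuser_username

def hba_rules(local_all_method):
    """postgresql_pg_hba from the issue, in order, with variables expanded."""
    return [
        ("local", "all", SUPERUSER, "", "trust"),
        ("local", "all", "pgbouncer", "", "trust"),
        ("local", "replication", SUPERUSER, "", "trust"),
        ("local", "all", "all", "", local_all_method),
        ("host", "all", "all", "127.0.0.1/32", ALGO),
        ("host", "all", "all", "::1/128", ALGO),
    ]

def first_match(rules, conn_type, database, user, client_ip=None):
    """Return the first rule matching the connection, or None."""
    for rule in rules:
        rtype, rdb, ruser, raddr, _method = rule
        if rtype != conn_type:
            continue
        # "replication" matches only replication connections (not modelled).
        if rdb == "replication" or rdb not in ("all", database):
            continue
        if ruser not in ("all", user):
            continue
        if rtype == "host":
            if ipaddress.ip_address(client_ip) not in ipaddress.ip_network(raddr):
                continue
        return rule
    return None

def authenticate(rule, db_user, os_user):
    """Outcome of the matched rule's method for a client running as os_user."""
    if rule is None:
        return "rejected: no pg_hba entry"
    method = rule[4]
    if method == "trust":
        return "ok"
    if method == "peer":  # OS account name must equal the database role
        ok = os_user == db_user
        return "ok" if ok else f'FATAL: Peer authentication failed for user "{db_user}"'
    return f"password check ({method})"

def pgbouncer_login(local_all_method, db_user="test", database="test"):
    """Server-side result when PgBouncer (OS user assumed 'postgres') logs in as db_user."""
    rule = first_match(hba_rules(local_all_method), "local", database, db_user)
    return authenticate(rule, db_user, os_user="postgres")
```

With `peer` on the catch-all `local` line the `test` login is refused before any password is checked, while the `pgbouncer` role still passes through its own `trust` line.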


chuegel commented Nov 18, 2023

Hi @vitabaks,

thanks a lot. That worked!

chuegel closed this as completed Nov 18, 2023
vitabaks added the bug (Something isn't working) label Nov 18, 2023
vitabaks self-assigned this Nov 18, 2023