feat: SASL (SCRAM-SHA-256) authentication #631

Open
wants to merge 10 commits into
base: main
91 changes: 44 additions & 47 deletions pgcat.toml
Expand Up @@ -77,16 +77,18 @@ admin_username = "admin_user"
# Password to access the virtual administrative database
admin_password = "admin_pass"

# Default authentication method for all pools. Can be overriden per pool.
# Defaults to "md5" if not set.
# auth_method = "scram-sha-256"

# Default plugins that are configured on all pools.
[plugins]

# Prewarmer plugin that runs queries on server startup, before giving the connection
# to the client.
[plugins.prewarmer]
enabled = false
queries = [
"SELECT pg_prewarm('pgbench_accounts')",
]
queries = ["SELECT pg_prewarm('pgbench_accounts')"]

# Log all queries to stdout.
[plugins.query_logger]
Expand All @@ -95,11 +97,7 @@ enabled = false
# Block access to tables that Postgres does not allow us to control.
[plugins.table_access]
enabled = false
tables = [
"pg_user",
"pg_roles",
"pg_database",
]
tables = ["pg_user", "pg_roles", "pg_database"]

# Intercept user queries and give a fake reply.
[plugins.intercept]
Expand All @@ -108,25 +106,27 @@ enabled = true
[plugins.intercept.queries.0]

query = "select current_database() as a, current_schemas(false) as b"
schema = [
["a", "text"],
["b", "text"],
]
result = [
["${DATABASE}", "{public}"],
]
schema = [["a", "text"], ["b", "text"]]
result = [["${DATABASE}", "{public}"]]

[plugins.intercept.queries.1]

query = "select current_database(), current_schema(), current_user"
schema = [
["current_database", "text"],
["current_schema", "text"],
["current_user", "text"],
]
result = [
["${DATABASE}", "public", "${USER}"],
[
"current_database",
"text",
],
[
"current_schema",
"text",
],
[
"current_user",
"text",
],
]
result = [["${DATABASE}", "public", "${USER}"]]


# pool configs are structured as pool.<pool_name>
Expand Down Expand Up @@ -188,6 +188,10 @@ primary_reads_enabled = true
# `sha1`: A hashing function based on SHA1
sharding_function = "pg_bigint_hash"

# Authentication method to use for this pool. Overrides the general auth_method value.
# Defaults to the general auth_method if not set.
# auth_method = "scram-sha-256"

# Query to be sent to servers to obtain the hash used for md5 authentication. The connection will be
# established using the database configured in the pool. This parameter is inherited by every pool
# and can be redefined in pool configuration.
Expand Down Expand Up @@ -226,46 +230,42 @@ connect_timeout = 3000

[pools.sharded_db.plugins.prewarmer]
enabled = true
queries = [
"SELECT pg_prewarm('pgbench_accounts')",
]
queries = ["SELECT pg_prewarm('pgbench_accounts')"]

[pools.sharded_db.plugins.query_logger]
enabled = false

[pools.sharded_db.plugins.table_access]
enabled = false
tables = [
"pg_user",
"pg_roles",
"pg_database",
]
tables = ["pg_user", "pg_roles", "pg_database"]

[pools.sharded_db.plugins.intercept]
enabled = true

[pools.sharded_db.plugins.intercept.queries.0]

query = "select current_database() as a, current_schemas(false) as b"
schema = [
["a", "text"],
["b", "text"],
]
result = [
["${DATABASE}", "{public}"],
]
schema = [["a", "text"], ["b", "text"]]
result = [["${DATABASE}", "{public}"]]

[pools.sharded_db.plugins.intercept.queries.1]

query = "select current_database(), current_schema(), current_user"
schema = [
["current_database", "text"],
["current_schema", "text"],
["current_user", "text"],
]
result = [
["${DATABASE}", "public", "${USER}"],
[
"current_database",
"text",
],
[
"current_schema",
"text",
],
[
"current_user",
"text",
],
]
result = [["${DATABASE}", "public", "${USER}"]]

# User configs are structured as pool.<pool_name>.users.<user_index>
# This section holds the credentials for users that may connect to this cluster
Expand Down Expand Up @@ -321,7 +321,7 @@ servers = [["127.0.0.1", 5432, "primary"], ["localhost", 5432, "replica"]]
database = "shard1"

[pools.sharded_db.shards.2]
servers = [["127.0.0.1", 5432, "primary" ], ["localhost", 5432, "replica" ]]
servers = [["127.0.0.1", 5432, "primary"], ["localhost", 5432, "replica"]]
database = "shard2"


Expand All @@ -341,8 +341,5 @@ server_lifetime = 60000
statement_timeout = 0

[pools.simple_db.shards.0]
servers = [
[ "127.0.0.1", 5432, "primary" ],
[ "localhost", 5432, "replica" ]
]
servers = [["127.0.0.1", 5432, "primary"], ["localhost", 5432, "replica"]]
database = "some_db"
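Review bot: The `auth_method` comment added under `admin_password` (and repeated per pool after `sharding_function`) says only that the default is "md5" and shows one commented-out example, so a reader cannot tell which values are accepted or that leaving the line commented keeps client authentication on the weaker MD5 exchange. I would make that explicit with `# Accepted values: "md5", "scram-sha-256".` and `# Defaults to "md5" if not set; prefer "scram-sha-256" where clients support it.`; the value list is inferred from these two comments and should be checked against the config parser. The per-pool comment sits directly above the description of the query that fetches the hash used for md5 authentication, and nothing visible here says how that setting behaves once a pool selects SCRAM, so one sentence on that interaction would help. "overriden" in the first comment should read "overridden". The rest of the section appears to be formatter churn, and it left the `schema` array of both `queries.1` tables expanded one element per line while every other array was collapsed.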