PostgreSQL authentication¶
In site settings, the postgresql.auth
field allows to configure PostgreSQL
authentication. Default values are:
auth:
local: trust
host: trust
hostssl: trust
passfile: $HOME/.pgpass
password_command: []
For a production cluster it is recommended to set local
, host
and
hostssl
authentication to one of the supported authentication methods.
In addition, a site administrator may provide templates for pg_hba.conf
and pg_ident.conf
(as documented in
configuration templates section). The defaults
contain:
local all {surole} {auth.local}
local all all {auth.local}
host all all 127.0.0.1/32 {auth.host}
host all all ::1/128 {auth.host}
# MAPNAME SYSTEM-USERNAME PG-USERNAME
Many pglift operations require a database access to the target instance using
the super-user role (postgres
by default). Unless the authentication policy
is set to trust
a password would then be required for each operations.
In site settings, the postgresql.surole.pgpass
configuration option, when
set to true
, will write a password file (pgpass
) entry for the
super-user role. This assumes that the postgresql.auth.passfile
option is
non-null
.
At instance creation, one can define a password for the super-user role
(postgres
by default), using --surole-password
option to pglift
instance create
or similarly through the Ansible interface.
When the password file is used, nothing special is required for authentication as all libpq operations would use it.
Otherwise, the password is read from PGPASSWORD
environment variable so
this should be set in the environment running interactive commands.
Alternatively, one can use the password_command
setting, with a value
defining a user-managed shell command as a list of strings. At runtime, the
command is templated with the instance object (which string representation
would be something like 14/main
) and the role name (e.g. postgres
,
backup
). It must return the role password as stdout.
Examples:
auth:
password_command:
- jq
- -r
- .["{instance}"]["{role}"]
- /mnt/secrets/pglift.json
auth:
password_command:
- gpg
- -d
- /var/lib/pgsql/{instance.version}-{instance.name}_{role}_pgpassword.gpg
Setting up “peer” authentication¶
The peer authentication is convenient but it needs additional setup when
the local user name does not match role name, typically when not using the postgres
or backup
system user in default configuration. In that case, a mapping
is usually needed.
Such a setup can be achieved by providing template files (as documented in
configuration templates section)
in order to map the local user running pglift (referred to as the sysuser)
to PostgreSQL super-user role (typically postgres
), identified by
{surole}
template variable or backup user, identified by {backuprole}
template variable:
local all {surole} peer map=mymap
local all {backuprole} peer map=mymap
[...]
# MAPNAME SYSTEM-USERNAME PG-USERNAME
mymap {sysuser} {surole}
mymap {sysuser} {backuprole}
Available template variables are:
{sysuser}
: the local user running pglift{surole}
: the PostgreSQL super-user role{replrole}
: the PostgreSQL replication role{backuprole}
: the PostgreSQL backup role