[Bucardo-general] peer authentication

Computerisms Corporation bob at computerisms.ca
Sat Jul 18 23:40:06 UTC 2020


Hi Folks,

So I get the impression that bucardo is really meant to run in a 
password-only authentication scheme, but I haven't read anywhere that 
peer/ident won't work, and they are listed on the old wiki pages as 
options.

I get that I need passwords for remote connections, but I would much 
prefer if local connections could use peer authentication instead of 
md5, mostly because I intend to try scripting things for future usage 
and would avoid more passwords than necessary involved in said script.

Hopefully I can show what I mean.  In the examples below, mooglian is 
the local machine, and moogle is the remote one.

Everything seems to work up to the part where I add the sync.
These commands work:

su -c "bucardo add db computerisms_ca_cal_mooglian 
dbname=computerisms_ca_cal" bucardo

su -c "bucardo add db computerisms_ca_cal_moogle 
dbname=computerisms_ca_cal host=2607:feb8::3:48 user=postgres" bucardo

su -c "bucardo add dbgroup computerisms_ca_cal_bucardogroup 
computerisms_ca_cal_mooglian:source computerisms_ca_cal_moogle:source" 
bucardo

and each of these commands will produce postgres logs like this 
(connection logging enabled):

[12912] [unknown]@[unknown] LOG:  connection received: host=[local]
[12912] bucardo at bucardo LOG:  connection authorized: user=bucardo 
database=bucardo
[12913] [unknown]@[unknown] LOG:  connection received: host=[local]
[12913] bucardo at computerisms_ca_cal LOG:  provided user name (bucardo) 
and authenticated user name (postgres) do not match
[12913] bucardo at computerisms_ca_cal FATAL:  Peer authentication failed 
for user "bucardo"
[12913] bucardo at computerisms_ca_cal DETAIL:  Connection matched 
pg_hba.conf line 33: "local   all             all        peer"
[12914] [unknown]@[unknown] LOG:  connection received: host=[local]
[12914] bucardo at computerisms_ca_cal LOG:  connection authorized: 
user=bucardo database=computerisms_ca_cal

so seems something in there tries to connect as the postgres user, but 
then somehow falls back again to connecting as bucardo user and 
succeeds.  Bucardo list shows they worked:

su -c "bucardo list dbgroup" bucardo
dbgroup: computerisms_ca_cal_bucardogroup  Members: 
computerisms_ca_cal_moogle:source computerisms_ca_cal_mooglian:source

If I disable line 33 in pg_hba.conf, the command does indeed fail trying 
to add another db:

su -c "bucardo add db easysmart_ca_cal_mooglian dbname=easysmart_ca_cal" 
bucardo
DBI 
connect('dbname=bucardo;host=/var/run/postgresql;port=5432','bucardo',...) 
failed: FATAL:  no pg_hba.conf entry for host "[local]", user "bucardo", 
database "bucardo", SSL off at /usr/bin/bucardo line 310.

so up until now, peer authentication is working/not working as expected 
(by me, at least).  Now, when I try to add the sync:

su -c "bucardo add sync computerisms_ca_cal_sync tables=all 
dbs=computerisms_ca_cal_bucardogroup" bucardo
DBD::Pg::st execute failed: ERROR:  DBI 
connect('dbname=computerisms_ca_cal','bucardo',...) failed: FATAL:  Peer 
authentication failed for user "bucardo" at line 64.
CONTEXT:  PL/Perl function "validate_goat" at /usr/bin/bucardo line 5269.

and the postgres logs show the same thing, where it is trying to connect 
as postgres, but this time it doesn't fall back:

[18035] [unknown]@[unknown] LOG:  connection received: host=[local]
[18035] bucardo at bucardo LOG:  connection authorized: user=bucardo 
database=bucardo
[18036] [unknown]@[unknown] LOG:  connection received: host=[local]
[18036] bucardo at computerisms_ca_cal LOG:  connection authorized: 
user=bucardo database=computerisms_ca_cal
[18037] [unknown]@[unknown] LOG:  connection received: host=[local]
[18037] bucardo at computerisms_ca_cal LOG:  provided user name (bucardo) 
and authenticated user name (postgres) do not match
[18037] bucardo at computerisms_ca_cal FATAL:  Peer authentication failed 
for user "bucardo"
[18037] bucardo at computerisms_ca_cal DETAIL:  Connection matched 
pg_hba.conf line 33: "local   all             all     peer"
[18035] bucardo at bucardo ERROR:  DBI 
connect('dbname=computerisms_ca_cal','bucardo',...) failed: FATAL:  Peer 
authentication failed for user "bucardo" at line 64.
bucardo at bucardo CONTEXT:  PL/Perl function "validate_goat"
[18035] bucardo at bucardo STATEMENT:  INSERT INTO bucardo.goat 
(schemaname,tablename,reltype,db) VALUES ($1,$2,$3,$4) RETURNING id

so it still seems the postgres user is coded into the connection 
somehow.  But even using the -U argument and running under different su 
users produces results I am finding confusing.  Try to force the 
authenticated username to be bucardo:

su -c "bucardo add sync computerisms_ca_cal_sync tables=all 
dbs=computerisms_ca_cal_bucardogroup -U bucardo" bucardo
[20354] bucardo at computerisms_ca_cal LOG:  provided user name (bucardo) 
and authenticated user name (postgres) do not match

Still connecting as postgres.  Okay, try to connect as postgres:

su -c "bucardo add sync computerisms_ca_cal_sync tables=all 
dbs=computerisms_ca_cal_bucardogroup -U postgres" bucardo
[19739] postgres at bucardo LOG:  provided user name (postgres) and 
authenticated user name (bucardo) do not match

Now bucardo is the authenticated username?  Why?  Okay, flip them:

su -c "bucardo add sync computerisms_ca_cal_sync tables=all 
dbs=computerisms_ca_cal_bucardogroup -U bucardo" postgres
[23428] bucardo at bucardo LOG:  provided user name (bucardo) and 
authenticated user name (postgres) do not match

Exact same as when running su bucardo :/.  So run the whole thing as 
postgres:

su -c "bucardo add sync computerisms_ca_cal_sync tables=all 
dbs=computerisms_ca_cal_bucardogroup -U postgres" postgres
[20750] bucardo at computerisms_ca_cal LOG:  provided user name (bucardo) 
and authenticated user name (postgres) do not match
[20750] bucardo at computerisms_ca_cal FATAL:  Peer authentication failed 
for user "bucardo"
[20750] bucardo at computerisms_ca_cal DETAIL:  Connection matched 
pg_hba.conf line 33: "local   all             all        peer"
[20751] [unknown]@[unknown] LOG:  connection received: host=[local]
[20751] postgres at computerisms_ca_cal LOG:  connection authorized: 
user=postgres database=computerisms_ca_cal
[20751] postgres at computerisms_ca_cal ERROR:  role "bucardo" already exists
[20751] postgres at computerisms_ca_cal STATEMENT:  CREATE USER bucardo 
SUPERUSER

Now it still provides username bucardo, then falls back to user postgres 
and tries to recreate the username bucardo, but then it seemingly won't 
be able to connect with the bucardo username anyway?

I am sure there is some logic happening here, but I am failing to 
understand what it is.  I am sure the program is doing what it is 
supposed to be doing and the problem is me, but could someone be so kind 
as to set my poor little brain cells straight?

For the sake of completeness, I am running version 5.5 from the Debian 
repos.  I considered installing 5.6, but I see nothing in the Changes 
file that indicates this has been addressed.

-- 
Bob Miller
Cell: 867-334-7117
Office: 867-633-3760
Office: 867-322-0362
www.computerisms.ca
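An added example to go with the log lines quoted in the post above; it is not from the post and not Bucardo's own code. It pulls the peer-authentication mismatches ("provided user name (X) and authenticated user name (Y) do not match") out of PostgreSQL connection logs and turns them into the pg_ident.conf map lines that peer authentication needs whenever the OS user on the socket and the requested DB role differ. It assumes one reading of the logs, namely that the connection refused inside validate_goat is opened from within the server process, which runs as the postgres OS user, so peer reports postgres as the authenticated name. The sample log text, the map name bucardo_map, the allowlist argument and the function names are constructed here for illustration.

```shell
#!/bin/sh
# Added example (not from the post or from Bucardo). Constructed sample of
# PostgreSQL connection-log lines of the kind quoted above, one per line as
# the server writes them (the list archive renders the user@database prefix
# as "user at database").
SAMPLE_LOG='[12912] [unknown]@[unknown] LOG:  connection received: host=[local]
[12912] bucardo@bucardo LOG:  connection authorized: user=bucardo database=bucardo
[18037] bucardo@computerisms_ca_cal LOG:  provided user name (bucardo) and authenticated user name (postgres) do not match
[18037] bucardo@computerisms_ca_cal FATAL:  Peer authentication failed for user "bucardo"
[19739] postgres@bucardo LOG:  provided user name (postgres) and authenticated user name (bucardo) do not match
[20750] bucardo@computerisms_ca_cal LOG:  provided user name (bucardo) and authenticated user name (postgres) do not match
[20751] postgres@computerisms_ca_cal LOG:  connection authorized: user=postgres database=computerisms_ca_cal'

# peer_mismatches: read a log on stdin and print one "DBUSER OSUSER" pair per
# distinct peer-authentication mismatch (the DB role that was requested, then
# the OS user the kernel reported for the socket peer).
peer_mismatches() {
  sed -n 's/.*provided user name (\([^)]*\)) and authenticated user name (\([^)]*\)) do not match.*/\1 \2/p' \
    | sort -u
}

# ident_map MAPNAME "OSUSER ...": read a log on stdin and print pg_ident.conf
# lines (MAPNAME SYSTEM-USERNAME PG-USERNAME) that would let each observed OS
# user connect as the DB role it asked for. Only allowlisted OS users get a
# line: a map entry is a grant, and a mismatch line can be produced by any
# local process that tries the socket, so the log alone must not drive policy.
ident_map() {
  im_map=$1
  im_allowed=$2
  # A map replaces peer's default "same name" rule, so keep every allowlisted
  # OS user able to connect as the role of the same name.
  for im_os in $im_allowed; do
    printf '%s %s %s\n' "$im_map" "$im_os" "$im_os"
  done
  peer_mismatches | while read -r im_db im_os; do
    case " $im_allowed " in
      *" $im_os "*) printf '%s %s %s\n' "$im_map" "$im_os" "$im_db" ;;
      *) printf 'skipped: OS user %s requested role %s (not allowlisted)\n' "$im_os" "$im_db" >&2 ;;
    esac
  done
}

# Stand-alone run: only the postgres OS user (the one the server itself runs
# as) may be mapped onto another role; the bucardo->postgres attempt seen in
# the sample is reported on stderr and left out of the map.
printf '%s\n' "$SAMPLE_LOG" | peer_mismatches
printf '%s\n' "$SAMPLE_LOG" | ident_map bucardo_map postgres
# The generated map is then referenced from the matching pg_hba.conf line,
# e.g.:  local   all   all   peer map=bucardo_map
```

Mapping the postgres OS user onto the bucardo role grants nothing that OS user does not already hold, since it owns the cluster; the reverse mapping (OS user bucardo onto role postgres) would be a privilege grant, which is why the allowlist, not the log, decides which lines are emitted. Review the output before installing it and reload the server afterwards, and remember that a `map=` line only applies to connections that match that pg_hba.conf entry.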