我一直在尝试在RHEL7虚拟机上用Puppet在独立模式下设置一个Postgres服务器。问题是我无法管理与用户的连接,所有的表被正确地创建,当试图连接到用户得到。
psql: FATAL: Peer authentication failed for user
即使在阅读并尝试了几种不同的hba_config配置后,也无法使其工作。
Puppetfile。
class profile::tdms::postgresql (
String $pgsql_password,
String $pg_db_username,
String $pg_db_password,
String $emsa_tdm_db = 'emsa_tdms_django',
String $airflow_db = 'emsa_tdms_airflow',
String $celery_db = 'emsa_tdms_celery',
) {
include epel
class { 'postgresql::globals':
manage_package_repo => true,
version => '10',
}
class { 'postgresql::server':
postgres_password => $pgsql_password,
}
notice("PSQL PASS: ${pgsql_password}, PGSQL DB PASS: ${pg_db_password}, PSQL USER: ${pg_db_username}")
# Postgis instalation. Not working
# class { 'postgresql::server::postgis':
# package_name => 'postgis25_10'
# }
postgresql::server::role { $pg_db_username:
username => $pg_db_username,
#password_hash => postgresql_password($pg_db_username, $pg_db_password),
update_password => $pg_db_password,
replication => true
}
postgresql::server::db { $airflow_db:
user => $pg_db_username,
password => postgresql_password($pg_db_username, $pg_db_password),
owner => $pg_db_username
#password => $pg_db_password
}
-> postgresql::server::db { $emsa_tdm_db:
user => $pg_db_username,
password => postgresql_password($pg_db_username, $pg_db_password),
#password => $pg_db_password
owner => $pg_db_username
}
-> postgresql::server::db { $celery_db:
user => $pg_db_username,
password => postgresql_password($pg_db_username, $pg_db_password),
#password => $pg_db_password
owner => $pg_db_username
}
-> postgresql::server::extension { 'airflow_postgis':
database => $airflow_db,
extension => 'postgis',
}
-> postgresql::server::extension { 'tdm_postgis':
database => $emsa_tdm_db,
extension => 'postgis',
}
# postgresql::server::pg_hba_rule { 'local unix sockets':
# description => 'local is for Unix domain socket connections only',
# type => 'local',
# database => 'all',
# user => 'all',
# address => '',
# auth_method => 'peer',
# }
postgresql::server::pg_hba_rule { 'IPv4 local 1':
description => 'IPv4 local connections',
type => 'host',
database => 'all',
user => $pg_db_username,
address => '0.0.0.0/0',
auth_method => 'md5',
}
postgresql::server::pg_hba_rule { 'IPv4 local 2':
type => 'host',
database => 'all',
user => 'all',
address => '127.0.0.1/32',
auth_method => 'ident',
}
postgresql::server::pg_hba_rule { 'Replication 1':
description => 'Allow replication connections from localhost, by a user with the replication privilege',
type => 'local',
database => 'replication',
user => 'all',
address => '',
auth_method => 'peer',
}
postgresql::server::pg_hba_rule { 'Replication 2':
type => 'host',
database => 'replication',
user => 'all',
address => '127.0.0.1/32',
auth_method => 'ident',
}
postgresql::server::pg_hba_rule { 'Replication 3':
type => 'host',
database => 'replication',
user => 'all',
address => '::1/128',
auth_method => 'ident',
}
postgresql_conn_validator { 'validate my postgres connection':
host => '127.0.0.1',
db_username => $pg_db_username,
db_password => $pg_db_password,
db_name => 'postgres',
}
}
这是pg_hba.conf。
# This file is managed by Puppet. DO NOT EDIT.
# Rule Name: local access as postgres user
# Description: none
# Order: 1
local all postgres ident
# Rule Name: local access to database with same name
# Description: none
# Order: 2
local all all ident
# Rule Name: allow localhost TCP access to postgresql user
# Description: none
# Order: 3
host all postgres 127.0.0.1/32 md5
# Rule Name: deny access to postgresql user
# Description: none
# Order: 4
host all postgres 0.0.0.0/0 reject
# Rule Name: allow access to all users
# Description: none
# Order: 100
host all all 127.0.0.1/32 md5
# Rule Name: allow access to ipv6 localhost
# Description: none
# Order: 101
host all all ::1/128 md5
# Rule Name: IPv4 local 1
# Description: IPv4 local connections
# Order: 150
host all emsa_tdms 0.0.0.0/0 md5
# Rule Name: IPv4 local 2
# Description: none
# Order: 150
host all all 127.0.0.1/32 ident
# Rule Name: Replication 1
# Description: Allow replication connections from localhost, by a user with the replication privilege
# Order: 150
local replication all peer
# Rule Name: Replication 2
# Description: none
# Order: 150
host replication all 127.0.0.1/32 ident
# Rule Name: Replication 3
# Description: none
# Order: 150
host replication all ::1/128 ident
UPDATE:想在同一台机器和Django应用之间进行连接。
LOGS。
2020-06-12 15:48:47.230 UTC [6945] FATAL: Peer authentication failed for user "emsa_tdms"
2020-06-12 15:48:47.230 UTC [6945] DETAIL: Connection matched pg_hba.conf line 11: "local all all ident "
2020-06-12 15:49:13.951 UTC [7017] LOG: provided user name (emsa_tdms) and authenticated user name (vagrant) do not match
2020-06-12 15:49:13.951 UTC [7017] FATAL: Peer authentication failed for user "emsa_tdms"
2020-06-12 15:49:13.951 UTC [7017] DETAIL: Connection matched pg_hba.conf line 11: "local all all ident "
2020-06-12 15:56:46.559 UTC [8545] FATAL: password authentication failed for user "emsa_tdms"
在删除这一行之后:
local all all ident
错误:
psql: FATAL: no pg_hba.conf entry for host "[local]", user "emsa_tdms", database "emsa_tdms_django", SSL off
ident 的时候,所有的表都能正确创建,而当 local pg_hba.conf 行被解释为是 peer.
通过简单的身份认证或对等认证,它可以验证连接到数据库服务器的Linux用户与试图连接的PostgreSQL用户的名称相同,但在你的情况下,它们是不一样的,"emsa_tdms "与 "vagrant"。 但在你的情况下,它们并不一样,"emsa_tdms "与 "vagrant"。 基本上有4个选择,把运行puppet脚本的Linux用户名从 "vagrant "改成 "emsa_tdms";把PostgreSQL的用户名从 "emsa_tdms "改成 "vagrant";添加一个用户映射(在pg_ident.conf中),说明 "vagrant "可以以 "emsa_tdms "的身份登录,并在pg_hba.conf中激活这个映射;或者选择一个不同的认证方法,例如 md5.
看起来你还试图使用密码验证,也失败了,但你太快切断了日志,不知道为什么失败。 也许那次尝试不是来自puppet,而是来自其他的东西。