我正在尝试将
pgbouncer
配置为我的 postgres 实例的连接池。对于我的用例,我尝试使用 auth_query
身份验证方法来让用户连接到 postgres 实例,而无需在 userlist.txt
中显式添加凭据。
这是我的
pgbouncer.ini
:
[databases]
; PostgreSQL database named 'dbone' running on 'postgres1' service
pokemons = host=postgres1 port=5432 dbname=pokemon
super = host=postgres2 port=5432 dbname=supersaiyans
[pgbouncer]
listen_addr = *
listen_port = 6432
auth_type = scram-sha-256
auth_file = /etc/pgbouncer/userlist.txt
auth_query = select usename, passwd FROM user_search($1)
auth_user = pgbuser
logfile = /var/log/pgbouncer/pgbouncer.log
pidfile = /var/run/pgbouncer/pgbouncer.pid
admin_users = postgres
这是我的
userlist.txt
:
"pgbuser" "pgbouncer"
这是 pgbouncer 的函数和
auth_user
:
CREATE OR REPLACE FUNCTION user_search(uname TEXT) RETURNS TABLE (usename name, passwd text) as
$$
WITH myuser as (SELECT $1 as fullusername) SELECT fullusername as usename, passwd FROM pg_catalog.pg_shadow INNER JOIN myuser ON usename = substring(fullusername from '[^@]*')
$$
LANGUAGE sql SECURITY DEFINER;
CREATE ROLE pgbuser WITH LOGIN PASSWORD 'pgbouncer';
GRANT EXECUTE ON FUNCTION user_search(text) TO pgbuser;
这里我创建了一个非超级用户角色
pgbuser
,它可以在postgres上执行该功能并验证用户。
然后我创建了一个对特定数据库具有查看访问权限的数据库用户。我检查了这些用户的手动登录情况,我可以看到我被允许查看的数据。
问题:当我使用 pgbouncer 的主机和端口登录 pgadmin 并输入我创建的数据库用户的凭据时。我可以成功登录。为了验证登录是否正常,我还输入了错误的密码。我可以登录并查看数据库,但当我尝试查看内容时,出现 SASL 错误:
日志:
pgbouncer-1 | 2024-03-30 11:10:13.531 UTC [1] LOG S-0x7f8133c733e0: pokemons/[email protected]:5432 new connection to server (from 192.168.16.3:35530)
pgbouncer-1 | 2024-03-30 11:10:13.540 UTC [1] LOG C-0x7f8133c7d3c0: pokemons/[email protected]:56156 login attempt: db=pokemons user=ash tls=no
pgbouncer-1 | 2024-03-30 11:10:13.550 UTC [1] LOG S-0x7f8133c73690: pokemons/[email protected]:5432 new connection to server (from 192.168.16.3:35544)
pgbouncer-1 | 2024-03-30 11:10:16.337 UTC [1] LOG C-0x7f8133c7d670: (nodb)/(nouser)@192.168.16.1:56168 no such user: ash
pgbouncer-1 | 2024-03-30 11:10:16.337 UTC [1] LOG C-0x7f8133c7d670: (nodb)/[email protected]:56168 login attempt: db=dbone user=ash tls=no
pgbouncer-1 | 2024-03-30 11:10:16.337 UTC [1] LOG C-0x7f8133c7d920: (nodb)/(nouser)@192.168.16.1:56178 no such user: ash
pgbouncer-1 | 2024-03-30 11:10:16.337 UTC [1] LOG C-0x7f8133c7d920: (nodb)/[email protected]:56178 login attempt: db=dbone user=ash tls=no
pgbouncer-1 | 2024-03-30 11:10:16.347 UTC [1] ERROR C-0x7f8133c7d670: (nodb)/[email protected]:56168 password authentication failed
pgbouncer-1 | 2024-03-30 11:10:16.347 UTC [1] LOG C-0x7f8133c7d670: (nodb)/[email protected]:56168 closing because: SASL authentication failed (age=0s)
pgbouncer-1 | 2024-03-30 11:10:16.347 UTC [1] WARNING C-0x7f8133c7d670: (nodb)/[email protected]:56168 pooler error: SASL authentication failed
pgbouncer-1 | 2024-03-30 11:10:16.348 UTC [1] ERROR C-0x7f8133c7d920: (nodb)/[email protected]:56178 password authentication failed
一旦登录尝试成功,但之后当我单击数据库时,我会收到身份验证失败错误。
pgadmin 通过向其实际连接的数据库发送查询来获取“可用”数据库的列表。但它实际可用的数据库是由 pgbouncer 的配置决定的,它看不到。因此,当通过 pgbouncer 连接时,pgadmin 的自省功能将会被破坏,除非你非常小心,但你并没有。