Fix Peer validation failed for user in postgres 10 with puppet script
I have been trying to set up a Postgres server in an RHEL7 VM using Puppet in standalone mode. The problem is that I can't manage to connect as the user: all the tables are created correctly, but when trying to connect as the user I get:
psql: FATAL: Peer authentication failed for user
Even after reading and trying several different hba_config configurations, I can't get it to work.
Puppet file:
class profile::tdms::postgresql (
  String $pgsql_password,
  String $pg_db_username,
  String $pg_db_password,
  String $emsa_tdm_db = 'emsa_tdms_django',
  String $airflow_db  = 'emsa_tdms_airflow',
  String $celery_db   = 'emsa_tdms_celery',
) {
  include epel

  class { 'postgresql::globals':
    manage_package_repo => true,
    version             => '10',
  }

  class { 'postgresql::server':
    postgres_password => $pgsql_password,
  }

  # notice() writes these secrets into the Puppet run output and agent log.
  notice("PSQL PASS: ${pgsql_password}, PGSQL DB PASS: ${pg_db_password}, PSQL USER: ${pg_db_username}")

  # Postgis installation. Not working
  # class { 'postgresql::server::postgis':
  #   package_name => 'postgis25_10'
  # }

  # In puppetlabs-postgresql, update_password is a Boolean; the password itself
  # goes in password_hash, otherwise the role is created with no password.
  postgresql::server::role { $pg_db_username:
    username        => $pg_db_username,
    password_hash   => postgresql_password($pg_db_username, $pg_db_password),
    update_password => true,
    replication     => true,
  }

  postgresql::server::db { $airflow_db:
    user     => $pg_db_username,
    password => postgresql_password($pg_db_username, $pg_db_password),
    owner    => $pg_db_username,
    #password => $pg_db_password
  }
  -> postgresql::server::db { $emsa_tdm_db:
    user     => $pg_db_username,
    password => postgresql_password($pg_db_username, $pg_db_password),
    #password => $pg_db_password
    owner    => $pg_db_username,
  }
  -> postgresql::server::db { $celery_db:
    user     => $pg_db_username,
    password => postgresql_password($pg_db_username, $pg_db_password),
    #password => $pg_db_password
    owner    => $pg_db_username,
  }
  -> postgresql::server::extension { 'airflow_postgis':
    database  => $airflow_db,
    extension => 'postgis',
  }
  -> postgresql::server::extension { 'tdm_postgis':
    database  => $emsa_tdm_db,
    extension => 'postgis',
  }

  # postgresql::server::pg_hba_rule { 'local unix sockets':
  #   description => 'local is for Unix domain socket connections only',
  #   type        => 'local',
  #   database    => 'all',
  #   user        => 'all',
  #   address     => '',
  #   auth_method => 'peer',
  # }

  postgresql::server::pg_hba_rule { 'IPv4 local 1':
    description => 'IPv4 local connections',
    type        => 'host',
    database    => 'all',
    user        => $pg_db_username,
    address     => '0.0.0.0/0',
    auth_method => 'md5',
  }
  postgresql::server::pg_hba_rule { 'IPv4 local 2':
    type        => 'host',
    database    => 'all',
    user        => 'all',
    address     => '127.0.0.1/32',
    auth_method => 'ident',
  }
  postgresql::server::pg_hba_rule { 'Replication 1':
    description => 'Allow replication connections from localhost, by a user with the replication privilege',
    type        => 'local',
    database    => 'replication',
    user        => 'all',
    address     => '',
    auth_method => 'peer',
  }
  postgresql::server::pg_hba_rule { 'Replication 2':
    type        => 'host',
    database    => 'replication',
    user        => 'all',
    address     => '127.0.0.1/32',
    auth_method => 'ident',
  }
  postgresql::server::pg_hba_rule { 'Replication 3':
    type        => 'host',
    database    => 'replication',
    user        => 'all',
    address     => '::1/128',
    auth_method => 'ident',
  }

  postgresql_conn_validator { 'validate my postgres connection':
    host        => '127.0.0.1',
    db_username => $pg_db_username,
    db_password => $pg_db_password,
    db_name     => 'postgres',
  }
}
Here is pg_hba.conf:
# This file is managed by Puppet. DO NOT EDIT.
# Rule Name: local access as postgres user
# Description: none
# Order: 1
local all postgres ident
# Rule Name: local access to database with same name
# Description: none
# Order: 2
local all all ident
# Rule Name: allow localhost TCP access to postgresql user
# Description: none
# Order: 3
host all postgres 127.0.0.1/32 md5
# Rule Name: deny access to postgresql user
# Description: none
# Order: 4
host all postgres 0.0.0.0/0 reject
# Rule Name: allow access to all users
# Description: none
# Order: 100
host all all 127.0.0.1/32 md5
# Rule Name: allow access to ipv6 localhost
# Description: none
# Order: 101
host all all ::1/128 md5
# Rule Name: IPv4 local 1
# Description: IPv4 local connections
# Order: 150
host all emsa_tdms 0.0.0.0/0 md5
# Rule Name: IPv4 local 2
# Description: none
# Order: 150
host all all 127.0.0.1/32 ident
# Rule Name: Replication 1
# Description: Allow replication connections from localhost, by a user with the replication privilege
# Order: 150
local replication all peer
# Rule Name: Replication 2
# Description: none
# Order: 150
host replication all 127.0.0.1/32 ident
# Rule Name: Replication 3
# Description: none
# Order: 150
host replication all ::1/128 ident
Update:
I want to connect from the same machine and from a Django application.
Log:
2020-06-12 15:48:47.230 UTC [6945] FATAL: Peer authentication failed for user "emsa_tdms"
2020-06-12 15:48:47.230 UTC [6945] DETAIL: Connection matched pg_hba.conf line 11: "local all all ident "
2020-06-12 15:49:13.951 UTC [7017] LOG: provided user name (emsa_tdms) and authenticated user name (vagrant) do not match
2020-06-12 15:49:13.951 UTC [7017] FATAL: Peer authentication failed for user "emsa_tdms"
2020-06-12 15:49:13.951 UTC [7017] DETAIL: Connection matched pg_hba.conf line 11: "local all all ident "
2020-06-12 15:56:46.559 UTC [8545] FATAL: password authentication failed for user "emsa_tdms"
After removing the line:
local all all ident
Error:
psql: FATAL: no pg_hba.conf entry for host "[local]", user "emsa_tdms", database "emsa_tdms_django", SSL off
ident in a local pg_hba.conf line is interpreted as peer.
With simple or peer authentication, it checks that the Linux user connecting to the database server has the same name as the PostgreSQL user it is trying to connect as. But in your case they are not the same: "emsa_tdms" vs "vagrant". You basically have 4 options here: change the Linux user name running your Puppet script from "vagrant" to "emsa_tdms"; change your PostgreSQL user name from "emsa_tdms" to "vagrant"; add a user mapping (in pg_ident.conf) saying that "vagrant" is allowed to log in as "emsa_tdms" and activate this mapping in pg_hba.conf; or choose a different authentication method, e.g. md5.
It looks like you were also trying password authentication, which failed too, but you cut the log off too early to know why. Perhaps that attempt came from something other than Puppet, though.
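The following is an added example, not code from the question, the answer, or PostgreSQL itself. It is a small first-match simulator for pg_hba.conf and pg_ident.conf that reproduces the three things this thread turns on: the socket connection as OS user vagrant hitting "local all all ident" (which PostgreSQL treats as peer) and failing, the "no pg_hba.conf entry" error once that line is deleted, and the answer's third option of keeping peer but adding a pg_ident.conf map. The rule lines embedded below are the ones from the pg_hba.conf posted above with the Puppet comments dropped; the map name "tdms" and the pg_ident.conf line are constructed for the example. Group names (+group), samerole, and regex entries in pg_ident.conf are not modelled.

```python
"""pg_hba.conf / pg_ident.conf first-match simulator (illustrative, not PostgreSQL's hba.c)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class HbaRule:
    lineno: int
    conn_type: str          # local | host | hostssl | hostnossl
    databases: list         # comma-separated column split into a list
    users: list
    address: Optional[str]  # CIDR (or addr/netmask) for host rules, None for local
    method: str             # method exactly as written in the file
    options: dict = field(default_factory=dict)  # e.g. {'map': 'tdms'}

    @property
    def effective_method(self):
        # PostgreSQL treats 'ident' on a Unix-socket ('local') line as 'peer'.
        return 'peer' if self.conn_type == 'local' and self.method == 'ident' else self.method


def parse_pg_hba(text):
    """Parse pg_hba.conf text into rules, keeping the file line number of each."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        conn_type, dbs, users = parts[0], parts[1].split(','), parts[2].split(',')
        if conn_type == 'local':
            address, rest = None, parts[3:]
        else:
            address, rest = parts[3], parts[4:]
            if '/' not in address and rest:      # "address netmask" spelling
                try:
                    ipaddress.ip_address(rest[0])
                    address, rest = f"{address}/{rest[0]}", rest[1:]
                except ValueError:
                    pass
        options = dict(o.split('=', 1) for o in rest[1:] if '=' in o)
        rules.append(HbaRule(lineno, conn_type, dbs, users, address, rest[0], options))
    return rules


def _db_matches(patterns, database, user, replication):
    for p in patterns:
        if replication:                 # physical replication only matches the keyword
            if p == 'replication':
                return True
            continue
        if p == 'all' or p == database or (p == 'sameuser' and database == user):
            return True
    return False


def find_matching_rule(rules, conn_type, database, user, address=None, ssl=False, replication=False):
    """First applicable rule in file order; None means 'no pg_hba.conf entry for ...'."""
    for r in rules:
        if conn_type == 'local':
            if r.conn_type != 'local':
                continue
        else:
            if r.conn_type == 'local' or (r.conn_type == 'hostssl' and not ssl) \
                    or (r.conn_type == 'hostnossl' and ssl):
                continue
            if ipaddress.ip_address(address) not in ipaddress.ip_network(r.address, strict=False):
                continue
        if _db_matches(r.databases, database, user, replication) and \
                any(u == 'all' or u == user for u in r.users):
            return r
    return None


def parse_pg_ident(text):
    """pg_ident.conf: MAPNAME SYSTEM-USERNAME PG-USERNAME (regex entries skipped)."""
    maps = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if line:
            mapname, os_name, pg_name = line.split()[:3]
            maps.setdefault(mapname, []).append((os_name, pg_name))
    return maps


def peer_auth_allows(rule, os_user, pg_user, ident_maps):
    """Outcome of peer authentication for a matched local rule, with or without map=."""
    mapname = rule.options.get('map')
    if mapname is None:
        return os_user == pg_user       # the question's case: vagrant != emsa_tdms
    return any(o == os_user and p == pg_user
               for o, p in ident_maps.get(mapname, []) if not o.startswith('/'))


# Rule lines from the posted pg_hba.conf, Puppet comments dropped.
OP_PG_HBA = """\
local all postgres ident
local all all ident
host all postgres 127.0.0.1/32 md5
host all postgres 0.0.0.0/0 reject
host all all 127.0.0.1/32 md5
host all all ::1/128 md5
host all emsa_tdms 0.0.0.0/0 md5
host all all 127.0.0.1/32 ident
local replication all peer
host replication all 127.0.0.1/32 ident
host replication all ::1/128 ident
"""


def diagnose_op_case():
    """Replay the two errors from the question and the pg_ident mapping from the answer."""
    rules = parse_pg_hba(OP_PG_HBA)
    r = find_matching_rule(rules, 'local', 'emsa_tdms_django', 'emsa_tdms')
    without = [x for x in rules if not (x.conn_type == 'local' and x.users == ['all'] and x.databases == ['all'])]
    r_tcp = find_matching_rule(rules, 'host', 'emsa_tdms_django', 'emsa_tdms', address='127.0.0.1')
    fixed = parse_pg_hba("local all all peer map=tdms\n")          # constructed map name
    ident = parse_pg_ident("tdms vagrant emsa_tdms\n")                # constructed pg_ident.conf line
    r_fix = find_matching_rule(fixed, 'local', 'emsa_tdms_django', 'emsa_tdms')
    return {
        'matched_line': r.lineno, 'method_in_file': r.method, 'effective': r.effective_method,
        'peer_ok': peer_auth_allows(r, 'vagrant', 'emsa_tdms', {}),
        'no_entry_after_delete': find_matching_rule(without, 'local', 'emsa_tdms_django', 'emsa_tdms') is None,
        'tcp_method': r_tcp.effective_method,
        'mapped_peer_ok': peer_auth_allows(r_fix, 'vagrant', 'emsa_tdms', ident),
    }


if __name__ == '__main__':
    for k, v in diagnose_op_case().items():
        print(f"{k}: {v}")
```

The TCP lookup shows why the same credentials behave differently over 127.0.0.1: the first host rule that fits a non-postgres user is the md5 one, so a password is what is checked there, while over the socket the peer check never looks at the password at all. Running a lookup like this against the generated file before deleting rules is a cheaper way to see which line will match than reading the server log after the fact.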