[Pacemaker] postgresql RA problem [SOLVED]

Serge Dubrouski sergeyfd at gmail.com
Sun Sep 20 21:22:29 EDT 2009


Ok. I reviewed what was changed and I'm afraid that these changes are
no good. Using the PGPASSWORD variable isn't recommended because it's
considered insecure. Putting the DBA password into the pacemaker
configuration brings even more security issues. A .pgpass file shall be
used instead when password authentication is required. See the PostgreSQL
documentation.

Then this line:

: ${OCF_RESKEY_psql=/usr/bin/psq}

doesn't make sense, since I don't think that psql was renamed to psq.

Changing runasowner function to

runasowner() {
        su $OCF_RESKEY_pgdba
        export PGPASSWORD=$OCF_RESKEY_pwd
        su $OCF_RESKEY_pgdba -c "$*"
}

completely breaks it, since the first su command starts a shell and leaves
the user there at the command prompt.

Have you tested your changes?

On Sun, Sep 20, 2009 at 8:54 AM, Serge Dubrouski <sergeyfd at gmail.com> wrote:
> Can you provide your change as a diff patch?
>
> On Sat, Sep 19, 2009 at 11:22 PM, E-Blokos <infos at e-blokos.com> wrote:
>> For those who are interested in having more password security with PostgreSQL:
>> until now the RA didn't work if the db user in pg_hba.conf was set to anything
>> other than "trust",
>> otherwise the psql command always asks for a password prompt, which breaks the RA
>> script.
>> So I updated the PGSQL RA to use pgsql with more security.
>>
>> Regards
>>
>> Franck Chionna
>
> --
> Serge Dubrouski.
>



-- 
Serge Dubrouski.
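
The .pgpass approach recommended in the message above, as an added example that is not part of the original post or of the postgresql RA: `pgpass_ok` is a hypothetical helper, the file contents are constructed, and the caller is assumed to export `PGPASSFILE` pointing at a file owned by the `$OCF_RESKEY_pgdba` account.

```shell
#!/bin/sh
# Added example, not the postgresql RA's code. pgpass_ok is a hypothetical helper.

# Succeed only if $1 is a password file libpq will actually use: a regular
# file, no group/other permission bits, one host:port:db:user:password line.
pgpass_ok() {
    f=$1
    [ -f "$f" ] || { echo "pgpass: $f not found" >&2; return 1; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ] || {
        echo "pgpass: $f is group/world accessible, chmod 0600 it" >&2
        return 1
    }
    awk -F: '!/^#/ && NF >= 5 { ok = 1 } END { exit !ok }' "$f" || {
        echo "pgpass: no usable entry in $f" >&2
        return 1
    }
}

# Same shape as the RA's runasowner, with no password in the environment.
# Assumes the caller exported PGPASSFILE (a path, not a secret) and that the
# file belongs to $OCF_RESKEY_pgdba. Pass -w to psql so it fails, not prompts.
runasowner() {
    pgpass_ok "$PGPASSFILE" || return 1
    su "$OCF_RESKEY_pgdba" -c "$*"
}

# Constructed sample file to exercise the check.
demo_dir=$(mktemp -d)
printf 'localhost:5432:*:postgres:constructed-secret\n' > "$demo_dir/pgpass"
chmod 600 "$demo_dir/pgpass"
pgpass_ok "$demo_dir/pgpass" && echo "0600 file accepted"
chmod 644 "$demo_dir/pgpass"
pgpass_ok "$demo_dir/pgpass" || echo "0644 file rejected"
rm -rf "$demo_dir"
```
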