3.8. Password Management

3.8.1. Password Management Options
3.8.2. Using a password file

3.8.1. Password Management Options

For security purposes it's desirable to protect database access using a password.

LightDB has three ways of providing a password:

  • including the password in the conninfo string (e.g. "host=node1 dbname=ltcluster user=ltcluster password=foo")
  • exporting the password as an environment variable (PGPASSWORD)
  • storing the password in a dedicated password file

We strongly advise against including the password in the conninfo string, as this will result in the database password being exposed in various places, including in the ltcluster.conf file, the ltcluster.nodes table, any output generated by ltcluster which lists the node conninfo strings (e.g. ltcluster cluster show) and in the ltcluster log file, particularly at log_level=DEBUG.

Note

Currently ltcluster does not fully support use of the password option in the conninfo string.

Exporting the password as an environment variable (PGPASSWORD) is considered less insecure, but the LightDB documentation explicitly recommends against doing this:

 

PGPASSWORD behaves the same as the password connection parameter. Use of this environment variable is not recommended for security reasons, as some operating systems allow non-root users to see process environment variables via ps; instead consider using a password file.

 
 --Environment Variables

The most secure option for managing passwords is to use a dedicated password file; see the following section for more details.

3.8.2. Using a password file

The most secure way of storing passwords is in a password file, which by default is ~/.pgpass. This file can only be read by the system user who owns the file, and LightDB will refuse to use the file unless read/write permissions are restricted to the file owner. The password(s) contained in the file will not be directly accessed by ltcluster (or any other libpq-based client software such as ltsql).

For full details see the LightDB password file documentation.

For use with ltcluster, the ~/.pgpass must two entries for each node in the replication cluster: one for the ltcluster user who accesses the ltcluster metadatabase, and one for replication connections (regardless of whether a dedicated replication user is used). The file must be present on each node in the replication cluster.

A ~/.pgpass file for a 3-node cluster where the ltcluster database user is used for both for accessing the ltcluster metadatabase and for replication connections would look like this:

node1:5432:ltcluster:ltcluster:foo
node1:5432:replication:ltcluster:foo
node2:5432:ltcluster:ltcluster:foo
node2:5432:replication:ltcluster:foo
node3:5432:ltcluster:ltcluster:foo
node3:5432:replication:ltcluster:foo

If a dedicated replication user (here: repluser) is in use, the file would look like this:

node1:5432:ltcluster:ltcluster:foo
node1:5432:replication:repluser:foo
node2:5432:ltcluster:ltcluster:foo
node2:5432:replication:repluser:foo
node3:5432:ltcluster:ltcluster:foo
node3:5432:replication:repluser:foo

If you are planning to use the -S/--superuser option, there must also be an entry enabling the superuser to connect to the ltcluster database. Assuming the superuser is lightdb, the file would look like this:

node1:5432:ltcluster:ltcluster:foo
node1:5432:ltcluster:lightdb:foo
node1:5432:replication:repluser:foo
node2:5432:ltcluster:ltcluster:foo
node2:5432:ltcluster:lightdb:foo
node2:5432:replication:repluser:foo
node3:5432:ltcluster:ltcluster:foo
node3:5432:ltcluster:lightdb:foo
node3:5432:replication:repluser:foo

The ~/.pgpass file can be simplified with the use of wildcards if there is no requirement to restrict provision of passwords to particular hosts, ports or databases. The preceding file could then be formatted like this:

*:*:*:ltcluster:foo
*:*:*:lightdb:foo

Note

It's possible to specify an alternative location for the ~/.pgpass file, either via the environment variable PGPASSFILE, or (from LightDB 21) using the passfile parameter in connection strings.

If using the passfile parameter, it's essential to ensure the file is in the same location on all nodes, as when connecting to a remote node, the file referenced is the one on the local node.

Additionally, you must specify the passfile location in ltcluster.conf with the passfile option so ltcluster can write the correct path when creating the primary_conninfo parameter for replication configuration on standbys.