For security purposes it's desirable to protect database access using a password.
LightDB has three ways of providing a password:
conninfo
string
(e.g. "host=node1 dbname=ltcluster user=ltcluster password=foo
")
PGPASSWORD
)
We strongly advise against including the password in the conninfo
string, as
this will result in the database password being exposed in various places, including in the
ltcluster.conf
file, the ltcluster.nodes
table, any output
generated by ltcluster which lists the node conninfo
strings (e.g.
ltcluster cluster show) and in the ltcluster log file,
particularly at log_level=DEBUG
.
Currently ltcluster does not fully support use of the password
option in the
conninfo
string.
Exporting the password as an environment variable (PGPASSWORD
) is considered
less insecure, but the LightDB documentation explicitly recommends against doing this:
| ||
--Environment Variables |
The most secure option for managing passwords is to use a dedicated password file; see the following section for more details.
The most secure way of storing passwords is in a password file,
which by default is ~/.pgpass
. This file
can only be read by the system user who owns the file, and
LightDB will refuse to use the file unless read/write
permissions are restricted to the file owner. The password(s)
contained in the file will not be directly accessed by
ltcluster (or any other libpq-based client software such as ltsql).
For full details see the LightDB password file documentation.
For use with ltcluster, the ~/.pgpass
must two entries for each
node in the replication cluster: one for the ltcluster user who accesses the ltcluster metadatabase,
and one for replication connections (regardless of whether a dedicated replication user is used).
The file must be present on each node in the replication cluster.
A ~/.pgpass
file for a 3-node cluster where the ltcluster
database user
is used for both for accessing the ltcluster metadatabase and for replication connections would look like this:
node1:5432:ltcluster:ltcluster:foo node1:5432:replication:ltcluster:foo node2:5432:ltcluster:ltcluster:foo node2:5432:replication:ltcluster:foo node3:5432:ltcluster:ltcluster:foo node3:5432:replication:ltcluster:foo
If a dedicated replication user (here: repluser
) is in use, the file would look like this:
node1:5432:ltcluster:ltcluster:foo node1:5432:replication:repluser:foo node2:5432:ltcluster:ltcluster:foo node2:5432:replication:repluser:foo node3:5432:ltcluster:ltcluster:foo node3:5432:replication:repluser:foo
If you are planning to use the -S
/--superuser
option,
there must also be an entry enabling the superuser to connect to the ltcluster database.
Assuming the superuser is lightdb
, the file would look like this:
node1:5432:ltcluster:ltcluster:foo node1:5432:ltcluster:lightdb:foo node1:5432:replication:repluser:foo node2:5432:ltcluster:ltcluster:foo node2:5432:ltcluster:lightdb:foo node2:5432:replication:repluser:foo node3:5432:ltcluster:ltcluster:foo node3:5432:ltcluster:lightdb:foo node3:5432:replication:repluser:foo
The ~/.pgpass
file can be simplified with the use of wildcards if
there is no requirement to restrict provision of passwords to particular hosts, ports
or databases. The preceding file could then be formatted like this:
*:*:*:ltcluster:foo *:*:*:lightdb:foo
It's possible to specify an alternative location for the ~/.pgpass
file, either via
the environment variable PGPASSFILE
, or (from LightDB 21) using the
passfile
parameter in connection strings.
If using the passfile
parameter, it's essential to ensure the file is in the same
location on all nodes, as when connecting to a remote node, the file referenced is the one on the
local node.
Additionally, you must specify the passfile location in ltcluster.conf
with the passfile
option so ltcluster can write the correct path when creating the
primary_conninfo
parameter for replication configuration on standbys.