sqlpostgresqlpostgresql-10pglogical

Can I use .pgpass in logical replication?

I'm using Logical replication. I made subscription like below. 

=# CREATE SUBSCRIPTION mysub CONNECTION 'host=xxx.xxx.xxx.xxx port=5432 
     user=postgres dbname=mydb password=<password>' PUBLICATION mypub;
NOTICE:  created replication slot "mysub" on publisher
CREATE SUBSCRIPTION

But I wonder if I can use .pgpass file to provide password. Of course, I tried it. But it failed like below.

=# CREATE SUBSCRIPTION mysub CONNECTION 'host=xxx.xxx.xxx.xxx port=5432 
    user=postgres dbname=mydb' PUBLICATION mypub;
ERROR:  could not connect to the publisher: fe_sendauth: no password supplied

[My .pgpass]

localhost:5432:postgres:postgres:<password>
localhost:5432:mydb:postgres:<password>
xxx.xxx.xxx.xxx:5432:mydb:postgres:<password>

This .pgpass file works well for pgAgent.

Can I use .pgpass file for logical replication? or Should I write my password in CREATE statement? If writing password in CREATE command is the only answer, is it secure?

Solution

  • https://www.postgresql.org/docs/10/static/sql-createsubscription.html

    CONNECTION 'conninfo' The connection string to the publisher. For details see

    https://www.postgresql.org/docs/10/static/libpq-connect.html#LIBPQ-CONNSTRING

    passfile

    Specifies the name of the file used to store passwords (see Section 33.15). Defaults to ~/.pgpass

    So yes - it should work. Lets mock up. First I deliberately use bad passfile to see if it's reflected in error:

    t=# CREATE SUBSCRIPTION mysub CONNECTION 'host=localhost port=5433 passfile=/tmp/p user=vao dbname=t' PUBLICATION mypub;
ERROR:  could not connect to the publisher: fe_sendauth: no password supplied

    no, it's not, but checking logs does:

    -bash-4.2$ tail /pg/d10/log/postgresql-Tue.log | grep WARN | tail -n 1
WARNING: password file "/tmp/p" has group or world access; permissions should be u=rw (0600) or less

    ok, try using the default:

    t=# CREATE SUBSCRIPTION mysub CONNECTION 'host=localhost port=5433 user=vao dbname=t' PUBLICATION mypub;
ERROR:  could not connect to the publisher: fe_sendauth: no password supplied

    and this time even no warning! so checking chmod:

    -bash-4.2$ ll ~/.pgpass
-r-------- 1 postgres postgres 1227 May 15 15:00 /home/vao/.pgpass

    looks good, but aha - no line for this connection, because below asks for password:

    -bash-4.2$ psql -h localhost -p 5433 -U vao t
Password for user vao:

    so:

    echo '*:*:*:vao:blah' > ~/.pgpass
-bash-4.2$ psql -h localhost -p 5433 -U vao t
psql: FATAL:  password authentication failed for user "vao"
password retrieved from file "/var/lib/pgsql93/.pgpass"

    aha - now it uses it, so back to SQL:

    t=# CREATE SUBSCRIPTION mysub CONNECTION 'host=localhost port=5433 user=vao dbname=t' PUBLICATION mypub;
ERROR:  could not connect to the publisher: FATAL:  password authentication failed for user "vao"
password retrieved from file "/var/lib/pgsql93/.pgpass"

    yes, you can use both specified and default pgpassword file for logical replication subscription