Set password authentification to scram-sha-256 (#240)

* Set password authentication to scram-sha-256

* fix init startup and make the default pass auth to md5

* Update readme

Co-authored-by: admire <admire@kartoza.com>
mazano 2020-05-01 07:33:49 +02:00 zatwierdzone przez GitHub
rodzic 6b432add57
commit 729d6d94fa
5 zmienionych plików z 12 dodań i 3 usunięć


@ -128,6 +128,7 @@ You need to specify different empty directory, like this
-e DEFAULT_ENCODING="UTF8" \
-e DEFAULT_COLLATION="id_ID.utf8" \
-e DEFAULT_CTYPE="id_ID.utf8" \
-e --auth="md5" \
-e INITDB_EXTRA_ARGS="<some more initdb command args>"
```
@ -141,6 +142,7 @@ If the container uses existing cluster, it will be ignored (for example, when th
* `DEFAULT_COLLATION`: cluster collation
* `DEFAULT_CTYPE`: cluster ctype
* `WAL_SEGSIZE`: WAL segsize option
* `--auth` : PASSWORD AUTHENTICATION
* `INITDB_EXTRA_ARGS`: extra parameter that will be passed down to `initdb` command
In addition to that, we have another parameter: `RECREATE_DATADIR` that can be used to force database reinitializations.


@ -217,6 +217,10 @@ if [ -z "${SHARED_PRELOAD_LIBRARIES}" ]; then
SHARED_PRELOAD_LIBRARIES='pg_cron'
fi
if [ -z "$PASSWORD_AUTHENTICATION" ]; then
PASSWORD_AUTHENTICATION="md5"
fi
# Compatibility with official postgres variable
# Official postgres variable gets priority
if [ -n "${POSTGRES_PASSWORD}" ]; then
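Review bot: The default set at `PASSWORD_AUTHENTICATION="md5"` is never validated, yet the same variable is interpolated into three places with different vocabularies: `--auth=` for initdb and the `host all all … ${PASSWORD_AUTHENTICATION}` pg_hba rule accept any pg_hba method (trust, peer, ident, …), while `password_encryption= '${PASSWORD_AUTHENTICATION}'` in the postgresql.conf hunk only accepts a hashing algorithm, so a value such as `trust` passes initdb and pg_hba but should leave the server refusing to start on an invalid parameter. Rejecting anything but the two values this commit actually supports, right after the default is applied, keeps the three consumers consistent (rewritten block below). The README hunk appears to document this knob as `-e --auth="md5"`, which does not set this variable; presumably it should read `-e PASSWORD_AUTHENTICATION="md5"`.
```shell
if [ -z "$PASSWORD_AUTHENTICATION" ]; then
  PASSWORD_AUTHENTICATION="md5"
fi
# The value feeds initdb --auth, pg_hba.conf and password_encryption;
# only these two are valid in all three places.
case "$PASSWORD_AUTHENTICATION" in
  md5|scram-sha-256) ;;
  *) echo "PASSWORD_AUTHENTICATION must be md5 or scram-sha-256, got '${PASSWORD_AUTHENTICATION}'" >&2; exit 1 ;;
esac
# … unchanged: POSTGRES_PASSWORD compatibility block …
```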


@ -49,6 +49,7 @@ recovery_target_action=${TARGET_ACTION}
promote_trigger_file = '${PROMOTE_FILE}'
shared_preload_libraries = '${SHARED_PRELOAD_LIBRARIES}'
cron.database_name = '${SINGLE_DB}'
password_encryption= '${PASSWORD_AUTHENTICATION}'
EOF


@ -13,8 +13,10 @@ if [[ -z "$(ls -A ${DATADIR} 2> /dev/null)" || "${RECREATE_DATADIR}" == 'TRUE' ]
rm -rf ${DATADIR}/*
chown -R postgres:postgres ${DATADIR}
echo "Initializing with command:"
command="$INITDB -U postgres -E ${DEFAULT_ENCODING} --lc-collate=${DEFAULT_COLLATION} --lc-ctype=${DEFAULT_CTYPE} --wal-segsize=${WAL_SEGSIZE} -D ${DATADIR} ${INITDB_EXTRA_ARGS}"
echo "postgres" > /tmp/superuser_pass.txt
command="$INITDB -U postgres --pwfile "/tmp/superuser_pass.txt" -E ${DEFAULT_ENCODING} --lc-collate=${DEFAULT_COLLATION} --lc-ctype=${DEFAULT_CTYPE} --wal-segsize=${WAL_SEGSIZE} --auth=${PASSWORD_AUTHENTICATION} -D ${DATADIR} ${INITDB_EXTRA_ARGS}"
su - postgres -c "$command"
rm /tmp/superuser_pass.txt
fi;
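Review bot: `echo "postgres" > /tmp/superuser_pass.txt` writes the initial superuser password to a fixed, predictable path created under the process umask (typically 0644), so any other user or process in the container can read it for as long as initdb runs, and the `rm` on the last added line is skipped entirely if initdb fails. The embedded `"/tmp/superuser_pass.txt"` quotes inside the `command="…"` string close and reopen the outer quoting; that only works because the path contains no spaces. Creating the file with `mktemp` (mode 0600, random suffix), handing it to the `postgres` user that `su - postgres -c` runs initdb as, and removing it with `rm -f` regardless of outcome addresses all three; a `trap … EXIT` would be better still if the script has no EXIT trap of its own. The enclosing `if` opens on the hunk header line, outside this hunk.
```shell
echo "Initializing with command:"
pwfile=$(mktemp /tmp/superuser_pass.XXXXXX)   # 0600, unpredictable name
chown postgres:postgres "$pwfile"             # initdb runs as postgres via su
echo "postgres" > "$pwfile"
command="$INITDB -U postgres --pwfile ${pwfile} -E ${DEFAULT_ENCODING} --lc-collate=${DEFAULT_COLLATION} --lc-ctype=${DEFAULT_CTYPE} --wal-segsize=${WAL_SEGSIZE} --auth=${PASSWORD_AUTHENTICATION} -D ${DATADIR} ${INITDB_EXTRA_ARGS}"
su - postgres -c "$command"
rm -f -- "$pwfile"
```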
# Set proper permissions


@ -17,14 +17,14 @@ cat ${ROOT_CONF}/pg_hba.conf.template > ${ROOT_CONF}/pg_hba.conf
if [[ "$ALLOW_IP_RANGE" ]]
then
echo "Add rule to pg_hba: $ALLOW_IP_RANGE"
echo "host all all $ALLOW_IP_RANGE md5" >> ${ROOT_CONF}/pg_hba.conf
echo "host all all $ALLOW_IP_RANGE ${PASSWORD_AUTHENTICATION}" >> ${ROOT_CONF}/pg_hba.conf
fi
# check password first so we can output the warning before postgres
# messes it up
if [[ "$POSTGRES_PASS" ]]; then
pass="PASSWORD '$POSTGRES_PASS'"
authMethod=md5
authMethod=${PASSWORD_AUTHENTICATION}
else
# The - option suppresses leading tabs but *not* spaces. :)
cat >&2 <<-'EOWARN'
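Review bot: The new rule `host all all $ALLOW_IP_RANGE ${PASSWORD_AUTHENTICATION}` applies the method to every role, but the initdb hunk shows the cluster is only initialised when `${DATADIR}` is empty, so an existing deployment that flips `PASSWORD_AUTHENTICATION` to `scram-sha-256` keeps roles whose passwords are still stored as md5 hashes, and those roles can no longer authenticate; only the `POSTGRES_PASS` branch below appears to re-set a password (the superuser's) under the new `password_encryption`. The reverse direction is safe, since an `md5` pg_hba entry negotiates SCRAM when the stored hash is SCRAM, so the usual rollout is to change `password_encryption` first, re-set each role's password, and switch pg_hba last. A comment on the rule, `# Changing this on an existing cluster requires re-setting passwords hashed under the old method first`, and a matching sentence in the README would save operators a lockout. The `if [[ "$POSTGRES_PASS" ]]` block continues past the end of this hunk.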