From 729d6d94fa282e08677639e2e05899edc6a22e47 Mon Sep 17 00:00:00 2001 From: mazano Date: Fri, 1 May 2020 07:33:49 +0200 Subject: [PATCH] Set password authentification to scram-sha-256 (#240) * Set password authentification to scram-sha-256 * fix init startup and make the default pass auth to md5 * Update readme Co-authored-by: admire --- README.md | 2 ++ scripts/env-data.sh | 4 ++++ scripts/setup-conf.sh | 1 + scripts/setup-database.sh | 4 +++- scripts/setup-pg_hba.sh | 4 ++-- 5 files changed, 12 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 7ecc61c..2a8929a 100644 --- a/README.md +++ b/README.md @@ -128,6 +128,7 @@ You need to specify different empty directory, like this -e DEFAULT_ENCODING="UTF8" \ -e DEFAULT_COLLATION="id_ID.utf8" \ -e DEFAULT_CTYPE="id_ID.utf8" \ +-e --auth="md5" \ -e INITDB_EXTRA_ARGS="" ``` @@ -141,6 +142,7 @@ If the container uses existing cluster, it will be ignored (for example, when th * `DEFAULT_COLLATION`: cluster collation * `DEFAULT_CTYPE`: cluster ctype * `WAL_SEGSIZE`: WAL segsize option +* `--auth` : PASSWORD AUTHENTICATION * `INITDB_EXTRA_ARGS`: extra parameter that will be passed down to `initdb` command In addition to that, we have another parameter: `RECREATE_DATADIR` that can be used to force database reinitializations. diff --git a/scripts/env-data.sh b/scripts/env-data.sh index a3191b2..179b49c 100644 --- a/scripts/env-data.sh +++ b/scripts/env-data.sh @@ -217,6 +217,10 @@ if [ -z "${SHARED_PRELOAD_LIBRARIES}" ]; then SHARED_PRELOAD_LIBRARIES='pg_cron' fi +if [ -z "$PASSWORD_AUTHENTICATION" ]; then + PASSWORD_AUTHENTICATION="md5" +fi + # Compatibility with official postgres variable # Official postgres variable gets priority if [ -n "${POSTGRES_PASSWORD}" ]; then diff --git a/scripts/setup-conf.sh b/scripts/setup-conf.sh index 667f306..19231da 100644 --- a/scripts/setup-conf.sh +++ b/scripts/setup-conf.sh 
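Review bot: The `PASSWORD_AUTHENTICATION` default added here is never validated, although the value is pasted verbatim into pg_hba.conf as the auth method, into postgresql.conf as `password_encryption` and into `initdb --auth=` by the other hunks of this patch, so a typo or an unintended value such as `trust` changes who can log in without any error. Restricting it to the two values the patch is designed for, right where it is defaulted, keeps that failure loud; if env-data.sh is sourced rather than executed, use `return 1` instead of `exit 1`. The README hunk of this patch documents the knob as `-e --auth="md5"`, which is not the variable this block reads; it should say `-e PASSWORD_AUTHENTICATION="md5"`. For consistency with the `SHARED_PRELOAD_LIBRARIES` test just above, reference the variable as `"${PASSWORD_AUTHENTICATION}"`.
```shell
if [ -z "${PASSWORD_AUTHENTICATION}" ]; then
  PASSWORD_AUTHENTICATION="md5"
fi
# Only the two methods the setup scripts are written for; anything else would be
# copied verbatim into pg_hba.conf, postgresql.conf and `initdb --auth`.
case "${PASSWORD_AUTHENTICATION}" in
  md5|scram-sha-256) ;;
  *)
    echo "Unsupported PASSWORD_AUTHENTICATION value: ${PASSWORD_AUTHENTICATION} (expected md5 or scram-sha-256)" >&2
    exit 1
    ;;
esac
```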
@@ -49,6 +49,7 @@ recovery_target_action=${TARGET_ACTION} promote_trigger_file = '${PROMOTE_FILE}' shared_preload_libraries = '${SHARED_PRELOAD_LIBRARIES}' cron.database_name = '${SINGLE_DB}' +password_encryption= '${PASSWORD_AUTHENTICATION}' EOF diff --git a/scripts/setup-database.sh b/scripts/setup-database.sh index da3598e..feb79ed 100644 --- a/scripts/setup-database.sh +++ b/scripts/setup-database.sh @@ -13,8 +13,10 @@ if [[ -z "$(ls -A ${DATADIR} 2> /dev/null)" || "${RECREATE_DATADIR}" == 'TRUE' ] rm -rf ${DATADIR}/* chown -R postgres:postgres ${DATADIR} echo "Initializing with command:" - command="$INITDB -U postgres -E ${DEFAULT_ENCODING} --lc-collate=${DEFAULT_COLLATION} --lc-ctype=${DEFAULT_CTYPE} --wal-segsize=${WAL_SEGSIZE} -D ${DATADIR} ${INITDB_EXTRA_ARGS}" + echo "postgres" > /tmp/superuser_pass.txt + command="$INITDB -U postgres --pwfile "/tmp/superuser_pass.txt" -E ${DEFAULT_ENCODING} --lc-collate=${DEFAULT_COLLATION} --lc-ctype=${DEFAULT_CTYPE} --wal-segsize=${WAL_SEGSIZE} --auth=${PASSWORD_AUTHENTICATION} -D ${DATADIR} ${INITDB_EXTRA_ARGS}" su - postgres -c "$command" + rm /tmp/superuser_pass.txt fi; # Set proper permissions diff --git a/scripts/setup-pg_hba.sh b/scripts/setup-pg_hba.sh index f695597..fd2f0b5 100644 --- a/scripts/setup-pg_hba.sh +++ b/scripts/setup-pg_hba.sh @@ -17,14 +17,14 @@ cat ${ROOT_CONF}/pg_hba.conf.template > ${ROOT_CONF}/pg_hba.conf if [[ "$ALLOW_IP_RANGE" ]] then echo "Add rule to pg_hba: $ALLOW_IP_RANGE" - echo "host all all $ALLOW_IP_RANGE md5" >> ${ROOT_CONF}/pg_hba.conf + echo "host all all $ALLOW_IP_RANGE ${PASSWORD_AUTHENTICATION}" >> ${ROOT_CONF}/pg_hba.conf fi # check password first so we can output the warning before postgres # messes it up if [[ "$POSTGRES_PASS" ]]; then pass="PASSWORD '$POSTGRES_PASS'" - authMethod=md5 + authMethod=${PASSWORD_AUTHENTICATION} else # The - option suppresses leading tabs but *not* spaces. :) cat >&2 <<-'EOWARN'
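Review bot: The added heredoc line `password_encryption= '${PASSWORD_AUTHENTICATION}'` breaks the `key = 'value'` spacing every neighbouring line uses; write it as `password_encryption = '${PASSWORD_AUTHENTICATION}'`. This setting only decides how passwords set from now on are hashed; roles created before a switch from md5 to scram-sha-256 keep their md5 hash, which matters once pg_hba.conf (setup-pg_hba.sh hunk of this patch) demands scram-sha-256, so a comment above the line, `# how newly set passwords are stored; must match the method pg_hba.conf asks for`, would make that dependency visible. The heredoc this line belongs to begins outside the hunk.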
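Review bot: The superuser password file is created with `echo "postgres" > /tmp/superuser_pass.txt`, i.e. at a fixed path with the caller's default umask, and the `rm` on the line after `su` is skipped whenever initdb fails (or the script aborts under `set -e`, which is not visible here), leaving the password on disk. Create it with `mktemp`, restrict it to the postgres user, and remove it on every exit path; the rewrite below does that. The inner quotes in `--pwfile "/tmp/superuser_pass.txt"` sit inside the double-quoted `command=` string, so they close and reopen that string rather than quoting the path — it works only because the path has no spaces, and the rewrite drops them. The password written is the literal `postgres`; presumably the `pass="PASSWORD '$POSTGRES_PASS'"` step in setup-pg_hba.sh later replaces it, but if so a comment saying so belongs here, and if not the pwfile should carry `${POSTGRES_PASS}` instead. The enclosing `if [[ -z "$(ls -A ${DATADIR} ...)" ... ]]` block starts before this hunk.
```shell
  echo "Initializing with command:"
  # initdb with --auth=md5/scram-sha-256 needs a superuser password; keep it in a
  # private temp file owned by postgres and drop it on every exit path.
  pwfile=$(mktemp /tmp/superuser_pass.XXXXXX)
  chown postgres:postgres "${pwfile}"
  chmod 600 "${pwfile}"
  trap 'rm -f -- "${pwfile}"' EXIT
  printf '%s\n' "postgres" > "${pwfile}"
  command="$INITDB -U postgres --pwfile ${pwfile} -E ${DEFAULT_ENCODING} --lc-collate=${DEFAULT_COLLATION} --lc-ctype=${DEFAULT_CTYPE} --wal-segsize=${WAL_SEGSIZE} --auth=${PASSWORD_AUTHENTICATION} -D ${DATADIR} ${INITDB_EXTRA_ARGS}"
  su - postgres -c "$command"
  rm -f -- "${pwfile}"
```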
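Review bot: Both new lines (`authMethod=${PASSWORD_AUTHENTICATION}` and the `ALLOW_IP_RANGE` rule) apply the configured method to every connection, so a container whose existing data directory holds md5-hashed passwords will lock out all those roles the moment `PASSWORD_AUTHENTICATION` is switched to `scram-sha-256`, because the scram method cannot verify an md5 hash and `password_encryption` (setup-conf.sh hunk) only affects passwords set afterwards. Either document that passwords must be re-set after switching, or re-apply `POSTGRES_PASS` unconditionally on an existing cluster where `pass` is consumed (outside this hunk). The template copied by `cat ${ROOT_CONF}/pg_hba.conf.template` on the line above the hunk is not part of this patch; if it still contains hard-coded `md5` rules, those stay on md5 regardless of the variable — worth checking. Quote the assignment as `authMethod="${PASSWORD_AUTHENTICATION}"` to match `pass=` above it.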