Scram auth

config-examples/odyssey-aq.conf

@@ -56,11 +56,12 @@ storage "postgres_server" {
 
 database default {
 	user default {
-		authentication "md5"
+		authentication "scram-sha-256"
 		auth_query "SELECT usename, passwd FROM pg_shadow WHERE usename=$1"
 		auth_query_user "admin"
 		auth_query_db "postgres"
-		storage_password "passwd"
+		storage_password "odyssey"
+		storage_user "odyssey"
 
 		storage "postgres_server"
 		pool "session"
@@ -85,61 +86,17 @@ database default {
 		server_lifetime 1901
 		log_debug no
 
-		quantiles "0.99,0.95,0.5"
-		client_max 107
-	}
-}
-
-database "postgres" {
-	user "user_aq" {
-		authentication "none"
-
-		storage "postgres_server"
-
-		pool "session"
-		storage_user "admin"
-		storage_db "postgres"
-
-		log_debug yes
-		pool_discard yes
-		pool_size 20
-		pool_routing "internal"
-
-		quantiles "0.99,0.95,0.5"
-		client_max 107
-	}
-
-
-	user "user_aq" {
-		authentication "md5"
-		auth_query "SELECT usename, passwd FROM pg_shadow WHERE usename=$1"
-		auth_query_user "admin"
-		auth_query_db "postgres"
-		storage_password "passwd"
-
-		storage "postgres_server"
-		storage_password "1"
-		pool "statement"
-		pool_size 1
-
-		pool_timeout 0
-		pool_ttl 60
-		pool_discard no
-		pool_cancel yes
-		pool_rollback yes
-
-		client_fwd_error yes
+#		add this options to backend-startup package
+		backend_startup_options {
+			"_pq_.service_auth_role" "odyssey"
+		}
 
-		application_name_add_host yes
-		reserve_session_server_connection no
-		server_lifetime 3600
-		log_debug no
 
 		quantiles "0.99,0.95,0.5"
 		client_max 107
 	}
-
 }
+
 storage "local" {
 	type "local"
 }

sources/auth.c

@@ -951,15 +951,15 @@ static inline int od_auth_backend_sasl_continue(od_server_t *server,
 	/* use storage or user password */
 	char *password;
 
-	if (client != NULL && client->password.password != NULL) {
+	if (route->rule->storage_password) {
+		password = route->rule->storage_password;
+	} else if (client != NULL && client->password.password != NULL) {
 		od_error(
 			&instance->logger, "auth", NULL, server,
 			"cannot authenticate with SCRAM secret from auth_query",
 			route->rule->db_name, route->rule->user_name);
 
 		return -1;
-	} else if (route->rule->storage_password) {
-		password = route->rule->storage_password;
 	} else if (route->rule->password) {
 		password = route->rule->password;
 	} else if (client->received_password.password) {

sources/rules.c

@@ -1355,6 +1355,7 @@ int od_rules_autogenerate_defaults(od_rules_t *rules, od_logger_t *logger)
 	if (!default_rule->storage_password) {
 		od_log(logger, "config", NULL, NULL,
 		       "skipping default internal rule auto-generation: default rule storage password not set");
+
 		return OK_RESPONSE;
 	}
 
@@ -1380,6 +1381,7 @@ int od_rules_autogenerate_defaults(od_rules_t *rules, od_logger_t *logger)
 
 /* force several default settings */
 #define OD_DEFAULT_INTERNAL_POLL_SZ 0
+
 	rule->pool->type = strdup("transaction");
 	if (rule->pool->type == NULL)
 		return NOT_OK_RESPONSE;