graph-node won't work with PGPASSFILE environment variable #4336

Open
@endersonmaia

Do you want to request a feature or report a bug?

I think it's a BUG.

What is the current behavior?

Trying to configure graph-node inside a Kubernetes Pod that will connect to a PostgreSQL database using the PGPASSFILE, so that I don't need to place the password inside the config file.

If the current behavior is a bug, please provide the steps to reproduce and if possible a minimal demo of the problem.

If I define the connection string as connection="postgres://username@hostname:port/database" without the password, and define a file with the following content:

/.pgpassfile (0600)

hostname:port:database:username:mysuperpassword

Confusing messages: postgres and graph-node say they failed to authenticate, but then graph-node says it connects and finishes the migrations? 🤔

postgres_1    | 2023-02-03 16:56:09.578 UTC [57] FATAL:  password authentication failed for user "graph-node"
postgres_1    | 2023-02-03 16:56:09.578 UTC [57] DETAIL:  Connection matched pg_hba.conf line 100: "host all all all scram-sha-256"
graph-node_1  | Feb 03 16:56:09.579 ERRO Failed to connect notification listener: db error: FATAL: password authentication failed for user "graph-node", retry_delay_s: 1, attempt: 0, channel: store_events, component: NotificationListener
graph-node_1  | Feb 03 16:56:09.579 INFO Connecting to Postgres, weight: 1, conn_pool_size: 10, url: postgresql://graph-node@postgres:5432/graph-node?sslmode=prefer, pool: main, shard: primary
graph-node_1  | Feb 03 16:56:09.580 INFO Pool successfully connected to Postgres, pool: main, shard: primary, component: Store
graph-node_1  | Feb 03 16:56:09.596 INFO Setting up fdw, pool: main, shard: primary, component: ConnectionPool
graph-node_1  | Feb 03 16:56:09.612 INFO Running migrations, pool: main, shard: primary, component: ConnectionPool
graph-node_1  | Feb 03 16:56:09.614 INFO Migrations finished, pool: main, shard: primary, component: ConnectionPool

And an ENV PGPASSFILE=/.pgpassfile, should be enough to make the connection.

PGPASSFILE will support any combination of credentials with a unique tuple hostname:port:database:username and look up its password.

What is the expected behavior?

The expected behavior is for graph-node to support connecting to a PostgreSQL database with the password defined via PGPASSFILE.

Sources: https://www.postgresql.org/docs/13/libpq-pgpass.html
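
The lookup the report expects, sketched as an added example that is not part of the original issue and is not graph-node code: it follows the password-file rules in the libpq documentation linked above (first matching line wins, `*` wildcards, `\:` and `\\` escapes, file ignored when group or others have access). The function names are hypothetical and the host, port, database and user values are taken from the log lines in the report.

```rust
// Added example, not graph-node code: resolve a password from a pgpass file.
use std::{fs, os::unix::fs::PermissionsExt};

/// Split one pgpass line into fields, honoring `\:` and `\\` escapes.
fn split_fields(line: &str) -> Vec<String> {
    let mut fields = vec![String::new()];
    let mut chars = line.chars();
    while let Some(c) = chars.next() {
        match c {
            // A backslash makes the next character literal.
            '\\' => {
                if let Some(next) = chars.next() {
                    fields.last_mut().unwrap().push(next);
                }
            }
            ':' => fields.push(String::new()),
            _ => fields.last_mut().unwrap().push(c),
        }
    }
    fields
}

/// The first line whose four key fields match (literally or via `*`) wins.
fn lookup(contents: &str, host: &str, port: &str, db: &str, user: &str) -> Option<String> {
    let wanted = [host, port, db, user];
    contents
        .lines()
        .filter(|l| !l.trim().is_empty() && !l.starts_with('#'))
        .map(split_fields)
        .filter(|f| f.len() == 5)
        .find(|f| f[..4].iter().zip(wanted).all(|(p, v)| p.as_str() == "*" || p.as_str() == v))
        .map(|f| f[4].clone())
}

/// Read the file, refusing it when group or others have any access
/// (libpq ignores such a file too).
fn password_from_file(path: &str, host: &str, port: &str, db: &str, user: &str) -> Option<String> {
    let mode = fs::metadata(path).ok()?.permissions().mode();
    if mode & 0o077 != 0 {
        return None;
    }
    lookup(&fs::read_to_string(path).ok()?, host, port, db, user)
}

fn main() {
    // PGPASSFILE names the file; host, port, database and user mirror the report's logs.
    let path = std::env::var("PGPASSFILE").unwrap_or_else(|_| "/.pgpassfile".into());
    println!("{:?}", password_from_file(&path, "postgres", "5432", "graph-node", "graph-node").is_some());
}
```

The `main` function prints only whether a password was found, so the secret never reaches stdout or the logs.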

    Labels

    Stale; ops (Relevant to Graph Node Ops); security (Pull requests that address a security vulnerability)
