我可以在逻辑复制中使用.pgpass吗？

Question

I'm using Logical replication. I made subscription like below.

=# CREATE SUBSCRIPTION mysub CONNECTION 'host=xxx.xxx.xxx.xxx port=5432 
     user=postgres dbname=mydb password=<password>' PUBLICATION mypub;
NOTICE:  created replication slot "mysub" on publisher
CREATE SUBSCRIPTION

But I wonder if I can use .pgpass file to provide password. Of course, I tried it. But it failed like below.

=# CREATE SUBSCRIPTION mysub CONNECTION 'host=xxx.xxx.xxx.xxx port=5432 
    user=postgres dbname=mydb' PUBLICATION mypub;
ERROR:  could not connect to the publisher: fe_sendauth: no password supplied

[My .pgpass]

localhost:5432:postgres:postgres:<password>
localhost:5432:mydb:postgres:<password>
xxx.xxx.xxx.xxx:5432:mydb:postgres:<password>

This .pgpass file works well for pgAgent.

Can I use .pgpass file for logical replication? or Should I write my password in CREATE statement? If writing password in CREATE command is the only answer, is it secure?

Answer 1

https://www.postgresql.org/docs/10/static/sql-createsubscription.html

CONNECTION 'conninfo' The connection string to the publisher. For details see

https://www.postgresql.org/docs/10/static/libpq-connect.html#LIBPQ-CONNSTRING

passfile

Specifies the name of the file used to store passwords (see Section 33.15). Defaults to ~/.pgpass

So yes - it should work. Lets mock up. First I deliberately use bad passfile to see if it's reflected in error:

t=# CREATE SUBSCRIPTION mysub CONNECTION 'host=localhost port=5433 passfile=/tmp/p user=vao dbname=t' PUBLICATION mypub;
ERROR:  could not connect to the publisher: fe_sendauth: no password supplied

no, it's not, but checking logs does:

-bash-4.2$ tail /pg/d10/log/postgresql-Tue.log | grep WARN | tail -n 1
WARNING: password file "/tmp/p" has group or world access; permissions should be u=rw (0600) or less

ok, try using the default:

t=# CREATE SUBSCRIPTION mysub CONNECTION 'host=localhost port=5433 user=vao dbname=t' PUBLICATION mypub;
ERROR:  could not connect to the publisher: fe_sendauth: no password supplied

and this time even no warning! so checking chmod:

-bash-4.2$ ll ~/.pgpass
-r-------- 1 postgres postgres 1227 May 15 15:00 /home/vao/.pgpass

looks good, but aha - no line for this connection, because below asks for password:

-bash-4.2$ psql -h localhost -p 5433 -U vao t
Password for user vao:

so:

echo '*:*:*:vao:blah' > ~/.pgpass
-bash-4.2$ psql -h localhost -p 5433 -U vao t
psql: FATAL:  password authentication failed for user "vao"
password retrieved from file "/var/lib/pgsql93/.pgpass"

aha - now it uses it, so back to SQL:

t=# CREATE SUBSCRIPTION mysub CONNECTION 'host=localhost port=5433 user=vao dbname=t' PUBLICATION mypub;
ERROR:  could not connect to the publisher: FATAL:  password authentication failed for user "vao"
password retrieved from file "/var/lib/pgsql93/.pgpass"

yes, you can use both specified and default pgpassword file for logical replication subscription

Answer 2

[Solved] I did like this.

• In .pgpass

   (IP of publisher):5432:mydb:postgres:(my password) 

• Changed owner, group of .pgpass to 'postgres'

   -rw-------. 1 postgres postgres 163 5월 18 06:06 .pgpass 

( When owner and group of .pgpass was 'pgagent', "fe_sendauth: no password supplied" occured. )

• After log in to DB

   =# create subscription mysub connection 'host=(IP of publisher) port=5432 user=postgres dbname=mydb passfile=/var/lib/pgsql/.pgpass' publication mypub; 

It works well ^^