For security purposes it's desirable to protect database access using a password.
PostgreSQL has three ways of providing a password:
conninfo string
(e.g. "host=node1 dbname=repmgr user=repmgr password=foo")
PGPASSWORD)
We strongly advise against including the password in the conninfo string, as
this will result in the database password being exposed in various places, including in the
repmgr.conf file, the repmgr.nodes table, any output
generated by repmgr which lists the node conninfo strings (e.g.
repmgr cluster show) and in the repmgr log file,
particularly at log_level=DEBUG.
Currently repmgr does not fully support use of the password option in the
conninfo string.
Exporting the password as an environment variable (PGPASSWORD) is considered
less insecure, but the PostgreSQL documentation explicitly recommends against doing this:
| ||
| --Environment Variables | ||
The most secure option for managing passwords is to use a dedicated password file; see the following section for more details.
The most secure way of storing passwords is in a password file,
which by default is ~/.pgpass. This file
can only be read by the system user who owns the file, and
PostgreSQL will refuse to use the file unless read/write
permissions are restricted to the file owner. The password(s)
contained in the file will not be directly accessed by
repmgr (or any other libpq-based client software such as psql).
For full details see the PostgreSQL password file documentation.
For use with repmgr, the ~/.pgpass must two entries for each
node in the replication cluster: one for the repmgr user who accesses the repmgr metadatabase,
and one for replication connections (regardless of whether a dedicated replication user is used).
The file must be present on each node in the replication cluster.
A ~/.pgpass file for a 3-node cluster where the repmgr database user
is used for both for accessing the repmgr metadatabase and for replication connections would look like this:
node1:5432:repmgr:repmgr:foo node1:5432:replication:repmgr:foo node2:5432:repmgr:repmgr:foo node2:5432:replication:repmgr:foo node3:5432:repmgr:repmgr:foo node3:5432:replication:repmgr:foo
If a dedicated replication user (here: repluser) is in use, the file would look like this:
node1:5432:repmgr:repmgr:foo node1:5432:replication:repluser:foo node2:5432:repmgr:repmgr:foo node2:5432:replication:repluser:foo node3:5432:repmgr:repmgr:foo node3:5432:replication:repluser:foo
If you are planning to use the -S/--superuser option,
there must also be an entry enabling the superuser to connect to the repmgr database.
Assuming the superuser is postgres, the file would look like this:
node1:5432:repmgr:repmgr:foo node1:5432:repmgr:postgres:foo node1:5432:replication:repluser:foo node2:5432:repmgr:repmgr:foo node2:5432:repmgr:postgres:foo node2:5432:replication:repluser:foo node3:5432:repmgr:repmgr:foo node3:5432:repmgr:postgres:foo node3:5432:replication:repluser:foo
The ~/.pgpass file can be simplified with the use of wildcards if
there is no requirement to restrict provision of passwords to particular hosts, ports
or databases. The preceding file could then be formatted like this:
*:*:*:repmgr:foo *:*:*:postgres:foo
It's possible to specify an alternative location for the ~/.pgpass file, either via
the environment variable PGPASSFILE, or (from PostgreSQL 9.6) using the
passfile parameter in connection strings.
If using the passfile parameter, it's essential to ensure the file is in the same
location on all nodes, as when connecting to a remote node, the file referenced is the one on the
local node.
Additionally, you must specify the passfile location in repmgr.conf
with the passfile option so repmgr can write the correct path when creating the
primary_conninfo parameter for replication configuration on standbys.