4.8. Password Management

4.8.1. Password Management Options
4.8.2. Using a password file

4.8.1. Password Management Options

For security purposes it's desirable to protect database access using a password.

PostgreSQL has three ways of providing a password:

  • including the password in the conninfo string (e.g. "host=node1 dbname=repmgr user=repmgr password=foo")
  • exporting the password as an environment variable (PGPASSWORD)
  • storing the password in a dedicated password file

We strongly advise against including the password in the conninfo string, as this will result in the database password being exposed in various places, including in the repmgr.conf file, the repmgr.nodes table, any output generated by repmgr which lists the node conninfo strings (e.g. repmgr cluster show) and in the repmgr log file, particularly at log_level=DEBUG.

Note

Currently repmgr does not fully support use of the password option in the conninfo string.

Exporting the password as an environment variable (PGPASSWORD) is considered less insecure, but the PostgreSQL documentation explicitly recommends against doing this:

 

PGPASSWORD behaves the same as the password connection parameter. Use of this environment variable is not recommended for security reasons, as some operating systems allow non-root users to see process environment variables via ps; instead consider using a password file.

 
 --Environment Variables

The most secure option for managing passwords is to use a dedicated password file; see the following section for more details.

4.8.2. Using a password file

The most secure way of storing passwords is in a password file, which by default is ~/.pgpass. This file can only be read by the system user who owns the file, and PostgreSQL will refuse to use the file unless read/write permissions are restricted to the file owner. The password(s) contained in the file will not be directly accessed by repmgr (or any other libpq-based client software such as psql).

For full details see the PostgreSQL password file documentation.

For use with repmgr, the ~/.pgpass must two entries for each node in the replication cluster: one for the repmgr user who accesses the repmgr metadatabase, and one for replication connections (regardless of whether a dedicated replication user is used). The file must be present on each node in the replication cluster.

A ~/.pgpass file for a 3-node cluster where the repmgr database user is used for both for accessing the repmgr metadatabase and for replication connections would look like this:

node1:5432:repmgr:repmgr:foo
node1:5432:replication:repmgr:foo
node2:5432:repmgr:repmgr:foo
node2:5432:replication:repmgr:foo
node3:5432:repmgr:repmgr:foo
node3:5432:replication:repmgr:foo

If a dedicated replication user (here: repluser) is in use, the file would look like this:

node1:5432:repmgr:repmgr:foo
node1:5432:replication:repluser:foo
node2:5432:repmgr:repmgr:foo
node2:5432:replication:repluser:foo
node3:5432:repmgr:repmgr:foo
node3:5432:replication:repluser:foo

If you are planning to use the -S/--superuser option, there must also be an entry enabling the superuser to connect to the repmgr database. Assuming the superuser is postgres, the file would look like this:

node1:5432:repmgr:repmgr:foo
node1:5432:repmgr:postgres:foo
node1:5432:replication:repluser:foo
node2:5432:repmgr:repmgr:foo
node2:5432:repmgr:postgres:foo
node2:5432:replication:repluser:foo
node3:5432:repmgr:repmgr:foo
node3:5432:repmgr:postgres:foo
node3:5432:replication:repluser:foo

The ~/.pgpass file can be simplified with the use of wildcards if there is no requirement to restrict provision of passwords to particular hosts, ports or databases. The preceding file could then be formatted like this:

*:*:*:repmgr:foo
*:*:*:postgres:foo

Note

It's possible to specify an alternative location for the ~/.pgpass file, either via the environment variable PGPASSFILE, or (from PostgreSQL 9.6) using the passfile parameter in connection strings.

If using the passfile parameter, it's essential to ensure the file is in the same location on all nodes, as when connecting to a remote node, the file referenced is the one on the local node.

Additionally, you must specify the passfile location in repmgr.conf with the passfile option so repmgr can write the correct path when creating the primary_conninfo parameter for replication configuration on standbys.