[MKSearch-dev] Postgres authentication

Phil Shaw phil at mkdoc.com
Fri Jan 13 08:07:37 GMT 2006 

Chris,

This starts out as an open window for typing notes into. Hopefully, 
it'll come to something useful.

First thing is that if you use the -h argument with the psql command 
line client to specify a host, you get the same error.

psql -h localhost mksearch_test
psql -h 127.0.0.1 mksearch_test

Both give: FATAL: Ident authentication failed for user "phil"

I adapted DatabaseStoreManager to use fully qualified database 
connection URLs, so we can change the host and port configuration if 
necessary.

I edited /var/lib/pgsql/data/pg_hba.conf and added this line:

host all all 127.0.0.1 255.255.255.255 trust

This still restricts remote access to the database, but is more 
liberal. It's good enough for the testing. The server needs a re-
start.

su postgres

bash-3.00$ pg_ctl reload -D /var/lib/pgsql/data
postmaster signalled

The test script/class then makes a connection successfully with user 
phil and no password (ident).

It is better to use a separate user account with password 
authentication and more limited rights. Use createuser with the -P 
flag to assign a password:

$ createuser webapp -P
Enter password for new user:
Enter it again:
Shall the new user be allowed to create databases (y/n) n
Shall the new user be allowed to create more users (y/n) n
CREATE USER

Then log in to the default database template to check

$ psql template1

# select * from pg_shadow;


Then check password access

$ psql template1 -U webapp -W

Fails because we do not have password authentication configured. You 
need to edit the pg_hba.conf file.

$ su
Password:

# vi /var/lib/pgsql/data/pg_hba.conf

Add the line:

host all all 127.0.0.1 255.255.255.255 password

(You can be more specific with the users and databases later.)

# su postgres

bash-3.00$ pg_ctl reload -D /var/lib/pgsql/data
postmaster signaled
bash-3.00$ exit
# exit

$ psql template1 -h localhost -U webapp -W
Password:

This is successful with the psql client, but doesn't work with the 
JDBC driver test. There is some progress, the postmaster confirms 
password authentication is active for this connection attempt:

FATAL: password authentication failed for user "webapp".

Turns out this was because of a coding error in the test class -- 
using the database url for the password! Corrected and re-compiled 
this works too.

...
Preparing to get a database connection.
Database connection successful.

Still the JSpider indexer does not load the database driver, but this 
was because of a classpath error in the java-jspider-pgsql.sh and 
java-jspider-pgsql.sh scripts, now corrected.

You'll need to update your working copy and re-compile with:

$mk_home/bin/jar-mksearch.sh

All the storage tables are created and owned by webapp, so the Tomcat 
database configuration must specify a user that has password 
authentication and the right to read those tables, e.g. webapp.

It turns out the war-mksearch.sh script needed an additional line to 
copy any database driver JAR in /WEB-INF/lib into the WAR, now 
checked in. Just copy the relevant database driver JAR into 

$mk_home/src/app/WEB-INF/lib

Then run $mk_home/bin/war-mksearch.sh and follow the documentation on 
Tomcat on FC4.

Success! I have indexed the MKSearch test site and deployed to Tomcat 
using database storage on FC4.

Best regards,

Phil



 











--
MKSearch (beta)

http://www.mksearch.mkdoc.org/

Free, open source metadata search engine with RDF storage and query.

More information about the MKSearch-dev mailing list