Bug 863402

Summary: Candlepin assumes that root can connect to PG without password
Product: Red Hat Satellite
Component: Subscription Management
Version: 6.0.1
Reporter: Miroslav Suchý <msuchy>
Assignee: candlepin-bugs
QA Contact: Katello QA List <katello-qa-list>
CC: bkearney, lzap, mastahnke
Status: CLOSED DUPLICATE
Severity: unspecified
Priority: high
Target Milestone: Unspecified
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Last Closed: 2012-10-08 08:11:04 UTC
Bug Blocks: 771481, 850569

Description Miroslav Suchý 2012-10-05 11:34:28 UTC
Description of problem:
During work on https://bugzilla.redhat.com/show_bug.cgi?id=850569 I found that if you tighten security and flip trust to ident in pg_hba.conf, candlepin fails with:

Creating candlepin database

########## ERROR ############
Error running command: createdb -U candlepin candlepin
Status code: 256
Command output: createdb: could not connect to database postgres: FATAL:  Peer authentication failed for user "candlepin"
Traceback (most recent call last):
  File "/usr/share/candlepin/cpdb", line 126, in <module>
    dbsetup.create()
  File "/usr/share/candlepin/cpdb", line 58, in create
    error_out(command, status, output)
  File "/usr/share/candlepin/cpdb", line 40, in error_out
    raise Exception("Error running command")
Exception: Error running command

Version-Release number of selected component (if applicable):
candlepin-0.7.8.2-1.fc16.noarch

Comment 1 Miroslav Suchý 2012-10-05 11:43:34 UTC
For testing purposes you may test it with pg_hba.conf set to:

local katelloschema katellouser md5
host  katelloschema katellouser 127.0.0.1/8 md5
host  katelloschema katellouser ::1/128 md5

local candlepin postgres md5
host  candlepin postgres 127.0.0.1/8 md5
host  candlepin postgres ::1/128 md5

local foreman foreman md5
host  foreman foreman 127.0.0.1/8 md5
host  foreman foreman ::1/128 md5

# TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD

local   all       all                               ident
host    all       all         127.0.0.1/32          ident
host    all       all         ::1/128               ident

Comment 3 Miroslav Suchý 2012-10-05 11:57:52 UTC
And if you run cpdb as the postgres user, you will get:

[root@nec-em11 ~]# su - postgres -c '/usr/share/candlepin/cpdb --create -u postgres -d candlepin'
Creating candlepin database
Loading candlepin schema

########## ERROR ############
Error running command: liquibase --driver=org.postgresql.Driver --classpath=/usr/share/java/postgresql-jdbc.jar:/var/lib/tomcat6/webapps/candlepin/WEB-INF/classes/ --changeLogFile=db/changelog/changelog-create.xml --url=jdbc:postgresql:candlepin --username=postgres migrate
Status code: 65280
Command output: Liquibase Update Failed: FATAL: Ident authentication failed for user "postgres"
SEVERE 10/5/12 7:41 AM:liquibase: FATAL: Ident authentication failed for user "postgres"
liquibase.exception.DatabaseException: org.postgresql.util.PSQLException: FATAL: Ident authentication failed for user "postgres"


So you basically either do not specify a username at all or use both username *and* password.
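
An added example, not part of the bug report or of Candlepin's code: a simplified first-match evaluator for the pg_hba.conf rules quoted in Comment 1, showing which authentication method PostgreSQL would select for a given database, user and connection type. The function names and the reduced rule grammar (only local/host records, `all` and literal names) are assumptions of this sketch.

```python
import ipaddress

# Rules copied from Comment 1, in file order; PostgreSQL applies the first match.
# Simplified matcher (assumption): only local/host records, "all" and literal names.
PG_HBA = """\
local katelloschema katellouser md5
host  katelloschema katellouser 127.0.0.1/8 md5
host  katelloschema katellouser ::1/128 md5
local candlepin postgres md5
host  candlepin postgres 127.0.0.1/8 md5
host  candlepin postgres ::1/128 md5
local foreman foreman md5
host  foreman foreman 127.0.0.1/8 md5
host  foreman foreman ::1/128 md5
local   all       all                               ident
host    all       all         127.0.0.1/32          ident
host    all       all         ::1/128               ident
"""

def parse(text):
    """Yield (type, databases, users, network or None, method) for each rule."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "local":      # local DATABASE USER METHOD
            (ctype, db, user, method), net = fields[:4], None
        else:                         # host DATABASE USER CIDR METHOD
            ctype, db, user, cidr, method = fields[:5]
            net = ipaddress.ip_network(cidr, strict=False)
        yield ctype, db.split(","), user.split(","), net, method

def _hit(names, value):
    return "all" in names or value in names

def auth_method(rules, database, user, client_ip=None):
    """Method of the first matching rule; None means no rule matched (rejected)."""
    want = "local" if client_ip is None else "host"
    addr = ipaddress.ip_address(client_ip) if client_ip else None
    for ctype, dbs, users, net, method in rules:
        if ctype != want or not _hit(dbs, database) or not _hit(users, user):
            continue
        if net is not None and (addr.version != net.version or addr not in net):
            continue
        # On a Unix socket, PostgreSQL 9.1+ treats "ident" as "peer".
        return "peer" if ctype == "local" and method == "ident" else method
    return None

RULES = list(parse(PG_HBA))
```

With these rules, `auth_method(RULES, "postgres", "candlepin")` (the Unix-socket connection to database postgres named in the createdb error) falls through to the final `local all all ident` line, while user postgres on database candlepin from 127.0.0.1 matches an md5 line and therefore needs a password.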

Comment 4 Lukas Zapletal 2012-10-08 07:58:37 UTC
Please see:

https://bugzilla.redhat.com/show_bug.cgi?id=850002
https://bugzilla.redhat.com/show_bug.cgi?id=850570

I am already working on it.

Comment 5 Lukas Zapletal 2012-10-08 08:11:04 UTC

*** This bug has been marked as a duplicate of bug 850570 ***

Comment 6 Mike McCune 2013-08-16 18:24:07 UTC
getting rid of 6.0.0 version since that doesn't exist

Comment 7 Michael Stahnke 2014-08-13 20:47:09 UTC
I can't see bug 850570 so, closing this one without resolution and having the other one be the tracker kind of stinks.  Could we either make the duplicate bug public or add resolutions in here?