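To strengthen database security, I plan to change all the "trust" authentication methods in the database to "ident", to avoid the risk that any OS user on this machine can get into the database.
So I first tested this on a test Greenplum cluster, setting the contents of pg_hba.conf to: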
local all gpadmin ident
host all gpadmin 127.0.0.1/32 ident
host all gpadmin 10.20.129.148/32 md5
host all gpadmin 192.168.129.148/32 md5
host all gpadmin 192.168.129.21/32 md5
host all gpadmin 192.168.129.22/32 md5
host all gpadmin 192.168.129.23/32 md5
host all gpadmin 192.168.129.24/32 md5
Then I started Greenplum and found that it would not start:
[gpadmin@inc-dba-gp-129-148 /gpdata/gp-1]$gpstart -a
20110802:15:10:07:gpstart:inc-dba-gp-129-148:gpadmin-[INFO]:-Starting gpstart with args: '-a'
20110802:15:10:07:gpstart:inc-dba-gp-129-148:gpadmin-[INFO]:-Gathering information and validating the environment...
20110802:15:10:07:gpstart:inc-dba-gp-129-148:gpadmin-[INFO]:-local Greenplum Version: 'postgres (Greenplum Database) 3.3.7.0 build 1'
20110802:15:10:07:gpstart:inc-dba-gp-129-148:gpadmin-[INFO]:-Starting Master instance in admin mode
20110802:15:11:07:gpstart:inc-dba-gp-129-148:gpadmin-[CRITICAL]:-Failed to start Master instance in admin mode
20110802:15:11:07:gpstart:inc-dba-gp-129-148:gpadmin-[CRITICAL]:-Error occurred: non-zero rc: 1
Command was: '$GPHOME/bin/pg_ctl -w -D /gpdata/gp-1 -l /gpdata/gp-1/pg_log/startup.log -o " -c gp_role=utility -i -p 5432 --silent-mode=true " start '
rc=1, stdout='waiting for server to start...............................................................could not start server: Failed to test postmaster connection
', stderr=''
But looking at the processes with ps -ef, I found that postgres on the master was already up.
gpstop could not stop the master:
[gpadmin@inc-dba-gp-129-147 /gpdata/gpseg-1]$gpstop -m
20110802:14:52:01:gpstop:inc-dba-gp-129-147:gpadmin-[INFO]:-Starting gpstop with args: '-m'
20110802:14:52:01:gpstop:inc-dba-gp-129-147:gpadmin-[INFO]:-Gathering information and validating the environment...
20110802:14:52:01:gpstop:inc-dba-gp-129-147:gpadmin-[INFO]:-Obtaining Greenplum Master catalog information
20110802:14:52:01:gpstop:inc-dba-gp-129-147:gpadmin-[INFO]:-Obtaining Segment details from master...
20110802:14:52:01:gpstop:inc-dba-gp-129-147:gpadmin-[CRITICAL]:-gpstop failed. (Reason='FATAL: Ident authentication failed for user "gpadmin"
') exiting...
Connecting to the database with the command:
PGOPTIONS='-c gp_session_role=utility' psql -h127.0.0.1 -p5432 -d template1 -Ugpadmin
psql: FATAL: Ident authentication failed for user "gpadmin"
It cannot connect, but without entering the 127.0.0.1 IP it can:
[gpadmin@inc-dba-gp-129-148 /gpdata/gp-1]$PGOPTIONS='-c gp_session_role=utility' psql -Ugpadmin testdb
psql (8.2.13)
Type "help" for help.
Checking the database log, I found the following errors:
2011-08-02 17:16:45.623570 CST,"gpadmin","template1",p29137,th1,"127.0.0.1","55388",2011-08-02 17:16:45 CST,0,,,seg-1,,,,,"LOG","XX000","could not connect to Ident server at address ""127.0.0.1"", port 113: 不允许联接 (auth.c:1599)",,,,,,,0,,"auth.c",1599,
2011-08-02 17:16:45.624033 CST,"gpadmin","template1",p29137,th1,"127.0.0.1","55388",2011-08-02 17:16:45 CST,0,,,seg-1,,,,,"FATAL","28000","Ident authentication failed for user ""gpadmin""",,,,,,,0,,"auth.c",283,"Traceback 0: a120f6: /opt/greenplum/greenplum-db-3.3.7.0/bin/postgres errstart+0x3e6
Traceback 1: 747691: /opt/greenplum/greenplum-db-3.3.7.0/bin/postgres ClientAuthentication+0x121
Traceback 2: 849420: /opt/greenplum/greenplum-db-3.3.7.0/bin/postgres ClosePostmasterPorts+0x5610
Traceback 3: 84a6e9: /opt/greenplum/greenplum-db-3.3.7.0/bin/postgres PostmasterMain+0x959
Traceback 4: 76acb4: /opt/greenplum/greenplum-db-3.3.7.0/bin/postgres main+0x474
Traceback 5: 4dad8c: /opt/greenplum/greenplum-db-3.3.7.0/bin/postgres _start+0x6c
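My guess is that when connecting to the database via 127.0.0.1, it has to go through network ident authentication, and I don't know how to enable the ident service on Solaris. So I thought: since I can get in by connecting through the local UNIX port, could the gpstart and gpstop scripts be made not to specify a HOST? By debugging the gpstop script: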
[gpadmin@inc-dba-gp-129-148 /gpdata/gp-1]$python -m pdb /opt/greenplum/greenplum-db/./bin/gpstop
> /opt/greenplum/greenplum-db/bin/gpstop(5)<module>()
Line 631:
> /opt/greenplum/greenplum-db/bin/gpstop(631)main()
-> if gpstop.stop():
> /opt/greenplum/greenplum-db/bin/gpstop(136)_prepare()
-> self._build_gparray()
I found that if we set the environment variable PGHOST to an empty string, it works:
export PGHOST=''
gpstart
The database could then start normally.
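An added example, not part of the original post: a small pg_hba.conf audit that flags the two rule kinds this thread turns on, "trust" rules and "ident" rules on TCP ("host") lines, which depend on an ident server answering on port 113 as the log above shows. The function names and the sample file are constructed for illustration, and the parser assumes addresses are written either as CIDR or as IP plus netmask.

```python
import shlex

HOST_TYPES = ("host", "hostssl", "hostnossl")

# Constructed sample: three rules shaped like the post's file, plus one
# constructed trust rule written in the IP + netmask form.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER     ADDRESS                       METHOD
local   all       gpadmin                                ident
host    all       gpadmin  127.0.0.1/32                  ident
host    all       gpadmin  10.20.129.148/32              md5
host    all       all      192.168.129.0 255.255.255.0   trust
"""

def parse_hba(text):
    """Yield (lineno, conn_type, address, method) for every rule line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = shlex.split(raw, comments=True)  # drops '#' comments
        if not fields:
            continue
        conn_type = fields[0]
        if conn_type == "local":
            method_idx = 3          # local DATABASE USER METHOD
        elif conn_type in HOST_TYPES and len(fields) > 3:
            # Address is one field (CIDR) or two (IP followed by netmask).
            method_idx = 4 if "/" in fields[3] else 5
        else:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        if len(fields) <= method_idx:
            raise ValueError(f"line {lineno}: missing auth method")
        address = " ".join(fields[3:method_idx]) or None
        yield lineno, conn_type, address, fields[method_idx]

def audit_hba(text):
    """Return (lineno, finding, detail) tuples for risky or fragile rules."""
    findings = []
    for lineno, conn_type, address, method in parse_hba(text):
        if method == "trust":
            findings.append((lineno, "trust",
                             "no authentication for matching clients"))
        elif method == "ident" and conn_type != "local":
            findings.append((lineno, "ident-over-tcp",
                             f"needs an ident server on port 113 for {address}"))
    return findings

if __name__ == "__main__":
    for finding in audit_hba(SAMPLE_HBA):
        print(finding)
```

The "local ... ident" rule is not flagged because it is checked against the operating-system credentials of the Unix-socket peer, which is why the connection without -h succeeds in the post.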