Thread: create subscription, connection string, password in log not hide

create subscription, connection string, password in log not hide

From
"ferraresso@tin.it"
Date:
Hello,
I am trying out Logical Replication with Postgres 10.1.
I installed two Postgres 10.1 instances on two different 64-bit Windows systems.
I followed chapter 31.9, Quick Setup.
Everything works, which is good. I want to use it in production.
But I found this problem:
I went to look in the log files of the two systems to see what was going on.
I found in the log (C:\Program Files\PostgreSQL\10\data\log) of the subscriber the line with the command:
"CREATE SUBSCRIPTION mysub CONNECTION 'dbname=foo host=bar user=repuser password=secret' PUBLICATION mypub;"
where I can see the connection string exactly as written, with the password in the clear.
I tried to use the password as an md5 hash ('md5'+md5(user+password)) and other combinations of encrypted password, in a similar way to what I can do with "CREATE USER WITH ENCRYPTED ...".
But it seemed to me that the only way is to use the password in the clear.
Is there any way to avoid logging the password in the clear?
Thanks
Loris




Re: create subscription, connection string, password in log not hide

From
Laurenz Albe
Date:
ferraresso@tin.it wrote:
> I am trying out Logical Replication with Postgres 10.1.

> But I found this problem:
> I went to look in the log files of the two systems to see what was going on.
> I found in the log (C:\Program Files\PostgreSQL\10\data\log) of the subscriber the line with the command:
> "CREATE SUBSCRIPTION mysub CONNECTION 'dbname=foo host=bar user=repuser password=secret' PUBLICATION mypub;"
> where I can see the connection string exactly as written, with the password in the clear.
> I tried to use the password as an md5 hash ('md5'+md5(user+password)) and other combinations of encrypted password, in a
> similar way to what I can do with "CREATE USER WITH ENCRYPTED ...".

> But it seemed to me that the only way is to use the password in the clear.
> Is there any way to avoid logging the password in the clear?

You can run

   BEGIN;
   SET LOCAL log_statement='none';
   SET LOCAL log_min_duration_statement=-1;
   CREATE SUBSCRIPTION ...;
   COMMIT;

to disable logging for the duration of a transaction.

Alternatively, you could allow "trust" authentication for replication
connections from one machine, then you don't have to send a password.

Yours,
Laurenz Albe
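
A defender-side check for the problem discussed in this thread, as an added example that is not part of the original messages: it scans server log lines for subscription statements that were logged with a cleartext password and returns redacted copies. The log lines are constructed samples, the function names are hypothetical, and each logged statement is assumed to sit on a single line.

```python
import re

# A logged CREATE/ALTER SUBSCRIPTION statement that carries a conninfo string.
SUBSCRIPTION_RE = re.compile(r"\b(?:CREATE|ALTER)\s+SUBSCRIPTION\b.*\bCONNECTION\b",
                             re.IGNORECASE)

# libpq keyword/value pair "password = value" as written inside the SQL literal.
PASSWORD_RE = re.compile(r"""
    \b(password\s*=\s*)                 # keyword, optional spaces around the equals sign
    (?: ''(?:\\''|\\\\|[^'\\])*''       # quoted value: its quotes are doubled in the SQL literal
      | [^\s']+ )                       # unquoted value: runs to whitespace or the closing quote
    """, re.IGNORECASE | re.VERBOSE)


def redact(line):
    """Return the line with any conninfo password value replaced by ***."""
    return PASSWORD_RE.sub(r"\1***", line)


def scan_log(lines):
    """Return (line_number, redacted_line) for each subscription statement
    that was logged with a cleartext password."""
    hits = []
    for number, line in enumerate(lines, start=1):
        if SUBSCRIPTION_RE.search(line) and PASSWORD_RE.search(line):
            hits.append((number, redact(line)))
    return hits


# Constructed sample lines, shaped like the '%m [%p] ' log_line_prefix.
SAMPLE_LOG = [
    "2017-12-20 10:15:01.100 CET [4242] LOG:  database system is ready to accept connections",
    "2017-12-20 10:15:02.200 CET [4310] LOG:  statement: CREATE SUBSCRIPTION mysub CONNECTION "
    "'dbname=foo host=bar user=repuser password=secret' PUBLICATION mypub;",
    "2017-12-20 10:15:03.300 CET [4310] LOG:  statement: ALTER SUBSCRIPTION mysub CONNECTION "
    "'dbname=foo host=bar user=repuser password = ''s3 cr3t''';",
    "2017-12-20 10:15:04.400 CET [4310] LOG:  statement: CREATE SUBSCRIPTION sub2 CONNECTION "
    "'dbname=foo host=bar user=repuser' PUBLICATION mypub;",
]

if __name__ == "__main__":
    for number, line in scan_log(SAMPLE_LOG):
        print(f"line {number}: {line}")
```

Any line this reports means the password has already reached disk, so the replication user's password should be changed after the log is cleaned up.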