PgBouncer is a lightweight external connection pooler that can be introduced between an application and a PostgreSQL database. It manages its own user authentication and has its own database for users, and uses auth_type options to authenticate users. 

This blog post explains configuring PgBouncer auth_type trust and hba use cases with configuration examples and known issues.

Process:

auth_type = trust

With auth_type = trust, authentication is not done. The username must still exist in the auth_file.

Using auth_type = trust for the user via pgbouncer.

pgbouncer.ini:

Add an empty password in userlist.txt; otherwise, the pgbouncer gives this error: ERROR broken auth file:

PostgreSQL pg_hba.conf:

As we can see, testusr with auth_type trust can log in via pgbpuncer without a password.

pgbouncer log:

auth_type=hba

This loads the actual authentication type from the auth_hba_file. This allows different authentication methods for different access paths, such as trust, md5, scram-sha-25, etc.

Example:

pgbouncer.ini:

userlist.txt:

pg_hba.conf

Login tests from pgbouncer for trust, md5, scram-sha-25 auth method users:

trust:

pgbouncer log:

md5:

scram-sha-25:

auth_query method

If you do not want to mention all users in the auth_file, you can configure pgbouncer with auth_query.

We suggest using the auth_query method. This method minimizes the need to store password secrets outside the database, allowing you to use pgbouncer as a connection pooler while ensuring the maximum possible security offered by the password authentication scheme.

Let us consider another example.

pgbouncer.ini:

userlist.txt:

Add the pgbounceauth user entry in pg_hba.conf:

For auth_type=hba when using PAM authentication method in pg_hba.conf for a user, it has some issues as reported here: https://github.com/pgbouncer/pgbouncer/issues/1253, https://github.com/pgbouncer/pgbouncer/pull/1291.

Further reading

 


Enterprise PostgreSQL

Subscribe
Notify of
guest

0 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments