Add auth passthrough (auth_query)

Add `auth_query` feature

Adds a feature that allows setting auth passthrough for md5 auth.
It adds 4 new general config parameters:

- `auth_query`: An string containing a query that will be executed on boot
to obtain the hash of a given user. This query have to use a placeholder `$1`,
so pgcat can replace it with the user its trying to fetch the hash from.
- `auth_query_user`: The user to use for connecting to the server and executing the
auth_query.
- `auth_query_password`: The password to use for connecting to the server and executing the
auth_query.
- `auth_query_database`: The database to use for connecting to the server and executing the
auth_query.

The behavior is, at boot time, when validating server connections, a hash is fetched per server
and stored there. When new server connections are created, that hash is used for creating them,
if the hash could not be obtained for whatever reason, it falls back to the password set.

Client connections are also authenticated using the obtained hash.

Fix error message info parameters (username <-> pool_name)

Make reporter optional in server definition

We use server connections for pools but also for fetching auth
hashes if query_auth is set up. As we do not want to mess with stats
this change allows reporter to be optional.

Change AuthPassthrough::fetch_hah to use Address username

Allow query_auth configuration reload

This adds support for reloading query_auth configuration.

Current implementation:

- Checks whether `auth_query` configuration is active, if so, it fetches
  (or refetches) hashes from servers and sets up pools. When it detects a
  password change, the pool is dropped and a new one is created, current
  established connections will be left connected.
- When we go from 'auth_query' configured to unconfigured the reload logic
  detects it and drops Md5 hashes stored in connection pools, so cleartext
  passwords are used instead.

Add tests for `query_auth` reload functionality

This change adds tests for query_auth configuration reload and also
does some refactoring.

- Now postgres containers in `docker-compose` are set to use md5 auth.
  Note that this still uses scram if the password is stored using scram.

- Current tests are:
    - Test that activating the functionality can be added without restarting.
    - Test that with a failing `query_auth`, clear text passwords are used.
    - Test that with a correct `query_auth` and without clear text passwords,
      auth works as expected.
    - Test that when we change a password in postgres and reload, the new password is obtained,
      and the pool rotated.
    - Test that we can use and ENV var to set `auth_query_password`.

Change auth_query config to be per pool instead of global.

Given that we can connect to different username/databases/servers using
connection pools, it makes sense that `auth_query` should be configured in a
per pool basis.

This change implements that and also leaves the global parameters so pool
configuration can inherit global ones.

Note that now, `auth_query_database` is dropped in favor of the pool configured
database.

Author: magec

.rustfmt.toml

@@ -0,0 +1 @@
+edition = "2021"

Cargo.lock

@@ -4,7 +4,6 @@ version = "0.6.0-alpha1"
 edition = "2021"
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
-
 [dependencies]
 tokio = { version = "1", features = ["full"] }
 bytes = "1"
@@ -37,6 +36,8 @@ exitcode = "1.1.2"
 futures = "0.3"
 socket2 = { version = "0.4.7", features = ["all"] }
 nix = "0.26.2"
+postgres-protocol = "0.6.4"
+fallible-iterator = "0.2"
 
 [target.'cfg(not(target_env = "msvc"))'.dependencies]
 jemallocator = "0.5.0"

Cargo.toml

@@ -34,7 +34,6 @@ services:
       POSTGRES_INITDB_ARGS: --auth-local=md5 --auth-host=md5 --auth=md5
       PGPORT: 5432
     command: ["postgres", "-c", "shared_preload_libraries=pg_stat_statements", "-c", "pg_stat_statements.track=all", "-p", "5432"]
-
   pg2:
     <<: *common-definition-pg
     environment:
@@ -56,6 +55,13 @@ services:
       POSTGRES_INITDB_ARGS: --auth-local=scram-sha-256 --auth-host=scram-sha-256 --auth=scram-sha-256
       PGPORT: 9432
     command: ["postgres", "-c", "shared_preload_libraries=pg_stat_statements", "-c", "pg_stat_statements.track=all", "-p", "9432"]
+  pg5:
+    <<: *common-definition-pg
+    environment:
+      <<: *common-env-pg
+      POSTGRES_INITDB_ARGS: --auth-local=md5 --auth-host=md5 --auth=md5
+      PGPORT: 10432
+    command: ["postgres", "-c", "shared_preload_libraries=pg_stat_statements", "-c", "pg_stat_statements.track=all", "-p", "10432"]      
 
   toxiproxy:
     build: .
@@ -69,6 +75,7 @@ services:
       - pg2
       - pg3
       - pg4
+      - pg5
 
   pgcat-shell:
     stdin_open: true

dev/docker-compose.yaml

@@ -0,0 +1,132 @@
+#
+# PgCat config example.
+#
+
+#
+# General pooler settings
+[general]
+# What IP to run on, 0.0.0.0 means accessible from everywhere.
+host = "0.0.0.0"
+
+# Port to run on, same as PgBouncer used in this example.
+port = 6432
+
+# Whether to enable prometheus exporter or not.
+enable_prometheus_exporter = true
+
+# Port at which prometheus exporter listens on.
+prometheus_exporter_port = 9930
+
+# How long to wait before aborting a server connection (ms).
+connect_timeout = 5000
+
+# How long an idle connection with a server is left open (ms).
+idle_timeout = 30000
+
+# How much time to give the health check query to return with a result (ms).
+healthcheck_timeout = 1000
+
+# How long to keep connection available for immediate re-use, without running a healthcheck query on it
+healthcheck_delay = 30000
+
+# How much time to give clients during shutdown before forcibly killing client connections (ms).
+shutdown_timeout = 60000
+
+# For how long to ban a server if it fails a health check (seconds).
+ban_time = 60 # seconds
+
+# If we should log client connections
+log_client_connections = false
+
+# If we should log client disconnections
+log_client_disconnections = false
+
+# Reload config automatically if it changes.
+autoreload = false
+
+# Number of worker threads the Runtime will use (4 by default).
+worker_threads = 5
+
+# TLS
+# tls_certificate = "server.cert"
+# tls_private_key = "server.key"
+
+# Credentials to access the virtual administrative database (pgbouncer or pgcat)
+# Connecting to that database allows running commands like `SHOW POOLS`, `SHOW DATABASES`, etc..
+admin_username = "admin_user"
+admin_password = "admin_pass"
+
+auth_query = "SELECT 1"
+auth_query_user = "testuser"
+
+# pool
+# configs are structured as pool.<pool_name>
+# the pool_name is what clients use as database name when connecting
+# For the example below a client can connect using "postgres://sharding_user:sharding_user@pgcat_host:pgcat_port/sharded_db"
+[pools.sharded_db]
+# Pool mode (see PgBouncer docs for more).
+# session: one server connection per connected client
+# transaction: one server connection per client transaction
+pool_mode = "transaction"
+
+# If the client doesn't specify, route traffic to
+# this role by default.
+#
+# any: round-robin between primary and replicas,
+# replica: round-robin between replicas only without touching the primary,
+# primary: all queries go to the primary unless otherwise specified.
+default_role = "any"
+
+# Query parser. If enabled, we'll attempt to parse
+# every incoming query to determine if it's a read or a write.
+# If it's a read query, we'll direct it to a replica. Otherwise, if it's a write,
+# we'll direct it to the primary.
+query_parser_enabled = true
+
+# If the query parser is enabled and this setting is enabled, the primary will be part of the pool of databases used for
+# load balancing of read queries. Otherwise, the primary will only be used for write
+# queries. The primary can always be explicitly selected with our custom protocol.
+primary_reads_enabled = true
+
+# So what if you wanted to implement a different hashing function,
+# or you've already built one and you want this pooler to use it?
+#
+# Current options:
+#
+# pg_bigint_hash: PARTITION BY HASH (Postgres hashing function)
+# sha1: A hashing function based on SHA1
+#
+sharding_function = "pg_bigint_hash"
+
+# Automatically parse this from queries and route queries to the right shard!
+automatic_sharding_key = "id"
+
+# Idle timeout can be overwritten in the pool
+idle_timeout = 40000
+
+# Credentials for users that may connect to this cluster
+[pools.sharded_db.users.0]
+username = "sharding_user"
+# Maximum number of server connections that can be established for this user
+# The maximum number of connection from a single Pgcat process to any database in the cluster
+# is the sum of pool_size across all users.
+pool_size = 9
+
+# Maximum query duration. Dangerous, but protects against DBs that died in a non-obvious way.
+statement_timeout = 0
+
+[pools.sharded_db.users.1]
+username = "other_user"
+password = "other_user"
+pool_size = 21
+statement_timeout = 15000
+
+# Shard 0
+[pools.sharded_db.shards.0]
+# [ host, port, role ]
+servers = [
+    [ "127.0.0.1", 5432, "primary" ],
+    [ "localhost", 5432, "replica" ]
+]
+# Database name (e.g. "postgres")
+database = "shard0"