Add documentation for Auth passthrough

magec · magec · commit be88dc182a79 · 2023-03-29T10:05:20.000+02:00
diff --git a/CONFIG.md b/CONFIG.md
@@ -175,11 +175,41 @@ Connecting to that database allows running commands like `SHOW POOLS`, `SHOW DAT
 ### admin_password
 ```
 path: general.admin_password
-default: "admin_pass"
+default: <UNSET>
 ```
 
 Password to access the virtual administrative database
 
+### auth_query (experimental)
+```
+path: general.auth_query
+default: <UNSET>
+```
+
+Query to be sent to servers to obtain the hash used for md5 authentication. The connection will be
+established using the database configured in the pool. This parameter is inherited by every pool
+and can be redefined in pool configuration.
+
+### auth_query_user (experimental)
+```
+path: general.auth_query_user
+default: <UNSET>
+```
+
+User to be used for connecting to servers to obtain the hash used for md5 authentication by sending the query
+specified in `auth_query_user`. The connection will be established using the database configured in the pool.
+This parameter is inherited by every pool and can be redefined in pool configuration.
+
+### auth_query_password (experimental)
+```
+path: general.auth_query_password
+default: <UNSET>
+```
+
+Password to be used for connecting to servers to obtain the hash used for md5 authentication by sending the query
+specified in `auth_query_user`. The connection will be established using the database configured in the pool.
+This parameter is inherited by every pool and can be redefined in pool configuration.
+
 ## `pools.<pool_name>` Section
 
 ### pool_mode
@@ -281,6 +311,30 @@ default: 3000
 
 Connect timeout can be overwritten in the pool
 
+### auth_query (experimental)
+```
+path: general.auth_query
+default: <UNSET>
+```
+
+Auth query can be overwritten in the pool
+
+### auth_query_user (experimental)
+```
+path: general.auth_query_user
+default: <UNSET>
+```
+
+Auth query user can be overwritten in the pool
+
+### auth_query_password (experimental)
+```
+path: general.auth_query_password
+default: <UNSET>
+```
+
+Auth query password can be overwritten in the pool
+
 ## `pools.<pool_name>.users.<user_index>` Section
 
 ### username
diff --git a/README.md b/README.md
@@ -25,6 +25,7 @@ PostgreSQL pooler and proxy (like PgBouncer) with support for sharding, load bal
 | Sharding using comments parsing/Regex | **Experimental** | Clients can include shard information (sharding key, shard ID) in the query comments. |
 | Automatic sharding | **Experimental** | PgCat can parse queries, detect sharding keys automatically, and route queries to the correct shard. |
 | Mirroring | **Experimental** | Mirror queries between multiple databases in order to test servers with realistic production traffic. |
+| Auth passthrough | **Experimental** | MD5 password authentication can be configured to use an `auth_query` so no cleartext passwords are needed in the config file.                         |
 
 
 ## Status
diff --git a/src/config.rs b/src/config.rs
@@ -413,12 +413,12 @@ pub struct Pool {
     pub shard_id_regex: Option<String>,
     pub regex_search_limit: Option<usize>,
 
-    pub shards: BTreeMap<String, Shard>,
-    pub users: BTreeMap<String, User>,
-
     pub auth_query: Option<String>,
     pub auth_query_user: Option<String>,
     pub auth_query_password: Option<String>,
+
+    pub shards: BTreeMap<String, Shard>,
+    pub users: BTreeMap<String, User>,
     // Note, don't put simple fields below these configs. There's a compatability issue with TOML that makes it
     // incompatible to have simple fields in TOML after complex objects. See
     // https://users.rust-lang.org/t/why-toml-to-string-get-error-valueaftertable/85903
