Fix shadow auth for users defined under [users] section

[Justin-Kwan]

Description

When a user is not defined within userlist.txt and exists as a user in the Postgres server, PgBouncer should send an auth query to retrieve the user's md5 password hash in order to log the user in.

However, as outlined in issue: #484, if a user's password is not defined in userlist.txt and the user has overridden configurations under the [users] section in PgBouncer's ini file, the user is unable to login to the Postgres server through PgBouncer.

Root Cause

This happens because any users defined under [users] are parsed and added as new users in loader.c's parse_user. As result, when the real and live user connects, PgBouncer thinks they already exist (not NULL) and skips the shadow authorization process where the user's md5 password hash is queried from pg_shadow.

Fix

This PR introduces a new flag to track whether a user was created from ini file parsing or from a real live login. Then, we determine whether a new user logging in requires shadow authorization.

This fix should now allow PgBouncer operators to use the max_user_connections per user feature.

cc @viggy28

[Justin-Kwan]

These test cases are reproducible examples of bug (they fail without the fix): #484

[Justin-Kwan]

Copy over password of new login user to account for a single user that may have different passwords for multiple databases.

[JelteF]

So you are copying every time in case a user has a different password in different databases? I think even with this code that could lead to problems, because the original_user is shared between clients of different databases. So maybe we should just document that a user should not have different passwords for different databases when using auth_query/auth_user.

[Justin-Kwan]

Updated the PR. find_original_user no longer exists. To support a user logging into different databases with different passwords (usually when databases are on different hosts), each PgDatabase* now stores a list of user passwords.

struct PgDatabase {
	struct List head;
	char name[MAX_DBNAME];	/* db name for clients */
	struct AATree user_passwds;	/* user passwords for this database from auth_query */
...

struct PgUserPassword {
	struct AANode tree_node;	/* used to attach user password to tree */
	char username[MAX_USERNAME];
	char passwd[MAX_PASSWORD];
};

Semantically, this should be clearer since it models reality, where each database may have different passwords per user. PgUser* still retains a password field to store a password from auth_file which will be used (forced) by default if it exists, when connecting to any database.

Storing user passwords in each PgDatabase* also conveniently frees (purges) passwords whenever the database is killed in method kill_database to prevent stale logins. This is preferred over storing a list of passwords in PgUser* (which would require another scan to free users' passwords if belonging to a database killed).

[JelteF]

This change seems to somehow have been reverted on your branch. Possibly due to a rebase.

[JelteF]

The new tests that you added also pass with the following simpler version of find_original_user. Are the rest of things that you added to this function really necessary?

/* find original or preconfigured user given the login user */
PgUser *find_original_user(PgUser *login_user)
{
	/*
	 * The original user will either be the current login user, a preconfigured user via
	 * ini file [users] section, a preconfigured user via global auth_file, a PAM user,
	 * a user attached to a database via auth_query, a forced user with user= entry via
	 * ini file [databases] section, or not exist yet if the user has never connected.
	 */
	PgUser *original_user = find_user(login_user->name);

	/* add new login user to reload their configurations at runtime */
	if (original_user == NULL) {
		return login_user;
	}

	/* original user is no longer preconfigured and won't send auth queries on future login */
	if (original_user->is_preconfigured) {
		original_user->is_preconfigured = false;
		if (original_user->passwd[0] == '\0') {
			safe_strcpy(original_user->passwd, login_user->passwd, sizeof(original_user->passwd));
		}
	}

	return original_user;
}

[JelteF]

this strdup seems unnecessary, you should be able to copy the password directly from user to user.

[Justin-Kwan]

find_original_user no longer exists now.

[JelteF]

I'm not sure I understand what this is needed for. Can you add a test showing what you mean with the RELOAD behaviour that you want to support? i.e. one that fails without this put_in_order code.

[JelteF]

So you are copying every time in case a user has a different password in different databases? I think even with this code that could lead to problems, because the original_user is shared between clients of different databases. So maybe we should just document that a user should not have different passwords for different databases when using auth_query/auth_user.

[JelteF]

This function name isn't really descriptive of what this function is doing, especially the put_in_order call.

[JelteF]

Do you think it makes sense to include the same tests also for scram auth?

[Justin-Kwan]

Hi @JelteF! Thanks for taking a look at this PR. This PR is actually very outdated, I'm going to repush everything.

[Justin-Kwan]

We've been running these PgBouncer changes in primary production for nearly a month now with no issues.

Some more details around refactoring work done here:

Context:

• In the OSS PgBouncer, PgUser* may exist in multiple contexts: (see OSS discussion) pgbouncer crashes when user is equal to auth_user in database config #314 (comment)
• If a user is defined in userlist.txt or pgbouncer.ini [users] section, then they were stored in global user_tree
• Any user not defined in userlist.txt (requiring an auth_query to retrieve the user's password from Postgres) would be stored locally under PgDatabase->user_tree
• From this, you can imagine that a single user connecting to multiple databases would be duplicated in memory
• This is confusing to understand, because semantically, one user exists across all databases in a single Postgres cluster (host server)
• The fragmented storage of PgUser* prevents max_user_connections per user to function correctly, because PgUser* will be loaded from [users] and stored in the global user_tree. set_pool assumes that if a user is in the global tree, it's password exists in auth_file, however this may not be true (if a user with max_user_connections is defined in [users] but it's password is not defined in auth_file)

This PR:

• In order to correctly support global PgUser configuration settings (max_user_connections, etc.), all users now reside globally in user_tree to simplify centrally storing/enforcing configuration values against
• Refactors PgBouncer to handle multiple passwords per user
• PgDatabase->user_passwds contains all passwords for users to log into it (user with multiple passwords rather than multiple user instances)
• This approach was chosen to model reality where each database keeps track of all passwords for users all users
  It is cleaner to store user to password pairs per database because each user is unique by name (easily identifiable), storing the other way around (database to password pairs in PgUser would be more convoluted because database names aren't unique, and would require appending port, etc)
• When the database is periodically deallocated (in kill_database), all passwords will be cleanly freed as well, as opposed to having to make an expensive lookup through all users to find which have passwords for the freed database, and removing those passwords

[Justin-Kwan]

This is done to prevent unnecessary extra call to find_user.

[Justin-Kwan]

Existence of login_user does not imply authentication of the user, as the user could exist due to being parsed from [users] section, without a password in auth_file. This motivates the use of method user_requires_auth_query.

[Justin-Kwan]

Code cleanup to use two variables (simpler) rather than partial fields of PgUser* struct.

[Justin-Kwan]

We can leave PgUser*->passwd empty here because we've just received the user's password hash from Postgres pg_shadow and store it under the appropriate PgDatabase*. This means that the user's password must not be in auth_file.

[Justin-Kwan]

Lookup user's password from the database.

[Justin-Kwan]

Free user passwords associated to the database being killed.

[Justin-Kwan]

Flag that user was from auth_file to know whether to send off auth_query upon login.

[Justin-Kwan]

PgUserPassword* allocation/deallocation could be handled by the slab allocator if you prefer.

[Justin-Kwan]

This test ensures that PgUser* still globally exists (with configurations such as max_user_connections) even if a database (which contains one of its passwords) is freed.

[Justin-Kwan]

More test cases to ensure that users can still login with new password when it's changed at Postgres.

[Justin-Kwan]

A hashtable to store user passwords is more ideal but is more difficult as we'd have to pull in glibc.

[Justin-Kwan]

More cleanup to easily discern between the user's real password (from Postgres) vs client provided password.

[Justin-Kwan]

Cast db away from const* here. Alternatively could add const* modifier to signature aatree_search.

[JelteF]

Thanks for sharing the updated code, I'll try to look at it soonish. If you rebase with master the Alpine tests should hopefully start passing again. And one of the valgrind tests is currently failing, but seemingly a pretty unrelated test, so maybe it's just a flaky test.

[goksgie]

If I am not misinterpreting the final version of this PR, it does not contain the proposed design of maintaining user password in databases. Instead, it seems to be storing users in user_tree and update when new login is attempted. Is that the intended behavior?

Additionally, I do not think user_tree is getting cleared unlike databases. Thus, question becomes, what is the resource implications of this design, especially for those systems that rather have limited resources?

[Justin-Kwan]

Please take a look at this commit in our official fork of PgBouncer, this implements the newly proposed design (which has been running smoothly under the load of roughly 20K QPS in production): cloudflare@999133e

Hi @goksgie! In our workloads, tenants typically stay connected for long periods, and so the number of users should not be frequently changing or linearly increasing. Struct allocation should be fairly cheap even for a few thousand PgUser structs. However, if you're still concerned about active heap usage given many many users that become stale frequently (IMO an uncommon usage pattern), an eviction callback could be registered with libevent to periodically purge all users without custom configurations (with amortized cost of traversing all nodes).

I won't have any cycles to work on this PR as I am back in school now.

[JelteF]

Sorry for taking way too long to look at this again. But looking at the current change it seems that it has reverted back to one of the earliest versions of the PR because find_original_user is back (even though you mentioned that it is removed now).

Other than that:

1. This needs a rebase and should use the new testing infrastructure
2. We should probably have some cleanup mechanism for the users like @goksgie described

But mostly it seems problematic that this PR is containing the old code again, which means I cannot review the latest version.

[veshant]

Sorry for taking way too long to look at this again. But looking at the current change it seems that it has reverted back to one of the earliest versions of the PR because find_original_user is back (even though you mentioned that it is removed now).

Other than that:

1. This needs a rebase and should use the new testing infrastructure
2. We should probably have some cleanup mechanism for the users like @goksgie described

But mostly it seems problematic that this PR is containing the old code again, which means I cannot review the latest version.

It might be worth considering to merge the cf-pgbouncer fork. Probably requires some heavy refactoring but they have some useful fixes and features including the users section.