c2c-oerpscenario team mailing list archive

Thread
Date

[Bug 853612] Re: OpenERP client fails to connect with a restricted pg_hba.conf

To: c2c-oerpscenario@xxxxxxxxxxxxxxxxxxx
From: Ian Beardslee <853612@xxxxxxxxxxxxxxxxxx>
Date: Mon, 19 Sep 2011 03:36:04 -0000
Reply-to: Bug 853612 <853612@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

And now for some further complications .. the above fix is than ideal.
Because 'template1' are used as a template for new databases, it has
been recommended to us that connecting to the 'postgres' database would
be preferred to connecting to the 'template1' (or 'template0')
databases.   Once again this is likely to only be an issue in a
shared/managed environment.

A change to '/usr/share/pyshared/openerp-server/service/web_services.py'
fixes that (patch to come).

 sed -i s/db_connect\(\'template1\'\)/db_connect\(\'postgres\'\)/
/usr/share/pyshared/openerp-server/service/web_services.py

But now to make that more complicated, creating a new database requires
access to the template0 .. and of course the new database would need to
be enabled in the pg_hba.conf once it is created.  But remember that
this is bug is probably isolated to a shared environment where creating
databases is a controlled process where the DBA would be working with
the OpenERP user to create required databases.

-- 
You received this bug notification because you are a member of C2C
OERPScenario, which is subscribed to OpenERP Project Group.
https://bugs.launchpad.net/bugs/853612

Title:
  OpenERP client fails to connect with a restricted pg_hba.conf

Status in OpenERP Server:
  New

Bug description:
  Using OpenERP 6.0.3 the client fails with "Could not connect to
  server" if the server's pg_hba.conf restricts access to 'template1'.

  This bug may only affect people in a shared environment with multiple
  apps with their own databases hosted on the same instance of postgres.
  In a managed environment, it'd be expected that database access would
  be controlled via pg_hba.conf

  Initially we had /etc/postgresql/8.4/main/pg_hba.conf configured to
  allow the 'openerp' user access to only the 'openerpdb' database.

   #/etc/postgresql/8.4/main/pg_hba.conf
   host openerpdb openerp 192.168.94.21/32 md5

  The openerp-server.log file showed ..

  [2011-09-15 13:58:04,013][postgres] ERROR:db.connection_pool:Connection to the database failed
  Traceback (most recent call last):
    File "/usr/share/pyshared/openerp-server/sql_db.py", line 303, in borrow
      result = psycopg2.connect(dsn=dsn, connection_factory=PsycoConnection)
  OperationalError: FATAL:  no pg_hba.conf entry for host "192.168.94.21", user "openerp", database "template1", SSL on
  FATAL:  no pg_hba.conf entry for host "192.168.94.21", user "openerp", database "template1", SSL off

  It seems that as part of connecting to the database the applications
  connect to a database before enumerating the databases owned by the
  'openerp' postgres user.

  The immediate fix is to adjust the
  /etc/postgresql/8.4/main/pg_hba.conf to allow access to template1

   #/etc/postgresql/8.4/main/pg_hba.conf 
   host openerpdb openerp 192.168.94.21/32 md5
   host template1 openerp 192.168.94.21/32 md5

To manage notifications about this bug go to:
https://bugs.launchpad.net/openobject-server/+bug/853612/+subscriptions

References

[Bug 853612] [NEW] OpenERP client fails to connect with a restricted pg_hba.conf
From: Ian Beardslee, 2011-09-19