Skip to content

fix(pg-db): use scram-sha-256 auth instead of md5 for PostgreSQL #744

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
nogueiraanderson wants to merge 1 commit into
base: PMM-14324-pmm-ha-monitoring
Choose a base branch
from
Open

fix(pg-db): use scram-sha-256 auth instead of md5 for PostgreSQL #744

nogueiraanderson wants to merge 1 commit into from

Conversation

@nogueiraanderson
Copy link

@nogueiraanderson nogueiraanderson commented Dec 19, 2025

Summary

  • PostgreSQL 14+ defaults to password_encryption=scram-sha-256
  • pg_hba rules specified md5 authentication
  • MD5 auth cannot verify SCRAM-SHA-256 stored passwords
  • Changed pg_hba rules from md5 to scram-sha-256

Root Cause

Authentication failures for pmmuser and gfuser:

pq: password authentication failed for user "pmmuser"

The passwords matched in both secrets (pmm-secret and pmmuser-credentials), but authentication still failed because:

  • PostgreSQL stored passwords as SCRAM-SHA-256
  • pg_hba.conf specified md5 authentication method

Testing

Verified fix on live ROSA HCP cluster - PMM pods became Ready after patching Patroni config.

@nogueiraanderson nogueiraanderson requested a review from a team as a code owner December 19, 2025 13:14
@nogueiraanderson nogueiraanderson requested review from JiriCtvrtka and maxkondr and removed request for a team December 19, 2025 13:14
@it-percona-cla
Copy link

it-percona-cla commented Dec 19, 2025

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@nogueiraanderson
fix(pg-db): use scram-sha-256 auth instead of md5 for PostgreSQL
ec136fa 
PostgreSQL 14+ defaults to password_encryption=scram-sha-256, but pg_hba
rules specified md5 authentication. MD5 authentication cannot verify
SCRAM-SHA-256 stored passwords, causing authentication failures for
pmmuser and gfuser connections.

Change pg_hba rules from md5 to scram-sha-256 to match the server's
default password encryption method.
@nogueiraanderson nogueiraanderson force-pushed the PMM-14324-pmm-ha-monitoring branch from 653e0cd to ec136fa Compare December 19, 2025 13:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@maxkondr maxkondr Awaiting requested review from maxkondr maxkondr is a code owner automatically assigned from percona/pmm-review-be

@JiriCtvrtka JiriCtvrtka Awaiting requested review from JiriCtvrtka JiriCtvrtka is a code owner automatically assigned from percona/pmm-review-be

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@nogueiraanderson @it-percona-cla