From 62f2645f35708d25758409cee99deb23dd8dbde4 Mon Sep 17 00:00:00 2001
From: Arslan Ahmad <arahmad@redhat.com>
Date: Thu, 21 May 2026 20:05:38 +0530
Subject: [PATCH] - pgsqlms: use monitor_user and monitor_password for monitor
 operations

  Resolves: RHEL-150841
---
 ...en-monitor_password-is-not-specified.patch | 135 ++++++++++++++++++
 resource-agents.spec                          |  10 +-
 2 files changed, 144 insertions(+), 1 deletion(-)
 create mode 100644 RHEL-150841-pgsqlms-use-monitor_user-for-monitor-calls-and-use-pgpass-when-monitor_password-is-not-specified.patch

diff --git a/RHEL-150841-pgsqlms-use-monitor_user-for-monitor-calls-and-use-pgpass-when-monitor_password-is-not-specified.patch b/RHEL-150841-pgsqlms-use-monitor_user-for-monitor-calls-and-use-pgpass-when-monitor_password-is-not-specified.patch
new file mode 100644
index 0000000..094c6d5
--- /dev/null
+++ b/RHEL-150841-pgsqlms-use-monitor_user-for-monitor-calls-and-use-pgpass-when-monitor_password-is-not-specified.patch
@@ -0,0 +1,135 @@
+From 4890009e6837df6f2cdfcf25d766e146fb8d1cfd Mon Sep 17 00:00:00 2001
+From: Arslan Ahmad <arslan.ahmad97@googlemail.com>
+Date: Thu, 14 May 2026 18:37:05 +0530
+Subject: [PATCH] pgsqlms: Use monitor_user and monitor_password for monitor
+ operations
+
+Utilize monitor_user for monitoring calls; fallback to .pgpass
+when no monitor_password is provided.
+
+Signed-off-by: Arslan Ahmad <arslan.ahmad97@googlemail.com>
+---
+ script/pgsqlms | 54 +++++++++++++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 49 insertions(+), 5 deletions(-)
+
+diff --git a/script/pgsqlms b/script/pgsqlms
+index 5ddd67a..0779cc1 100755
+--- a/heartbeat/pgsqlms
++++ b/heartbeat/pgsqlms
+@@ -46,6 +46,8 @@ my %OCF_NOTIFY_ENV        = ocf_notify_env() if $__OCF_ACTION eq 'notify';
+ 
+ # Default parameters values
+ my $system_user_default = "postgres";
++my $monitor_user_default = "";
++my $monitor_password_default = "";
+ my $bindir_default      = "/usr/bin";
+ my $pgdata_default      = "/var/lib/pgsql/data";
+ my $pghost_default      = "/tmp";
+@@ -55,6 +57,8 @@ my $maxlag_default      = "0";
+ 
+ # Set default values if not found in environment
+ my $system_user  = $ENV{'OCF_RESKEY_system_user'} || $system_user_default;
++my $monitor_user  = $ENV{'OCF_RESKEY_monitor_user'} || $monitor_user_default;
++my $monitor_password  = $ENV{'OCF_RESKEY_monitor_password'} || $monitor_password_default;
+ my $bindir       = $ENV{'OCF_RESKEY_bindir'} || $bindir_default;
+ my $pgdata       = $ENV{'OCF_RESKEY_pgdata'} || $pgdata_default;
+ my $datadir      = $ENV{'OCF_RESKEY_datadir'} || $pgdata;
+@@ -95,6 +99,7 @@ my $PGVER_12 = 120000;
+ # the result as second one.
+ #
+ sub _query {
++    my $user         = shift if @_ == 3;
+     my $query        = shift;
+     my $res          = shift;
+     my $connstr      = "dbname=postgres";
+@@ -107,6 +112,7 @@ sub _query {
+     my $ans;
+     my $pid;
+     my $rc;
++    my @psql_args;
+ 
+     unless ( defined $res and defined $query and $query ne '' ) {
+         ocf_log( 'debug', '_query: wrong parameters!' );
+@@ -135,9 +141,19 @@ sub _query {
+     $pid = open(my $KID, "-|");
+ 
+     if ( $pid == 0 ) { # child
+-        exec $PGPSQL, '--set', 'ON_ERROR_STOP=1', '-qXAtf', $tmpfile,
+-            '-R', $RS, '-F', $FS, '--port', $pgport, '--host', $pghost,
+-            $connstr;
++        # Build psql arguments
++        @psql_args = ('--set', 'ON_ERROR_STOP=1', '-qXAtf', $tmpfile,
++            '-R', $RS, '-F', $FS, '--port', $pgport, '--host', $pghost);
++
++        # Add username and password for non-system user
++        if ( $user ) {
++            push @psql_args, '-U', $user;
++            $ENV{'PGPASSWORD'} = $monitor_password if $monitor_password ne '';
++        }
++
++        push @psql_args, $connstr;
++
++        exec $PGPSQL, @psql_args;
+     }
+ 
+     # parent
+@@ -259,7 +275,7 @@ sub _get_lag_scores {
+       ORDER BY priority DESC
+     };
+ 
+-    $rc = _query( $query, \@rs );
++    $rc = _query( $monitor_user, $query, \@rs );
+ 
+     if ( $rc != 0 ) {
+         ocf_exit_reason( 'Query to get standby locations failed (%d)', $rc );
+@@ -898,7 +914,7 @@ sub _confirm_role {
+     my $rc;
+     my @rs;
+ 
+-    $rc = _query( "SELECT pg_is_in_recovery()", \@rs );
++    $rc = _query( $monitor_user, "SELECT pg_is_in_recovery()", \@rs );
+ 
+     $is_in_recovery = $rs[0][0];
+ 
+@@ -1051,6 +1067,18 @@ The system owner of your instance's process
+ 
+ (optional, string, default "postgres")
+ 
++=item B<monitor_user>
++
++PostgreSQL user for monitor operations
++
++(optional, string, default "")
++
++=item B<monitor_password>
++
++PostgreSQL password for monitor user
++
++(optional, string, default "")
++
+ =item B<recovery_template>
+ 
+ B<ONLY> for PostgreSQL 11 and bellow.
+@@ -1118,6 +1146,22 @@ sub ocf_meta_data {
+               <content type="string" default="$system_user_default" />
+             </parameter>
+ 
++            <parameter name="monitor_user" unique="0" required="0">
++              <longdesc lang="en">
++                PostgreSQL user that pgsql RA will use for monitor operations
++              </longdesc>
++              <shortdesc lang="en">PostgreSQL monitor User</shortdesc>
++              <content type="string" default="$monitor_user_default" />
++            </parameter>
++
++            <parameter name="monitor_password" unique="0" required="0">
++              <longdesc lang="en">
++                PostgreSQL password for monitor user
++              </longdesc>
++              <shortdesc lang="en">PostgreSQL monitor Password</shortdesc>
++              <content type="string" default="$monitor_password_default" />
++            </parameter>
++
+             <parameter name="bindir" unique="0" required="0">
+               <longdesc lang="en">
+                 Path to the directory storing the PostgreSQL binaries. The agent
diff --git a/resource-agents.spec b/resource-agents.spec
index e782382..03183e7 100644
--- a/resource-agents.spec
+++ b/resource-agents.spec
@@ -45,7 +45,7 @@
 Name:		resource-agents
 Summary:	Open Source HA Reusable Cluster Resource Scripts
 Version:	4.16.0
-Release:	61%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}
+Release:	62%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}
 License:	GPL-2.0-or-later AND LGPL-2.1-or-later
 URL:		https://github.com/ClusterLabs/resource-agents
 Source0:	%{upstream_prefix}-%{upstream_version}.tar.gz
@@ -131,6 +131,7 @@ Patch78:	RHEL-150849-pgsql-use-monitor_user-for-monitor-calls-and-use-pgpass-whe
 Patch79:	RHEL-176357-podman-etcd-fix-port-2380-binding-race.patch
 Patch80:	RHEL-177543-podman-etcd-fix-machine-deletion-deadlock.patch
 Patch81:	RHEL-177544-podman-etcd-fix-learner-start-deadlock.patch
+Patch82:	RHEL-150841-pgsqlms-use-monitor_user-for-monitor-calls-and-use-pgpass-when-monitor_password-is-not-specified.patch
 
 # bundled ha-cloud-support libs
 Patch500:	ha-cloud-support-aliyun.patch
@@ -383,6 +384,7 @@ exit 1
 %patch -p1 -P 79
 %patch -p1 -P 80
 %patch -p1 -P 81
+%patch -p1 -P 82
 
 # bundled ha-cloud-support libs
 %patch -p1 -P 500
@@ -715,6 +717,12 @@ rm -rf %{buildroot}/usr/share/doc/resource-agents
 %{_usr}/lib/ocf/lib/heartbeat/OCF_*.pm
 
 %changelog
+* Thu May 21 2026 Arslan Ahmad <arahmad@redhat.com> - 4.16.0-62
+- pgsqlms: use monitor_user for monitor-calls and use .pgpass when
+  monitor_password is not specified
+
+  Resolves: RHEL-150841
+
 * Wed May 20 2026 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.16.0-61
 - podman-etcd: fix port 2380 binding race
 - podman-etcd: fix machine deletion deadlock