From aebab6b7774277f790c62fdb4eb77aa26f970e1a Mon Sep 17 00:00:00 2001
From: Arslan Ahmad <arahmad@redhat.com>
Date: Mon, 25 May 2026 15:11:06 +0530
Subject: [PATCH] - pgsqlms: use monitor_user and monitor_password for monitor
 operations

  Resolves: RHEL-150842
---
 ...en-monitor_password-is-not-specified.patch | 119 ++++++++++++++++++
 resource-agents.spec                          |  10 +-
 2 files changed, 128 insertions(+), 1 deletion(-)
 create mode 100644 RHEL-150842-pgsqlms-use-monitor_user-for-monitor-calls-and-use-pgpass-when-monitor_password-is-not-specified.patch

diff --git a/RHEL-150842-pgsqlms-use-monitor_user-for-monitor-calls-and-use-pgpass-when-monitor_password-is-not-specified.patch b/RHEL-150842-pgsqlms-use-monitor_user-for-monitor-calls-and-use-pgpass-when-monitor_password-is-not-specified.patch
new file mode 100644
index 0000000..d13230c
--- /dev/null
+++ b/RHEL-150842-pgsqlms-use-monitor_user-for-monitor-calls-and-use-pgpass-when-monitor_password-is-not-specified.patch
@@ -0,0 +1,119 @@
+--- a/heartbeat/pgsqlms
++++ b/heartbeat/pgsqlms
+@@ -48,6 +48,8 @@
+ 
+ # Default parameters values
+ my $system_user_default = "postgres";
++my $monitor_user_default = "";
++my $monitor_password_default = "";
+ my $bindir_default      = "/usr/bin";
+ my $pgdata_default      = "/var/lib/pgsql/data";
+ my $pghost_default      = "/tmp";
+@@ -57,6 +59,8 @@
+ 
+ # Set default values if not found in environment
+ my $system_user  = $ENV{'OCF_RESKEY_system_user'} || $system_user_default;
++my $monitor_user  = $ENV{'OCF_RESKEY_monitor_user'} || $monitor_user_default;
++my $monitor_password  = $ENV{'OCF_RESKEY_monitor_password'} || $monitor_password_default;
+ my $bindir       = $ENV{'OCF_RESKEY_bindir'} || $bindir_default;
+ my $pgdata       = $ENV{'OCF_RESKEY_pgdata'} || $pgdata_default;
+ my $datadir      = $ENV{'OCF_RESKEY_datadir'} || $pgdata;
+@@ -98,6 +102,7 @@
+ # the result as second one.
+ #
+ sub _query {
++    my $user         = shift if @_ == 3;
+     my $query        = shift;
+     my $res          = shift;
+     my $connstr      = "dbname=postgres";
+@@ -110,6 +115,7 @@
+     my $ans;
+     my $pid;
+     my $rc;
++    my @psql_args;
+ 
+     unless ( defined $res and defined $query and $query ne '' ) {
+         ocf_log( 'debug', '_query: wrong parameters!' );
+@@ -138,9 +144,19 @@
+     $pid = open(my $KID, "-|");
+ 
+     if ( $pid == 0 ) { # child
+-        exec $PGPSQL, '--set', 'ON_ERROR_STOP=1', '-qXAtf', $tmpfile,
+-            '-R', $RS, '-F', $FS, '--port', $pgport, '--host', $pghost,
+-            $connstr;
++        # Build psql arguments
++        @psql_args = ('--set', 'ON_ERROR_STOP=1', '-qXAtf', $tmpfile,
++            '-R', $RS, '-F', $FS, '--port', $pgport, '--host', $pghost);
++
++        # Add username and password for non-system user
++        if ( $user ) {
++            push @psql_args, '-U', $user;
++            $ENV{'PGPASSWORD'} = $monitor_password if $monitor_password ne '';
++        }
++
++        push @psql_args, $connstr;
++
++        exec $PGPSQL, @psql_args;
+     }
+ 
+     # parent
+@@ -259,7 +275,7 @@
+       ORDER BY priority DESC
+     };
+ 
+-    $rc = _query( $query, \@rs );
++    $rc = _query( $monitor_user, $query, \@rs );
+ 
+     if ( $rc != 0 ) {
+         ocf_exit_reason( 'Query to get standby locations failed (%d)', $rc );
+@@ -898,7 +914,7 @@
+     my $rc;
+     my @rs;
+ 
+-    $rc = _query( "SELECT pg_is_in_recovery()", \@rs );
++    $rc = _query( $monitor_user, "SELECT pg_is_in_recovery()", \@rs );
+ 
+     $is_in_recovery = $rs[0][0];
+ 
+@@ -1050,6 +1066,18 @@
+ 
+ (optional, string, default "postgres")
+ 
++=item B<monitor_user>
++
++PostgreSQL user for monitor operations
++
++(optional, string, default "")
++
++=item B<monitor_password>
++
++PostgreSQL password for monitor user
++
++(optional, string, default "")
++
+ =item B<recovery_template>
+ 
+ B<ONLY> for PostgreSQL 11 and bellow.
+@@ -1114,6 +1142,22 @@
+               <content type="string" default="$system_user_default" />
+             </parameter>
+ 
++            <parameter name="monitor_user" unique="0" required="0">
++              <longdesc lang="en">
++                PostgreSQL user that pgsql RA will use for monitor operations
++              </longdesc>
++              <shortdesc lang="en">PostgreSQL monitor User</shortdesc>
++              <content type="string" default="$monitor_user_default" />
++            </parameter>
++
++            <parameter name="monitor_password" unique="0" required="0">
++              <longdesc lang="en">
++                PostgreSQL password for monitor user
++              </longdesc>
++              <shortdesc lang="en">PostgreSQL monitor Password</shortdesc>
++              <content type="string" default="$monitor_password_default" />
++            </parameter>
++
+             <parameter name="bindir" unique="0" required="0">
+               <longdesc lang="en">
+                 Path to the directory storing the PostgreSQL binaries. The agent uses psql, pg_isready, pg_controldata and pg_ctl.
diff --git a/resource-agents.spec b/resource-agents.spec
index 6eebfb1..e011dc3 100644
--- a/resource-agents.spec
+++ b/resource-agents.spec
@@ -45,7 +45,7 @@
 Name:		resource-agents
 Summary:	Open Source HA Reusable Cluster Resource Scripts
 Version:	4.10.0
-Release:	117%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}
+Release:	118%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}
 License:	GPLv2+ and LGPLv2+
 URL:		https://github.com/ClusterLabs/resource-agents
 Source0:	%{upstream_prefix}-%{upstream_version}.tar.gz
@@ -212,6 +212,7 @@ Patch159:	RHEL-150850-pgsql-use-monitor_user-for-monitor-calls-and-use-pgpass-wh
 Patch160:	RHEL-177850-podman-etcd-fix-port-2380-binding-race.patch
 Patch161:	RHEL-177840-podman-etcd-fix-machine-deletion-deadlock.patch
 Patch162:	RHEL-177845-podman-etcd-fix-learner-start-deadlock.patch
+Patch163:	RHEL-150842-pgsqlms-use-monitor_user-for-monitor-calls-and-use-pgpass-when-monitor_password-is-not-specified.patch
 
 # bundled ha-cloud-support libs
 Patch500:	ha-cloud-support-aliyun.patch
@@ -519,6 +520,7 @@ exit 1
 %patch -p1 -P 160
 %patch -p1 -P 161
 %patch -p1 -P 162
+%patch -p1 -P 163
 
 # bundled ha-cloud-support libs
 %patch -p1 -P 500
@@ -853,6 +855,12 @@ rm -rf %{buildroot}/usr/share/doc/resource-agents
 %{_usr}/lib/ocf/lib/heartbeat/OCF_*.pm
 
 %changelog
+* Mon May 25 2026 Arslan Ahmad <arahmad@redhat.com> - 4.10.0-118
+- pgsqlms: use monitor_user for monitor-calls and use .pgpass when
+  monitor_password is not specified
+
+  Resolves: RHEL-150842
+
 * Wed May 20 2026 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-117
 - podman-etcd: fix port 2380 binding race
 - podman-etcd: fix machine deletion deadlock