backends/sqla: allow pgsql conns via unix sockets

[dev-zero]

SQLA/psycopg2 allows connection via unix sockets instead of TCP/IP.
This allows for secure password-less authentication via PostgreSQL's
socket peer authentication, which is the default on many distros.

Example pg_hba.conf:

local   all             all                                     peer

would allow a user test access to the PostgreSQL cluster if a user
test exists in PostgreSQL without any password (implicitly assuming
that it is sufficient that the user was already authenticated by the
OS).
Using pg_ident.conf one can also map local users to PostgreSQL users
with a different name:

Example pg_hba.conf:

local   aiida           aiida                                   peer map=aiida

Example pg_ident.conf:

aiida           test                 aiida

Would allow the user aiida access to the database aiida and the map
allows the system user test to impersonate the database user aiida.

psycopg2 automatically tries the local socket connection if no port is
specified, but for that must the connection string not contain the
colon char otherwise required for the host:port separation.

[codecov-io]

Codecov Report

Merging #1721 into develop will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff            @@
##           develop    #1721   +/-   ##
========================================
  Coverage    57.16%   57.16%           
========================================
  Files          275      275           
  Lines        33912    33912           
========================================
  Hits         19386    19386           
  Misses       14526    14526

Impacted Files	Coverage Δ
aiida/backends/sqlalchemy/utils.py	82.5% <ø> (ø)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 2132342...d16008e. Read the comment docs.

[DropD]

@szoupanos Have you checked this out?

[szoupanos]

Thanks a lot!

A few questions/comments:
a) What is the benefit of using this? Simplicity or also speed? From a small search on the internet I see that there are not guaranteed speed benefits from the use of unix sockets vs tcp sockets
b) I would be against creating a new non-universal procedure of installing AiiDA if this implies that the user has to change the configuration files of postgresql (something that he is not obliged to do today, if I am not mistaken).
c) Your approach will work correctly with the default PostgreSQL configuration
local all all peer
if there is a postgresql user with the same name as the local *nix user and it also has the right to create databases etc. Right? Is it possible that the user may not have the right to create databases etc?

So, if there are no speed benefits, and what I write at (c) is correct (and the default behaviour & the *nix user can create databases) in many systems, it makes sense to do this change. Otherwise, it seems to me that it increases the installation complexity without any big benefits.

Do I miss something?

[dev-zero]

@szoupanos

a) there is no speed gain, only advantages in simplicity and security: postgresql doesn't have to listen on a tcp port which could accidentally be exposed and one does not have to manage yet another (usually weak) password (which could be used by another user on the same system to gain access to the database)
b) the default installation procedure can be left unchanged and continues to work. Actually, the only thing the patch here changes is that if the port is left empty in verdi setup, it will pass along a correct connection string to SQLA/psycopg2, while currently an exception is being thrown.
c) correct. When setting up a PostgreSQL user, the admin can decide whether that user has the right to create databases. On my machine, the following was sufficient to create a usable database for AiiDA:

sudo su - postgres
createuser tiziano
createdb -O tiziano aiida_tiziano

[giovannipizzi]

I don't see any disadvantage with this patch! I'm approving it.
@dev-zero maybe you can move the content of the PR to an "advanced" section in the docs, explaining how to setup AiiDA with this approach? (and if needed simplifying the current docs)