From: | Justin Pryzby <pryzby(at)telsasoft(dot)com> |
---|---|
To: | Bruce Momjian <bruce(at)momjian(dot)us> |
Cc: | pgsql-hackers(at)postgresql(dot)org, Andrew Dunstan <andrew(at)dunslane(dot)net> |
Subject: | Re: PG 14 release notes, first draft |
Date: | 2021-05-12 15:06:05 |
Message-ID: | 20210512150605.GR27406@telsasoft.com |
Lists: | pgsql-hackers |
On Tue, May 11, 2021 at 10:45:04PM -0400, Bruce Momjian wrote:
> On Tue, May 11, 2021 at 05:13:21PM -0500, Justin Pryzby wrote:
> > On Tue, May 11, 2021 at 10:35:23AM -0400, Bruce Momjian wrote:
> > > > | Allow more than the common name (CN) to be matched for client certificate authentication (Andrew Dunstan)
> > > > Your description makes it sound like arbitrary attributes can be compared. But
> > > > the option just allows comparing CN or DN.
> > >
> > > OK, new text is:
> > >
> > > <para>
> > > Allow the certificate's distinguished name (DN) to be matched for client
> > > certificate authentication (Andrew Dunstan)
> > > </para>
> > >
> > > <para>
> > > The new pg_hba.conf keyword "clientname=DN" allows comparison with
> > > non-CN certificate attributes and can be combined with ident maps.
> > > </para>
> > > </listitem>
> >
> > I think this part is still misleading. The option just allows DN/CN, so it's
> > strange to say "non-CN attributes".
>
> OK, so this is where I am confused. I searched for distinguished name
> (DN) and came up with DN being a concatenation of all the fields
> provided to the certificate signing request (CSR). Is that right?
> Wouldn't people test _parts_ of the DN, rather than all of it?
+Andrew
The full DN is probably not the postgres username, so the docs suggest that:
| This option is probably best used in conjunction with a username map.
You're right that clientname=DN allows testing *parts* of the DN, but I don't
know if there's any reason to believe that's the typical use case.
The primary utility of clientname=DN seems to be that the CN alone is (or can
be) ambiguous - matching on the full DN is intended to resolve that. I think
the release notes should focus on this.
Matching parts of the DN (other than the CN) seems like a secondary use.
Maybe a variation on your original words is better.
| Allow the distinguished name (DN) to be matched for client certificate authentication (Andrew Dunstan)
| Previously, matching was done only on the common name (CN).
| With a username map, the DN can be matched in full or in part.
> The test in the patch seems to do that:
>
> + "# MAPNAME SYSTEM-USERNAME PG-USERNAME\n",
> + "dn \"CN=ssltestuser-dn,OU=Testing,OU=Engineering,O=PGDG\" ssltestuser\n",
> + "dnre \"/^.*OU=Testing,.*\$\" ssltestuser\n",
> + "cn ssltestuser-dn ssltestuser\n";
>
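Review bot: the dnre map line `"dnre \"/^.*OU=Testing,.*\$\" ssltestuser\n"` uses a pattern in which the leading `^.*` and trailing `.*$` add nothing, and which accepts any DN that contains the substring `OU=Testing,` anywhere, not just the one OU component the test is exercising. That is fine for a test fixture, but since these lines are the likely template people will copy into a real pg_ident.conf, it would be worth either tightening the pattern to the specific components being authorized or adding a comment that a regex map entry should be anchored to the DN components it intends to match.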
> I think someone needs to explain to me exactly what the DN is and how it
> is used. Sorry.
--
Justin
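To make the full-versus-partial distinction concrete, here is an added Python sketch (not code from PostgreSQL or from this thread) of how a pg_ident.conf map is consulted. It assumes simplified map semantics (an exact match, or a regular expression when the system name starts with "/", with "\1" substituted from the first capture group) and uses a map constructed from the three test lines quoted above.

```python
import re
import shlex

# Constructed pg_ident.conf-style map, modelled on the three map lines quoted from the patch's test.
# "dn" needs the whole DN, "dnre" matches any DN containing "OU=Testing,", "cn" matches the CN only.
IDENT_MAP = """
# MAPNAME  SYSTEM-USERNAME                                     PG-USERNAME
dn   "CN=ssltestuser-dn,OU=Testing,OU=Engineering,O=PGDG"  ssltestuser
dnre "/^.*OU=Testing,.*$"                                   ssltestuser
cn   ssltestuser-dn                                         ssltestuser
"""


def parse_ident_map(text):
    """Return (mapname, system_name, pg_name) triples; shlex handles the double-quoted DN."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)
        if len(fields) != 3:
            raise ValueError(f"malformed map line: {line!r}")
        entries.append(tuple(fields))
    return entries


def map_allows(entries, mapname, system_name, pg_user):
    r"""Simplified pg_ident.conf check (assumption, not PostgreSQL's own code): does map
    `mapname` let `system_name` (the CN, or the full DN when clientname=DN is set) log in
    as `pg_user`?  A system name starting with '/' is a regular expression, and '\1' in the
    PG name is replaced by the first capture group."""
    for name, sysname, pgname in entries:
        if name != mapname:
            continue
        if sysname.startswith("/"):
            m = re.search(sysname[1:], system_name)
            if not m:
                continue
            if r"\1" in pgname:
                if not m.groups():
                    continue  # \1 requested but the pattern captured nothing
                pgname = pgname.replace(r"\1", m.group(1))
        elif sysname != system_name:
            continue  # plain entries require the whole string to match
        if pgname == pg_user:
            return True
    return False
```

Note how the "dn" entry rejects a certificate whose DN differs in any component, while the "dnre" entry accepts any DN containing the OU substring.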