Re: Using pgadmin as an OAuth2 proxy for PostgreSQL

From: Ron <ronljohnsonjr(at)gmail(dot)com>
To: pgsql-admin(at)lists(dot)postgresql(dot)org
Subject: Re: Using pgadmin as an OAuth2 proxy for PostgreSQL
Date: 2022-12-19 14:49:51
Message-ID: 63e54f32-14cb-6f77-02b2-d42f094b45c9@gmail.com
Lists: pgsql-admin

Why not authenticate Postgresql users directly to AD using GSSAPI?

On 12/19/22 07:12, Rettstadt, Tobias wrote:
>
> Hi all,
>
> our current project has the requirement that users should get read access
> to our backend databases. The users are stored in Azure AD and my first
> idea was to use OAuth2 / OIDC to authenticate the users. Since pgadmin
> provides OAuth2 authentication, is it possible to somehow map roles in the
> access token that we get from Azure AD to a Postgres user in pgadmin, so
> that the users can just log in using their Azure AD account and then get
> access to a number of databases that I have configured?
>
> I already tried the OAuth2 login in pgadmin and it’s working fine, but I
> haven’t figured out how to deploy the database credentials. I know that I
> could use a password file, but it has to be located in the storage
> directory of the user, where he could download it using the storage
> manager. Since users should not be able to access the password, we cannot
> use this. It would also be feasible if the owner of the password would
> have to enter the password on the machine of each of the users, but even
> if I select “Save password”, the password is not saved, even though master
> passwords and password saving are activated in the config.
>
> We are running the latest Docker image dpage/pgadmin4 in a Kubernetes
> cluster. The pgadmin version is 6.17.
>
> Thanks in advance for your help and best regards,
>
> Tobias
>
> ****************************************************************
> The information contained in this e-mail is confidential. This e-mail is
> intended solely for the addressee(s) and may not be accessed by anyone
> else. If you are not a named recipient, any disclosure, copying,
> distribution or related action is prohibited and might be unlawful. If the
> e-mail is not intended for you, please notify the sender immediately and
> delete it.
> ****************************************************************

--
Angular momentum makes the world go 'round.
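Added example (not part of either message in the thread): the server-side configuration that Ron's GSSAPI suggestion implies, so that Azure AD accounts reach PostgreSQL through Kerberos and no database password ever has to be stored in a pgadmin storage directory. The realm CORP.EXAMPLE.COM, the 10.0.0.0/8 network, the keytab path, the map name "adusers" and the role "app_readonly" are all assumed placeholders; hostgssenc requires PostgreSQL 12 or later.

```conf
# --- postgresql.conf (added example; realm and path are assumed placeholders) ---
# Keytab holding the service principal postgres/<server-fqdn>@CORP.EXAMPLE.COM,
# exported from the AD domain the users authenticate against.
krb_server_keyfile = '/etc/postgresql/postgres.keytab'

# --- pg_hba.conf ---
# TYPE        DATABASE  USER   ADDRESS      METHOD  OPTIONS
# Accept only GSSAPI-encrypted sessions from the application network, only
# principals from our own realm, and pass every principal through the map.
hostgssenc    all       all    10.0.0.0/8   gss     krb_realm=CORP.EXAMPLE.COM map=adusers
# Anything from that network that is not GSSAPI-encrypted is refused.
host          all       all    10.0.0.0/8   reject

# --- pg_ident.conf ---
# MAPNAME   SYSTEM-USERNAME                  PG-USERNAME
# Regex form: the principal "tobias@CORP.EXAMPLE.COM" maps to the database
# role "tobias". Each AD user therefore needs a matching role, created as a
# member of a read-only group, e.g.:
#   CREATE ROLE tobias LOGIN IN ROLE app_readonly;
adusers     /^([^@]+)@CORP\.EXAMPLE\.COM$    \1
```

The krb_realm restriction stops principals from a trusting foreign realm being accepted, and the regex map keeps the realm in the match so a principal name can never be mistaken for a local role of the same spelling. The read-only requirement from the original question is then a plain grant on the group role (on PostgreSQL 14 or later, GRANT pg_read_all_data TO app_readonly). Users connect with a ticket from kinit; if pgadmin stays in front of the databases, its Kerberos authentication source is the counterpart to this configuration, and the ticket-delegation settings are documented on the pgAdmin side.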
