From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | Peifeng Qiu <peifengq(at)vmware(dot)com> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, "pgsql-hackers(at)lists(dot)postgresql(dot)org" <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
Subject: | Re: Support kerberos authentication for postgres_fdw |
Date: | 2021-07-12 09:34:32 |
Message-ID: | CABUevEwAfdF9sfJwfi1fZ+rGOXqKrdscSw-BaZL+Ci3O5Zx7Gw@mail.gmail.com |
Lists: | pgsql-hackers |
On Mon, Jul 12, 2021 at 5:43 AM Peifeng Qiu <peifengq(at)vmware(dot)com> wrote:
>
> > As you note, this'd have to be restricted to superusers, which makes it
> > seem like a pretty bad idea. We really don't want to be in a situation
> > of pushing people to run day-to-day stuff as superuser. Yeah, having
> > access to kerberos auth sounds good on the surface, but it seems like
> > it would be a net loss in security because of that.
>
> I can imagine the use case would be a superuser creates the user
> mapping and foreign table, then grants access to the foreign table to
> a normal user. This way the normal user can execute queries on the
> foreign table but can't access sensitive information in the user mapping.
>
> The main purpose of this patch is to provide a simple way to do
> kerberos authentication with the least modification possible.

But in this case, what does Kerberos give over just using a password
based solution? It adds complexity, but what's the actual gain?

> > ISTM the right way to do this would be using Kerberos delegation. That
> > is, the system would be set up so that the postgres service principal
> > is trusted for kerberos delegation and it would then pass through the
> > actual Kerberos authentication from the client.
>
> I agree this sounds like the ideal solution. If I understand it correctly,
> this approach requires both postgres servers to use the same kerberos
> settings (kdc, realm, etc), and the FDW server can just "forward" the
> necessary information to authenticate on behalf of the same user.
> I will spend some time investigating it and reach out later.

I don't actually know if they have to be in the same realm, I *think*
kerberos delegations work across trusted realms, but I'm not sure
about that.
--
Magnus Hagander
Me: https://www.hagander.net/
Work: https://www.redpill-linpro.com/
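The "superuser creates the mapping, normal user only gets the foreign table" model from the quoted message, written out as an added SQL example (not code from the patch or from anyone in the thread) using the password-based mapping that the reply contrasts it with; the server name, host, database, table and role names are assumed, and the check at the end shows what the normal role can and cannot see:

```sql
-- Added example, not part of the thread or the patch. Run as a superuser on
-- the local (FDW) server. remote_srv, the host/dbname, remote_events and the
-- analyst role are assumed names.
CREATE EXTENSION IF NOT EXISTS postgres_fdw;

CREATE SERVER remote_srv
    FOREIGN DATA WRAPPER postgres_fdw
    OPTIONS (host 'remote.example.internal', dbname 'app', port '5432');

-- One mapping for everyone; the credential lives only in the catalog.
-- postgres_fdw refuses non-superuser connections through a mapping that has
-- no password unless password_required is switched off, so keep it here.
CREATE USER MAPPING FOR PUBLIC SERVER remote_srv
    OPTIONS (user 'fdw_reader', password 'PLACEHOLDER-secret');

CREATE FOREIGN TABLE remote_events (
    id      bigint,
    payload text
) SERVER remote_srv OPTIONS (schema_name 'public', table_name 'events');

-- The normal role is granted the table, not USAGE on the server, so it can
-- neither create its own foreign tables nor its own mappings on remote_srv.
CREATE ROLE analyst LOGIN;
GRANT SELECT ON remote_events TO analyst;

-- Verify as the normal role: the query goes through the PUBLIC mapping,
-- while pg_user_mappings reveals umoptions only to the server owner or a
-- superuser, so analyst gets NULL there; the underlying pg_user_mapping
-- catalog is not readable by non-superusers at all.
SET ROLE analyst;
SELECT count(*) FROM remote_events;
SELECT srvname, usename, umoptions
  FROM pg_user_mappings
 WHERE srvname = 'remote_srv';
RESET ROLE;
```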