| From: | samay sharma <smilingsamay(at)gmail(dot)com> |
|---|---|
| To: | Jacob Champion <pchampion(at)vmware(dot)com>, Aleksander Alekseev <aleksander(at)timescale(dot)com>, andrew(at)dunslane(dot)net, "andres(at)anarazel(dot)de" <andres(at)anarazel(dot)de> |
| Cc: | "peter(dot)eisentraut(at)enterprisedb(dot)com" <peter(dot)eisentraut(at)enterprisedb(dot)com>, "pgsql-hackers(at)lists(dot)postgresql(dot)org" <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: Proposal: Support custom authentication methods using hooks |
| Date: | 2022-03-15 19:27:29 |
| Message-ID: | CAJxrbyxgFzfqby+VRCkeAhJnwVZE50+ZLPx0JT2TDg9LbZtkCg@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Hi,
On Fri, Mar 4, 2022 at 11:15 AM Jacob Champion <pchampion(at)vmware(dot)com> wrote:
> On Thu, 2022-03-03 at 11:12 +0100, Peter Eisentraut wrote:
> > At the moment, it is not possible to judge whether the hook interface
> > you have chosen is appropriate.
> >
> > I suggest you actually implement the Azure provider, then make the hook
> > interface, and then show us both and we can see what to do with it.
>
> To add a data point here, I've rebased my OAUTHBEARER experiment [1] on
> top of this patchset. (That should work with Azure's OIDC provider, and
> if it doesn't, I'd like to know why.)
>
Firstly, thanks for doing this. It helps to have another data point and the
feedback you provided is very valuable. I've looked to address it with the
patchset attached to this email.
This patch-set adds the following:
* Allow multiple custom auth providers to be registered (Addressing
feedback from Aleksander and Andrew)
* Modify the test extension to use SCRAM to exchange secrets (Based on
Andres's suggestion)
* Add support for custom auth options to configure provider's behavior (by
exposing a new hook) (Required by OAUTHBEARER)
* Allow custom auth methods to use usermaps. (Required by OAUTHBEARER)
> After the port, here are the changes I still needed to carry in the
> backend to get the tests passing:
>
> - I needed to add custom HBA options to configure the provider.
>
Could you try to rebase your patch to use the options hook and let me know
if it satisfies your requirements?
Please let me know if there's any other feedback.
Regards,
Samay
> - I needed to declare usermap support so that my provider could
> actually use check_usermap().
- I had to modify the SASL mechanism registration to allow a custom
> maximum message length, but I think that's not the job of Samay's
> proposal to fix; it's just a needed improvement to CheckSASLAuth().
>
> Obviously, the libpq frontend still needs to understand how to speak
> the new SASL mechanism. There are third-party SASL implementations that
> are plugin-based, which could potentially ease the pain here, at the
> expense of a major dependency and a very new distribution model.
>
> --Jacob
>
> [1]
> https://www.postgresql.org/message-id/flat/d1b467a78e0e36ed85a09adf979d04cf124a9d4b.camel%40vmware.com
>
| Attachment | Content-Type | Size |
|---|---|---|
| v3-0001-Add-support-for-custom-authentication-methods.patch | application/octet-stream | 11.6 KB |
| v3-0004-Add-support-for-map-and-custom-auth-options.patch | application/octet-stream | 11.7 KB |
| v3-0002-Add-sample-extension-to-test-custom-auth-provider.patch | application/octet-stream | 4.4 KB |
| v3-0003-Add-tests-for-test_auth_provider-extension.patch | application/octet-stream | 6.1 KB |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Mark Dilger | 2022-03-15 19:30:52 | Re: pg14 psql broke \d datname.nspname.relname |
| Previous Message | Robert Haas | 2022-03-15 19:27:05 | Re: pg14 psql broke \d datname.nspname.relname |