| From: | Bruce Momjian <bruce(at)momjian(dot)us> |
|---|---|
| To: | pgsql-committers(at)lists(dot)postgresql(dot)org |
| Subject: | pgsql: Overhaul pg_hba.conf clientcert's API |
| Date: | 2020-10-05 19:48:53 |
| Message-ID: | E1kPWTd-0003C8-I6@gemulon.postgresql.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-committers |
Overhaul pg_hba.conf clientcert's API
Since PG 12, clientcert no longer supported only on/off, so remove 1/0
as possible values, and instead support only the text strings
'verify-ca' and 'verify-full'.
Remove support for 'no-verify' since that is possible by just not
specifying clientcert.
Also, throw an error if 'verify-ca' is used and 'cert' authentication is
used, since cert authentication requires verify-full.
Also improve the docs.
THIS IS A BACKWARD INCOMPATIBLE API CHANGE.
Reported-by: Kyotaro Horiguchi
Discussion: https://postgr.es/m/20200716.093012.1627751694396009053.horikyota.ntt@gmail.com
Author: Kyotaro Horiguchi
Backpatch-through: master
Branch
------
master
Details
-------
https://git.postgresql.org/pg/commitdiff/253f1025da8c8d6e52f96f764658b76eb59290ad
Modified Files
--------------
doc/src/sgml/client-auth.sgml | 11 ++++-------
doc/src/sgml/runtime.sgml | 5 ++---
src/backend/libpq/hba.c | 18 +++++++-----------
3 files changed, 13 insertions(+), 21 deletions(-)
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bruce Momjian | 2020-10-05 20:07:29 | pgsql: docs: clarify the interaction of clientcert and cert auth. |
| Previous Message | Tom Lane | 2020-10-05 17:40:35 | pgsql: Include the process PID in assertion-failure messages. |