<div dir="ltr">Hi<div><br></div><div>I kept that piece of code for comparing the startup timing. we can safely remove it.</div><div>Sorry for the noice.</div><div><br></div><div>Thanks</div><div>Best regards</div><div>Muhammad Usama</div><div><br></div><div><br><div class="gmail_quote"><div dir="ltr">On Fri, Aug 17, 2018 at 11:49 AM Tatsuo Ishii <<a href="mailto:ishii@sraoss.co.jp">ishii@sraoss.co.jp</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Usama,<br>
<br>
To run pgindent (the code causes error on pgindent), I ifdef out it for now.<br>
<br>
Best regards,<br>
--<br>
Tatsuo Ishii<br>
SRA OSS, Inc. Japan<br>
English: <a href="http://www.sraoss.co.jp/index_en.php" rel="noreferrer" target="_blank">http://www.sraoss.co.jp/index_en.php</a><br>
Japanese:<a href="http://www.sraoss.co.jp" rel="noreferrer" target="_blank">http://www.sraoss.co.jp</a><br>
<br>
From: Tatsuo Ishii <<a href="mailto:ishii@sraoss.co.jp" target="_blank">ishii@sraoss.co.jp</a>><br>
Subject: [pgpool-committers: 5052] Re: pgpool: Feature: Add SCRAM and Certificate authentication support<br>
Date: Fri, 17 Aug 2018 09:38:08 +0900 (JST)<br>
Message-ID: <<a href="mailto:20180817.093808.2104436097708702867.t-ishii@sraoss.co.jp" target="_blank">20180817.093808.2104436097708702867.t-ishii@sraoss.co.jp</a>><br>
<br>
> Usama,<br>
> <br>
> In this commit I see below in main/main.c:<br>
> <br>
> //#ifdef USE_SSL<br>
> // /* global ssl init */<br>
> //#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined (LIBRESSL_VERSION_NUMBER))<br>
> // OPENSSL_init_ssl(0, NULL);<br>
> //#else<br>
> // SSL_library_init();<br>
> //#endif<br>
> // SSL_load_error_strings();<br>
> //#endif /* USE_SSL */<br>
> <br>
> Can we remove the code safely or are you still working on this part?<br>
> <br>
> Best regards,<br>
> --<br>
> Tatsuo Ishii<br>
> SRA OSS, Inc. Japan<br>
> English: <a href="http://www.sraoss.co.jp/index_en.php" rel="noreferrer" target="_blank">http://www.sraoss.co.jp/index_en.php</a><br>
> Japanese:<a href="http://www.sraoss.co.jp" rel="noreferrer" target="_blank">http://www.sraoss.co.jp</a><br>
> <br>
> From: Muhammad Usama <<a href="mailto:m.usama@gmail.com" target="_blank">m.usama@gmail.com</a>><br>
> Subject: [pgpool-committers: 5051] pgpool: Feature: Add SCRAM and Certificate authentication support<br>
> Date: Thu, 16 Aug 2018 16:45:03 +0000<br>
> Message-ID: <<a href="mailto:E1fqLOR-0002Yf-AY@gothos.postgresql.org" target="_blank">E1fqLOR-0002Yf-AY@gothos.postgresql.org</a>><br>
> <br>
>> Feature: Add SCRAM and Certificate authentication support<br>
>> <br>
>> New feature to add scram and cert authentication method support in Pgpool-II.<br>
>> Apart from supporting the new authentication methods the commit also includes<br>
>> the following enhancements and changes in the authentication framework<br>
>> of Pgpool-II<br>
>> <br>
>> Different auth methods for frontend and backend for user session<br>
>> ================================================================<br>
>> Now it possible to use different authentication method for client<br>
>> application and backend PostgreSQL servers.<br>
>> For example, a client application can use scram-sha-256 to connect to Pgpool-II<br>
>> which in turn can use trust or md5 authentication to connect to<br>
>> PostgreSQL backend for the same session.<br>
>> <br>
>> Use MD5 and SCRAM without pool_passwd<br>
>> =====================================<br>
>> New configuration parameter allow_clear_text_frontend_auth, enables the Pgpool-II<br>
>> to use clear-text-password authentication with frontend clients when pool_passwd<br>
>> file does not contains the password for the connecting user.<br>
>> For example: suppose PostgreSQL servers has a user named "some_user" which can<br>
>> connect to database using SCRAM authentication, Now for this "some_user" to<br>
>> connect to PostgreSQL using SCRAM through Pgpool-II we must have the some_user's<br>
>> password stored in the pool_passwd file, but if in some case when pool_passwd does<br>
>> not have the entry of "some_user" and allow_clear_text_frontend_auth is enabled<br>
>> in the pgpool.conf then Pgpool-II will ask the connecting frontend to use<br>
>> clear-text-password auth method for authentication, and after receiving the<br>
>> password from the client, Pgpool-II will use that password to authenticate with<br>
>> backend using the required SCRAM auth.<br>
>> <br>
>> Note: allow_clear_text_frontend_auth only works when pool_hba.conf is not enabled.<br>
>> <br>
>> Encrypted passwords in pool_passwd file<br>
>> =======================================<br>
>> Since the SCRAM authentication method explicitly guards against the<br>
>> man-in-middle type attacks, so to use such authentication methods Pgpool-II<br>
>> requires the PostgreSQL user password to authenticate with the backend.<br>
>> But as storing the clear text password in the "pool_passwd" file is never a good<br>
>> idea, so now you can store the AES256-CBC encrypted password in the "pool_passwd".<br>
>> To store the AES encrypted password in the "pool_passwd" the password is first<br>
>> encrypted using the AES256 encryption with the user provided key and then the<br>
>> encrypted password is base64 encoded and AES prefix is added to<br>
>> the encoded string.<br>
>> <br>
>> New pg_enc utility to create encrypted passwords<br>
>> ================================================<br>
>> A new utility pg_enc is added to create AES encrypted passwords. The utility<br>
>> works similar in most ways as pg_md5 utility, with a some small differences,<br>
>> pg_enc also requires the key for encrypting the password entries. later that<br>
>> same key is required by Pgpool-II to decrypt the passwords to be used for<br>
>> authentication.<br>
>> <br>
>> Note: Pgpool-II must be build with ssl (--with-openssl) support to use<br>
>> this encrypted password feature.<br>
>> <br>
>> Providing encryption key to Pgpool-II<br>
>> =====================================<br>
>> If you have AES encrypted passwords stored in the pool_passwd file, then<br>
>> Pgpool-II will require the decryption key to decrypt the passwords before<br>
>> using them, Pgpool-II tries to read the decryption key at startup from<br>
>> the pgpoolkey file.<br>
>> By default the Pgpool-II will look for the pgpoolkey file in user's home<br>
>> directory or the file referenced by environment variable PGPOOLKEYFILE.<br>
>> You can also specify the key file using the (-k, --key-file=KEY_FILE)<br>
>> command line argument to the Pgpool-II binary.<br>
>> <br>
>> Encrypted Passwords in pgpool.conf<br>
>> ==================================<br>
>> The commit also allows to specify the AES encrypted password in the pgpool.conf<br>
>> file for healh_check_user, sr_check_user, wd_lifecheck_user and recovery_user<br>
>> users, Additionally if the password field for any of these users is left blank<br>
>> in pgpool conf then Pgpool-II will first try to get the password for that user<br>
>> from pool_passwd file before using the empty password for the connection.<br>
>> So now pgpool.conf can be made password free and single pool_passwd file can be<br>
>> used to store all passwords for internal and external user connection<br>
>> <br>
>> Documentation updates and regression test cases for the<br>
>> feature are also part of the commit.<br>
>> Thanks to jesperpedersen <<a href="mailto:jesper.pedersen@redhat.com" target="_blank">jesper.pedersen@redhat.com</a>> for helping<br>
>> in documentation and testing for the feature<br>
>> <br>
>> Branch<br>
>> ------<br>
>> master<br>
>> <br>
>> Details<br>
>> -------<br>
>> <a href="https://git.postgresql.org/gitweb?p=pgpool2.git;a=commitdiff;h=26446126f36dcd34ea9032ac934aafe63acc0eee" rel="noreferrer" target="_blank">https://git.postgresql.org/gitweb?p=pgpool2.git;a=commitdiff;h=26446126f36dcd34ea9032ac934aafe63acc0eee</a><br>
>> <br>
>> Modified Files<br>
>> --------------<br>
>> Makefile.in | 43 +-<br>
>> aclocal.m4 | 203 +-<br>
>> configure | 261 +--<br>
>> <a href="http://configure.ac" rel="noreferrer" target="_blank">configure.ac</a> | 2 +-<br>
>> doc.ja/Makefile.in | 24 +-<br>
>> doc.ja/src/Makefile.in | 24 +-<br>
>> doc.ja/src/sgml/Makefile.in | 24 +-<br>
>> doc/Makefile.in | 24 +-<br>
>> doc/src/Makefile.in | 24 +-<br>
>> doc/src/sgml/Makefile.in | 24 +-<br>
>> doc/src/sgml/client-auth.sgml | 231 +-<br>
>> doc/src/sgml/connection-settings.sgml | 32 +<br>
>> doc/src/sgml/healthcheck.sgml | 23 +<br>
>> doc/src/sgml/online-recovery.sgml | 24 +<br>
>> doc/src/sgml/ref/allfiles.sgml | 1 +<br>
>> doc/src/sgml/ref/pg_enc.sgml | 165 ++<br>
>> doc/src/sgml/reference.sgml | 1 +<br>
>> doc/src/sgml/stream-check.sgml | 23 +<br>
>> doc/src/sgml/watchdog.sgml | 27 +-<br>
>> src/Makefile.am | 5 +<br>
>> src/Makefile.in | 45 +-<br>
>> src/auth/auth-scram.c | 1653 ++++++++++++++<br>
>> src/auth/pool_auth.c | 1674 +++++++++++---<br>
>> src/auth/pool_hba.c | 87 +-<br>
>> src/auth/pool_passwd.c | 377 +++-<br>
>> src/config/pool_config_variables.c | 9 +<br>
>> src/include/Makefile.in | 29 +-<br>
>> src/include/auth/md5.h | 1 -<br>
>> src/include/auth/pool_hba.h | 10 +-<br>
>> src/include/auth/pool_passwd.h | 43 +-<br>
>> src/include/auth/scram-common.h | 93 +<br>
>> src/include/auth/scram.h | 65 +<br>
>> src/include/<a href="http://config.h.in" rel="noreferrer" target="_blank">config.h.in</a> | 3 +<br>
>> src/include/pool.h | 21 +-<br>
>> src/include/pool_config.h | 8 +-<br>
>> src/include/pool_type.h | 13 +-<br>
>> src/include/utils/base64.h | 19 +<br>
>> src/include/utils/sha2.h | 116 +<br>
>> src/include/utils/ssl_utils.h | 34 +<br>
>> src/include/watchdog/wd_utils.h | 7 +-<br>
>> src/libs/Makefile.in | 24 +-<br>
>> src/libs/pcp/Makefile.in | 25 +-<br>
>> src/main/health_check.c | 8 +-<br>
>> src/main/main.c | 86 +-<br>
>> src/main/pgpool_main.c | 16 +-<br>
>> src/parser/Makefile.in | 25 +-<br>
>> src/pcp_con/recovery.c | 27 +-<br>
>> src/protocol/child.c | 227 +-<br>
>> src/sample/pgpool.conf.sample | 20 +-<br>
>> src/sample/pgpool.conf.sample-logical | 18 +-<br>
>> src/sample/pgpool.conf.sample-master-slave | 17 +<br>
>> src/sample/pgpool.conf.sample-replication | 17 +<br>
>> src/sample/pgpool.conf.sample-stream | 16 +<br>
>> src/sample/pool_hba.conf.sample | 4 +-<br>
>> src/streaming_replication/pool_worker_child.c | 10 +-<br>
>> src/test/pgpool_setup | 34 +-<br>
>> .../020.allow_clear_text_frontend_auth/test.sh | 104 +<br>
>> .../tests/021.pool_passwd_auth/pool_hba.conf | 71 +<br>
>> .../regression/tests/021.pool_passwd_auth/test.sh | 111 +<br>
>> .../022.pool_passwd_alternative_auth/pool_hba.conf | 71 +<br>
>> .../tests/022.pool_passwd_alternative_auth/test.sh | 112 +<br>
>> src/tools/Makefile.am | 2 +-<br>
>> src/tools/Makefile.in | 27 +-<br>
>> src/tools/pcp/Makefile.in | 24 +-<br>
>> src/tools/pgenc/Makefile.am | 54 +<br>
>> src/tools/pgenc/Makefile.in | 687 ++++++<br>
>> src/tools/pgenc/pg_enc.c | 449 ++++<br>
>> src/tools/pgmd5/Makefile.in | 24 +-<br>
>> src/tools/pgmd5/pool_config.c | 2318 +-------------------<br>
>> src/utils/base64.c | 196 ++<br>
>> src/utils/pool_process_reporting.c | 5 +<br>
>> src/utils/pool_ssl.c | 350 ++-<br>
>> src/utils/scram-common.c | 238 ++<br>
>> src/utils/sha2.c | 999 +++++++++<br>
>> src/utils/ssl_utils.c | 248 +++<br>
>> src/watchdog/Makefile.in | 24 +-<br>
>> src/watchdog/watchdog.c | 1 +<br>
>> src/watchdog/wd_json_data.c | 3 +<br>
>> src/watchdog/wd_lifecheck.c | 8 +-<br>
>> src/watchdog/wd_utils.c | 32 +-<br>
>> 80 files changed, 8747 insertions(+), 3477 deletions(-)<br>
>> <br>
> _______________________________________________<br>
> pgpool-committers mailing list<br>
> <a href="mailto:pgpool-committers@pgpool.net" target="_blank">pgpool-committers@pgpool.net</a><br>
> <a href="http://www.pgpool.net/mailman/listinfo/pgpool-committers" rel="noreferrer" target="_blank">http://www.pgpool.net/mailman/listinfo/pgpool-committers</a><br>
</blockquote></div></div></div>