[pgpool-hackers: 2985] Re: New feature: supporting SCRAM and CERT based authentication in Pgpool-II
Jesper Pedersen
jesper.pedersen at redhat.com
Fri Aug 24 02:53:30 JST 2018
Hi,
On 08/22/2018 01:45 PM, Jesper Pedersen wrote:
> Has somebody else tried this?
>
Ok, the attached hack allows pgpool-II to connect to PostgreSQL with the

pg_hba.conf:
------------
hostssl all all all scram-sha-256 clientcert=1

configuration. Of course it is just a single user, and more work needs
to be done.
However, it brings up the question about the configuration of SSL in pgpool.
We have a couple of scenarios:
1) Client <-- --> pgpool <-- --> PostgreSQL
2) Client <-- SSL --> pgpool <-- --> PostgreSQL
3) Client <-- --> pgpool <-- SSL --> PostgreSQL
4) Client <-- SSL --> pgpool <-- SSL --> PostgreSQL
For 3) and 4) we need to have a way to map a user to a certificate which
then is used for the pgpool <-> PostgreSQL connection.
Also, there is the question if we can assume that the CA is the same for
both pgpool and PostgreSQL.
I think we should add a _pgpool_ identifier to the SSL configuration to
make it clear that it's 2) that is being supported at the moment, like
ssl_pgpool_cert and so on. 3) and 4) could be ssl_backend_ based ones.
Thoughts?
Best regards,
Jesper
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ssl_hack.patch
Type: text/x-patch
Size: 821 bytes
Desc: not available
URL: <http://www.sraoss.jp/pipermail/pgpool-hackers/attachments/20180823/055f8acd/attachment.bin>