[pgpool-hackers: 2998] Re: New feature: supporting SCRAM and CERT based authentication in Pgpool-II
Tatsuo Ishii
ishii at sraoss.co.jp
Mon Aug 27 11:05:25 JST 2018
Usama,
Can you comment on this? Especially this:
> For 3) and 4) we need to have a way to map a user to a certificate
> which then is used for the pgpool <-> PostgreSQL connection.
> Hi,
>
> On 08/22/2018 01:45 PM, Jesper Pedersen wrote:
>> Has somebody else tried this ?
>>
>
> Ok, the attached hack allows pgpool-II to connect to PostgreSQL with the
>
> pg_hba.conf:
> ------------
> hostssl all all all scram-sha-256 clientcert=1
>
> configuration. Of course it is just a single user, and more work needs
> to be done.
>
> However, it brings up the question about the configuration of SSL in
> pgpool.
>
> We have a couple of scenarios
>
> 1) Client <-- --> pgpool <-- --> PostgreSQL
> 2) Client <-- SSL --> pgpool <-- --> PostgreSQL
> 3) Client <-- --> pgpool <-- SSL --> PostgreSQL
> 4) Client <-- SSL --> pgpool <-- SSL --> PostgreSQL
>
> For 3) and 4) we need to have a way to map a user to a certificate
> which then is used for the pgpool <-> PostgreSQL connection.
>
> Also, there is the question if we can assume that the CA is the same
> for both pgpool and PostgreSQL.
>
> I think we should add a _pgpool_ identifier to the SSL configuration
> to make it clear that it's 2) that is being supported at the moment,
> like ssl_pgpool_cert and so on. 3) and 4) could be ssl_backend_ based
> ones.
>
> Thoughts ?
>
> Best regards,
> Jesper