[pgpool-hackers: 3004] Re: New feature: supporting SCRAM and CERT based authentication in Pgpool-II

Tatsuo Ishii ishii at sraoss.co.jp
Tue Aug 28 09:20:58 JST 2018


Hi Jesper,

> Hi,
> 
> On 08/27/2018 04:26 AM, Tatsuo Ishii wrote:
>> Thanks for the patch.
>> I assume this is going to be handled in 4.1 development cycle unless
>> otherwise Usama wants to import into 4.0.
>> 
> 
> I think that people will assume that SSL can be used in the entire
> stack if the release notes state support for certificate
> authentication; currently Pgpool-II <- SSL -> PostgreSQL doesn't work.

It's not clear in the release note but actually it's stated in the
doc:

      <note>
        <para>
          The certificate authentication works between client and
          <productname>Pgpool-II</productname>, for the
          backend authentication you can use any other authentication method
        </para>
      </note>

> I see that Client <- SSL -> Pgpool-II support has a benefit if you
> assume that Pgpool-II is deployed on an internal and secure network,
> but I think it would be better that we fix everything for 4.0.
> 
> The attached patch is further along, and I believe that most of the
> changes will be in pool-ssl.c now.

While waiting for a response from Usama, I wonder if you could provide a full
patch to implement the certificate auth between Pgpool-II and
PostgreSQL. Because we are close to the release of 4.0, if we want to
push the feature, we need a full patch which includes the items below now:

- Code patch
- Document patch
- Regression test

> At least we should consider renaming the ssl_ configuration options,
> so they don't have to be renamed in 4.1.
> 
> I renamed 'ssl_backend_cert_auth' to 'ssl_backend_ca_cert' and
> 'ssl_backend_cert_revoke_list' to 'ssl_backend_ca_crl', and exposed
> the options. There are a number of TODOs in pool-ssl.c, so it is still
> non-working.

So you cannot provide a working full patch for now. If so, I recommend
moving the feature to the 4.1 development cycle.

> BTW, do we need 'ssl_ca_cert_dir' ? PostgreSQL doesn't expose such an
> option, so maybe NULL is better ? See their root_cert_dir code.
> 
> Thanks for your work on 0000419 !

You are welcome!

> Best regards,
>  Jesper

Best regards,
--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese: http://www.sraoss.co.jp