[pgpool-hackers: 3010] Re: New feature: supporting SCRAM and CERT based authentication in Pgpool-II
Jesper Pedersen
jesper.pedersen at redhat.com
Wed Aug 29 05:07:46 JST 2018
Hi,
On 08/27/2018 08:20 PM, Tatsuo Ishii wrote:
> It's not clear in the release note but actually it's stated in the
> doc:
>
> <note>
> <para>
> The certificate authentication works between client and
> <productname>Pgpool-II</productname>, for the
> backend authentication you can use any other authentication method
> </para>
> </note>
>
I can send a patch to highlight this some more, if needed. Highlighting
this in the ssl.sgml will likely be an idea.
I still think that people will look to secure their entire stack though.
> While waiting for response Usama, I wonder if you could provide full
> patch to implement the certificate auth between Pgpool-II and
> PostgreSQL. Because we are close to release of 4.0, and if we want to
> push the feature, we need full patch which includes below now:
>
> - Code patch
Still missing code, but I think I'm waiting for Muhammad's feedback on
the general direction of the patch now. Having cp->username being NULL
is the biggest issue to get to testing.
Delta from yesterday:
* Implemented ssl_backend_ca_cert_dir option
* Implemented ssl_backend_ca_crl
Maybe, we want some new enums to cover the _backend_ case. Also,
_RETURN_ERROR_ maybe needs a SSL_CTX_free() case...
> - Document patch
That should be ok for a first draft now, as compared to yesterday.
> - Regression test
>
Currently, there are no certificate based test cases, which causes some
problems. Especially with setups where Pgpool-II requires specific
certificates installed in the PostgreSQL instance. Maybe add a manual
test case, and instructions on how to set it up?
> So you cannot provide a working full patch for now. If so, I recommend
> to move the feature to 4.1 development cycle.
>
I would like to hear from Muhammad to see how far we are off before we say 4.1.
Best regards,
Jesper
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Rename-ssl_-to-ssl_pgpool-and-introduce-ssl_backend-_v2.patch
Type: text/x-patch
Size: 41476 bytes
Desc: not available
URL: <http://www.sraoss.jp/pipermail/pgpool-hackers/attachments/20180828/5134172b/attachment-0001.bin>