[pgpool-hackers: 3010] Re: New feature: supporting SCRAM and CERT based authentication in Pgpool-II

Jesper Pedersen jesper.pedersen at redhat.com
Wed Aug 29 05:07:46 JST 2018


Hi,

On 08/27/2018 08:20 PM, Tatsuo Ishii wrote:
> It's not clear in the release note but actually it's stated in the
> doc:
> 
>        <note>
> 	<para>
> 	  The certificate authentication works between client and
>        <productname>Pgpool-II</productname>, for the
> 	  backend authentication you can use any other authentication method
> 	</para>
>        </note>
>

I can send a patch to highlight this some more, if needed. Highlighting 
this in the ssl.sgml will likely be an idea.

I still think that people will look to secure their entire stack though.

> While waiting for response Usama, I wonder if you could provide full
> patch to implement the certificate auth between Pgpool-II and
> PostgreSQL. Because we are close to release of 4.0, and if we want to
> push the feature, we need full patch which includes below now:
> 
> - Code patch

Still missing code, but I think I'm waiting for Muhammad's feedback on 
the general direction of the patch now. Having cp->username being NULL 
is the biggest issue to get to testing.

Delta from yesterday:

* Implemented ssl_backend_ca_cert_dir option
* Implemented ssl_backend_ca_crl

Maybe we want some new enums to cover the _backend_ case. Also, 
_RETURN_ERROR_ maybe needs a SSL_CTX_free() case...

> - Document patch

That should be ok for a first draft now, as compared to yesterday.

> - Regression test
> 

Currently, there are no certificate-based test cases, which causes some 
problems, especially with setups where Pgpool-II requires specific 
certificates installed in the PostgreSQL instance. Maybe add a manual 
test case, and instructions on how to set it up?

> So you cannot provide a working full patch for now. If so, I recommend
> to move the feature to 4.1 development cycle.
> 

I would like to hear from Muhammad to see how far we are off before we say 4.1.

Best regards,
  Jesper
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Rename-ssl_-to-ssl_pgpool-and-introduce-ssl_backend-_v2.patch
Type: text/x-patch
Size: 41476 bytes
Desc: not available
URL: <http://www.sraoss.jp/pipermail/pgpool-hackers/attachments/20180828/5134172b/attachment-0001.bin>
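The manual test setup the message asks for (a throwaway CA, two PostgreSQL backend certificates, a CRL, and the hash-named CA directory that the proposed ssl_backend_ca_cert_dir and ssl_backend_ca_crl options would point Pgpool-II at), as an added shell example that is not part of this thread or of the attached patch. It drives plain OpenSSL only; the mapping of the CA directory and CRL file onto the two Pgpool-II option names is an assumption, and every name and certificate in it is constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the Pgpool-II patch: build a test CA, issue two
# backend certificates, revoke one, then verify both the way a client that is
# given ssl_backend_ca_cert_dir (hashed CA dir) and ssl_backend_ca_crl (CRL
# file) would. The option mapping is an assumption; the CA and names are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
CADIR="$WORK/cadir"   # stands in for ssl_backend_ca_cert_dir
CRL="$WORK/ca.crl"    # stands in for ssl_backend_ca_crl

# Minimal config for "openssl ca" and "openssl req"; paths are relative to $WORK.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = test_ca
[ test_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 1
default_crl_days = 1
policy           = cn_only
[ cn_only ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName       = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF

# Self-signed test CA plus the bookkeeping files "openssl ca" needs.
setup_test_ca() {
    mkdir -p newcerts
    : > index.txt
    echo 1000 > serial
    echo 1000 > crlnumber
    openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" -keyout ca.key -out ca.crt 2>/dev/null
}

# Issue a server certificate for one backend; $1 is both file stem and CN.
issue_backend_cert() {
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl ca -config ca.cnf -batch -notext \
        -in "$WORK/$1.csr" -out "$WORK/$1.crt" 2>/dev/null
}

# Mark a backend certificate revoked in the CA database.
revoke_backend_cert() {
    openssl ca -config ca.cnf -revoke "$WORK/$1.crt" 2>/dev/null
}

# Publish the CA cert under its subject hash (the c_rehash layout OpenSSL
# expects for a CA directory) and emit a fresh CRL that reflects revocations.
publish_ca_dir() {
    hash=$(openssl x509 -noout -hash -in ca.crt)
    mkdir -p "$CADIR"
    cp ca.crt "$CADIR/$hash.0"
    openssl ca -config ca.cnf -gencrl -out "$CRL" 2>/dev/null
}

# Exit status 0 when the chain verifies against the CA dir and the cert is not
# on the CRL; non-zero when the backend would have to be rejected.
verify_backend_cert() {
    openssl verify -CApath "$CADIR" -CRLfile "$CRL" -crl_check \
        "$WORK/$1.crt" >/dev/null 2>&1
}

setup_test_ca
issue_backend_cert pg-backend-1
issue_backend_cert pg-backend-2
revoke_backend_cert pg-backend-2
publish_ca_dir

if verify_backend_cert pg-backend-1; then echo "pg-backend-1: accepted"; fi
if ! verify_backend_cert pg-backend-2; then echo "pg-backend-2: rejected (revoked)"; fi
```

Regenerating the CRL after every revocation matters: a CA directory that still carries the old CRL keeps accepting the revoked backend, which is the failure the CRL option is meant to close.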