[pgpool-hackers: 3014] Re: New feature: supporting SCRAM and CERT based authentication in Pgpool-II

Tatsuo Ishii ishii at sraoss.co.jp
Wed Aug 29 12:47:51 JST 2018


> Hi,
> 
> On 08/27/2018 08:20 PM, Tatsuo Ishii wrote:
>> It's not clear in the release note but actually it's stated in the
>> doc:
>>        <note>
>> 	<para>
>> 	  The certificate authentication works between client and
>>        <productname>Pgpool-II</productname>, for the
>> 	  backend authentication you can use any other authentication method
>> 	</para>
>>        </note>
>>
> 
> I can send a patch to highlight this some more, if
> needed. Highlighting this in the ssl.sgml will likely be an idea.
> 
> I still think that people will look to secure their entire stack
> though.

Yeah I think so too. However we are running out of time in this
development cycle.

>> While waiting for a response from Usama, I wonder if you could provide a full
>> patch to implement the certificate auth between Pgpool-II and
>> PostgreSQL. Because we are close to the release of 4.0, and if we want to
>> push the feature, we need a full patch which includes the below now:
>> - Code patch
> 
> Still missing code, but I think I'm waiting for Muhammad's feedback on
> the general direction of the patch now. Having cp->username being NULL
> is the biggest issue to get to testing.
> 
> Delta from yesterday:
> 
> * Implemented ssl_backend_ca_cert_dir option
> * Implemented ssl_backend_ca_crl
> 
> Maybe, we want some new enums to cover the _backend_ case. Also,
> _RETURN_ERROR_ maybe needs a SSL_CTX_free() case...
> 
>> - Document patch
> 
> That should be ok for a first draft now, as compared to yesterday.
> 
>> - Regression test
>> 
> 
> Currently, there are no certificate based test cases, which causes
> some problems. Especially with setups where Pgpool-II requires
> specific certificates installed in the PostgreSQL instance. Maybe add
> a manual test case, and instructions on how to set it up ?

Since each regression test includes PostgreSQL instances, it should not
be a problem. You should be able to install certificates to the
instances while running the test. Today I have added an SSL connection
test (not certificate auth). Maybe that's a good starting point for you.

https://git.postgresql.org/gitweb/?p=pgpool2.git;a=commitdiff;h=e08b707274e9ff7eaf11d4bc8928e64b2530c720

>> So you cannot provide a working full patch for now. If so, I recommend
>> to move the feature to 4.1 development cycle.
>> 
> 
> I would like to hear from Muhammad to see how far we are off before we say
> 4.1.

Let's see what he says.

Best regards,
--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese: http://www.sraoss.co.jp
