[pgpool-hackers: 3014] Re: New feature: supporting SCRAM and CERT based authentication in Pgpool-II
Tatsuo Ishii
ishii at sraoss.co.jp
Wed Aug 29 12:47:51 JST 2018
> Hi,
>
> On 08/27/2018 08:20 PM, Tatsuo Ishii wrote:
>> It's not clear in the release note but actually it's stated in the
>> doc:
>> <note>
>> <para>
>> The certificate authentication works between client and
>> <productname>Pgpool-II</productname>, for the
>> backend authentication you can use any other authentication method
>> </para>
>> </note>
>>
>
> I can send a patch to highlight this some more, if
> needed. Highlighting this in the ssl.sgml will likely be an idea.
>
> I still think that people will look to secure their entire stack
> though.
Yeah, I think so too. However, we are running out of time in this
development cycle.
>> While waiting for response Usama, I wonder if you could provide full
>> patch to implement the certificate auth between Pgpool-II and
>> PostgreSQL. Because we are close to release of 4.0, and if we want to
>> push the feature, we need full patch which includes below now:
>> - Code patch
>
> Still missing code, but I think I'm waiting for Muhammad's feedback on
> the general direction of the patch now. Having cp->username being NULL
> is the biggest issue to get to testing.
>
> Delta from yesterday:
>
> * Implemented ssl_backend_ca_cert_dir option
> * Implemented ssl_backend_ca_crl
>
> Maybe, we want some new enum's to cover the _backend_ case. Also,
> _RETURN_ERROR_ maybe needs a SSL_CTX_free() case...
>
>> - Document patch
>
> That should be ok for a first draft now, as compared to yesterday.
>
>> - Regression test
>>
>
> Currently, there are no certificate based test cases, which causes
> some problems. Especially with setups where Pgpool-II requires
> specific certificates installed in the PostgreSQL instance. Maybe add
> a manual test case, and instructions on how to set it up ?
Since each regression test includes PostgreSQL instances, it should not
be a problem. You should be able to install certificates into the
instances while running the test. Today I have added an SSL connection
test (not certificate auth). Maybe that's a good starting point for you.
https://git.postgresql.org/gitweb/?p=pgpool2.git;a=commitdiff;h=e08b707274e9ff7eaf11d4bc8928e64b2530c720
>> So you cannot provide a working full patch for now. If so, I recommend
>> to move the feature to 4.1 development cycle.
>>
>
> I would like to hear from Muhammad to see how far we are off before we say
> 4.1.
Let's see what he says.
Best regards,
--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese: http://www.sraoss.co.jp
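The suggestion above, that a regression test can provision its own certificates into the PostgreSQL instances it starts, is easy to script. What follows is an added example written for this page; it is not code from the pgpool-hackers thread, from the patch under discussion, or from the Pgpool-II repository. It assumes only a working `openssl` binary and a PostgreSQL data directory path you pass in; the subject names (`pgpool-test-ca`, `localhost`, the `pgpool` client CN/role) and the directory layout are assumptions for the example. It generates a throwaway test CA, a server certificate, and a client certificate whose CN matches the backend role, then appends `ssl_*` settings to `postgresql.conf` and puts a `hostssl ... cert` rule at the top of `pg_hba.conf` so the instance demands a client certificate from the proxy.

```shell
#!/bin/sh
# Provision certificate-auth material for a throwaway PostgreSQL
# regression-test backend. Example code for this page, not Pgpool-II's own.
set -eu

# gen_certs DIR: create CA, server, and client key pairs under DIR.
gen_certs() {
  dir="$1"
  mkdir -p "$dir"
  # Self-signed test CA, valid for one day (assumed lifetime for a test run).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=pgpool-test-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # Server certificate; the CN must match the host name the proxy verifies.
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=localhost" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$dir/server.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/server.crt" 2>/dev/null
  # Client certificate for the proxy. With the "cert" auth method and no
  # map, PostgreSQL requires the CN to equal the database role name.
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=pgpool" \
    -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$dir/client.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/client.crt" 2>/dev/null
  # PostgreSQL refuses a server key that is group/world readable.
  chmod 600 "$dir"/*.key
  rm -f "$dir"/*.csr
}

# write_pg_conf PGDATA CERTDIR: enable SSL and require a client cert
# from role "pgpool" over loopback; appended/prepended, nothing overwritten.
write_pg_conf() {
  pgdata="$1"
  certdir="$2"
  cat >>"$pgdata/postgresql.conf" <<EOF
ssl = on
ssl_ca_file = '$certdir/ca.crt'
ssl_cert_file = '$certdir/server.crt'
ssl_key_file = '$certdir/server.key'
EOF
  # pg_hba.conf is first-match, so the cert rule must precede the
  # permissive "trust" lines a test instance usually ships with.
  tmp="$pgdata/pg_hba.conf.new"
  printf 'hostssl all pgpool 127.0.0.1/32 cert\n' >"$tmp"
  if [ -f "$pgdata/pg_hba.conf" ]; then
    cat "$pgdata/pg_hba.conf" >>"$tmp"
  fi
  mv "$tmp" "$pgdata/pg_hba.conf"
}

# Usage: ./provision_certs.sh PGDATA CERTDIR
# (run before pg_ctl start / reload; then e.g.
#  PGSSLMODE=verify-ca PGSSLROOTCERT=CERTDIR/ca.crt PGSSLCERT=CERTDIR/client.crt \
#  PGSSLKEY=CERTDIR/client.key psql -h 127.0.0.1 -U pgpool -c 'select 1')
if [ "$#" -ge 2 ]; then
  gen_certs "$2"
  write_pg_conf "$1" "$2"
fi
```

The `psql` line in the usage comment is the quickest check that the backend really enforces certificate auth: drop `PGSSLCERT`/`PGSSLKEY` and the connection must be rejected, which is exactly the negative case a regression test for backend certificate auth should assert.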