[pgpool-hackers: 3014] Re: New feature: supporting SCRAM and CERT based authentication in Pgpool-II

Tatsuo Ishii ishii at sraoss.co.jp
Wed Aug 29 12:47:51 JST 2018

> Hi,
> On 08/27/2018 08:20 PM, Tatsuo Ishii wrote:
>> It's not clear in the release note but actually it's stated in the
>> doc:
>>   <note>
>>     <para>
>>       The certificate authentication works between client and
>>       <productname>Pgpool-II</productname>, for the
>>       backend authentication you can use any other authentication method
>>     </para>
>>   </note>
> I can send a patch to highlight this some more, if
> needed. Highlighting this in the ssl.sgml will likely be an idea.
> I still think that people will look to secure their entire stack
> though.

Yeah, I think so too. However, we are running out of time in this
development cycle.

>> While waiting for response Usama, I wonder if you could provide full
>> patch to implement the certificate auth between Pgpool-II and
>> PostgreSQL. Because we are close to release of 4.0, and if we want to
>> push the feature, we need full patch which includes below now:
>> - Code patch
> Still missing code, but I think I'm waiting for Muhammad's feedback on
> the general direction of the patch now. Having cp->username being NULL
> is the biggest issue to get to testing.
> Delta from yesterday:
> * Implemented ssl_backend_ca_cert_dir option
> * Implemented ssl_backend_ca_crl
> Maybe we want some new enums to cover the _backend_ case. Also,
> _RETURN_ERROR_ maybe needs an SSL_CTX_free() case...
>> - Document patch
> That should be ok for a first draft now, as compared to yesterday.
>> - Regression test
> Currently, there are no certificate based test cases, which causes
> some problems. Especially with setups where Pgpool-II requires
> specific certificates installed in the PostgreSQL instance. Maybe add
> a manual test case, and instructions on how to set it up?

Since each regression test includes PostgreSQL instances, it should not
be a problem. You should be able to install certificates into the
instances while running the test. Today I have added an SSL connection
test (not certificate auth). Maybe that's a good starting point for you.


>> So you cannot provide a working full patch for now. If so, I recommend
>> to move the feature to 4.1 development cycle.
> I would like to hear from Muhammad to see how far we are off before we say
> 4.1.

Let's see what he says.

Best regards,
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
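The thread above asks how a regression test could install the certificates that certificate-based backend authentication needs in a test PostgreSQL instance. The script below is an added illustration of the backend-side setup and is not part of the pgpool-II source or its regression suite: it generates a throwaway CA, a server certificate for the PostgreSQL instance and a client certificate for the user Pgpool-II would connect as, then writes the postgresql.conf and pg_hba.conf fragments that make PostgreSQL require that certificate on TLS connections. All paths, the CA name and the user name are assumptions; the Pgpool-II side parameters discussed in the patch are deliberately not referenced.

```shell
#!/bin/sh
# Added example, not pgpool-II project code. Requires the openssl CLI.
# Builds the certificate material a test PostgreSQL instance needs for
# "cert" authentication and the matching config fragments.
set -eu

make_test_certs() {
    dir="$1"      # scratch directory for keys, certs and config (assumed)
    pguser="$2"   # PostgreSQL role; must equal the client certificate CN
    mkdir -p "$dir"
    # 1. Self-signed test CA (CN is an arbitrary test name)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=pgpool-test-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # 2. Server certificate for the backend PostgreSQL instance
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=localhost" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.crt" 2>/dev/null
    # 3. Client certificate the connecting side (Pgpool-II) presents;
    #    PostgreSQL's cert method maps CN to the role name by default.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$pguser" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/client.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/client.crt" 2>/dev/null
    # PostgreSQL refuses to start with a group/world readable server key.
    chmod 600 "$dir"/*.key
}

write_pg_config() {
    dir="$1"; pguser="$2"
    # Fragment to include from postgresql.conf: enable TLS and trust the test CA
    cat > "$dir/postgresql.ssl.conf" <<EOF
ssl = on
ssl_cert_file = '$dir/server.crt'
ssl_key_file = '$dir/server.key'
ssl_ca_file = '$dir/ca.crt'
EOF
    # pg_hba.conf line: this role may only connect over TLS with a client
    # certificate signed by ssl_ca_file whose CN equals the role name.
    cat > "$dir/pg_hba.ssl.conf" <<EOF
hostssl all $pguser 127.0.0.1/32 cert
EOF
}

# Check that both leaf certificates chain to the test CA (exit status 0/1).
verify_chain() {
    dir="$1"
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" "$dir/client.crt" >/dev/null
}

# Print the CN of a certificate, e.g. to confirm it matches the role name.
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

# Usage: sh this_script.sh /tmp/pgcerts pgpool
if [ $# -eq 2 ]; then
    make_test_certs "$1" "$2"
    write_pg_config "$1" "$2"
    verify_chain "$1" && echo "certificates verified, CN=$(cert_cn "$1/client.crt")"
fi
```

In a regression test the two fragments would be appended to the test instance's postgresql.conf and pg_hba.conf before the instance is started, and the client.key/client.crt/ca.crt trio is what the connecting side has to be pointed at.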
