Re: Allow cluster owner to bypass authentication - Mailing list pgsql-hackers

From Stephen Frost
Subject Re: Allow cluster owner to bypass authentication
Date
Msg-id 20191227195759.GW3195@tamriel.snowman.net
Whole thread Raw
In response to Re: Allow cluster owner to bypass authentication  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
Greetings,

* Tom Lane (tgl@sss.pgh.pa.us) wrote:
> Stephen Frost <sfrost@snowman.net> writes:
> > * Tom Lane (tgl@sss.pgh.pa.us) wrote:
> >> But ... if "peer" auth allowed all the cases Peter wants to allow,
> >> we'd not be having this discussion in the first place, would we?
>
> > I'm still not entirely convinced it doesn't, but that's also because I
> > keep thinking we're talking about a sensible default here and I'm coming
> > to realize that the idea here is to let the cluster owner not just
> > bypass auth to connect as their own DB user, but to allow the cluster
> > own to connect as ANY database role,
>
> Right.
>
> > and that's not a sensible *default*
> > setting for us to have, imv.
>
> There's certainly a discussion to be had about whether that should be
> the default or not (and I too am doubtful that it should be); but I think
> Peter made a sufficient case that it'd be useful if it were easy to set
> things up that way.  Right now it's a tad painful.

I'm also concerned with the "where does this end?" question.  What if
the role is set to not allow connections?  What if the database is set
to not allow connections?  I mean, sure, it's the OS user, so they can
do *anything*, technically, but we generally want some intelligent
safe-guards in place where we make them jump through an extra hoop or
two to make a change that could really break things.  Further, some of
those "safe-guards" that we have might be "auditing requirements" to
other people who expect to see in their audit logs when a change is made
to, say, allow the OS user to log in as some other role.  I suppose as
long as this can be turned off (and, ideally, isn't the default anyway)
then hopefully it won't be too much of an issue.

> >> While the syntax you suggest above could be made to implement that,
> >> it doesn't seem very intuitive to me.  Maybe what we want is some
> >> additional option that acts like a prefab username map:
> >>
> >> local all all peer let_OS_owner_in_as_any_role
>
> > Or ... map=pg_os_user_allow
>
> > and declare 'pg_*' as system-defined special mappings, like "OS user" ->
> > "anyone".
>
> Maybe, but then we'd need to allow multiple map options.  Still, if
> the semantics are "union of what any map allows", that doesn't
> seem too hard.

I agree that doesn't seem too hard and generally seems reasonable.
Seems like we might also want an explicit way of saying '*' on the
right-hand-side, or something like it, so users could set this up for
anyone they want and not only have this option exist for the user who
happens to be logging in with the same unix uid of the PG server.

> > Allowing multiple maps to be used is a different feature.
>
> Not really; I think it is quite reasonable to want "OS owner can
> connect as anyone" plus "joe should be allowed to connect as charlie".
> If you want to add the latter to a working setup, you shouldn't have
> to suddenly figure out how to reimplement "map=pg_os_user_allow" at
> a lower level of detail.  That's a recipe for mistakes.

Eh, I wouldn't argue if someone wrote a single patch that does both, but
considering we don't support multiple maps today, I wouldn't push on
someone wanting to extend the way maps work today to require that they
implement support for multiple maps too.

Thanks,

Stephen

Attachment

pgsql-hackers by date:

Previous
From: Tom Lane
Date:
Subject: Re: Allow cluster owner to bypass authentication
Next
From: Justin Pryzby
Date:
Subject: Re: [PATCH v1] pg_ls_tmpdir to show directories