Re: PGPool and replication enforcement On "multi-master" - Mailing list pgsql-general

From Chris Travers
Subject Re: PGPool and replication enforcement On "multi-master"
Date
Msg-id 435552CD.6060501@metatrontech.com
Whole thread Raw
In response to Re: On "multi-master"  (Andrew Sullivan <ajs@crankycanuck.ca>)
List pgsql-general
Andrew Sullivan wrote:

>On Sat, Oct 15, 2005 at 06:04:54PM -0700, Chris Travers wrote:
>
>
>>Out of curiosity, what is wrong with requiring client SSL certs to
>>access the system and only issuing them to the PGPool system (or using a
>>different CA if you need to issue client certs to the end users)?  This
>>
>>
>
>Hmm, I like this, although client SSL certs still didn't work with
>JDBC last I checked, so it won't solve all the problems.  But you're
>right, this would mostly solve the problem I was thinking of,
>provided it was described correctly to the (mostly-clueless)
>technology rule-producers.
>
Oops.  I guess PgPool doesn't support SSL connections to backend
servers.  Too bad :-(  This would have been a really nice elegant
solution to this problem.  It looks like PgCluster may support SSL, I am
not sure....  The problem is that one needs some way of authenticating
the client not just the user.  SSL would work for that.

I can't think of any other way to authenticate the client while still
allowing one to authenticate the user afterwards...  And I doubt that it
is possible to use Kerberos to authenticate the daemon as well as the
end user...

Best Wishes,
Chris Travers
Metatron Technology Consulting

Attachment

pgsql-general by date:

Previous
From: Steve V
Date:
Subject: Re: A good client
Next
From: Tony Caduto
Date:
Subject: Re: A good client