Connect as multiple users using single client certificate - Mailing list pgsql-hackers

From Kyle Bateman
Subject Connect as multiple users using single client certificate
Msg-id 6dd1d5b5-b511-48aa-148a-1a0dacf574d0@batemans.org
Responses Re: Connect as multiple users using single client certificate
List pgsql-hackers
I have some JS middleware that needs to securely connect to the 
postgresql back end.  Any number of different users may connect via 
websocket to this middleware to manage their connection to the 
database.  I want the JS process to have a client certificate 
authorizing it to connect to the database.

I have this line in my pg_hba.conf:

hostssl        all    +users        all        cert

So the idea is, I should be able to connect as any user that is a member 
of the role "users."

Under this configuration, I can currently connect as the user "users" 
but not as "joe" who is a member of the role "users."  I get:

FATAL:  certificate authentication failed for user "joe"

This makes sense as the commonName on the certificate is "users" and not 
"joe."  But the documentation for pg_hba.conf states that prefixing the 
username with a "+" should allow me to connect as any role who is a 
member of the stated role.

Is there a way to do this via client certificate authorization?  I have 
no way of knowing the specific usernames ahead of time, as new users may 
be created in the database (thousands) and I can't really be creating 
separate certificates for every different user.
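As an added illustration (not part of the original post or of PostgreSQL's code), the following Python model separates the two checks the post runs into: the USER column of a pg_hba.conf line (where "+users" only decides whether the line applies to the connecting role) and the cert method's identity check (where, without a map option, the certificate CN must equal the requested role name). Role membership, the HBA line and the address/database columns (ignored here) are constructed sample data.

```python
# Simplified model of pg_hba.conf line matching versus cert authentication.
# Constructed role graph: role -> set of roles it is directly a member of.
MEMBER_OF = {
    "joe": {"users"},
    "users": set(),
    "admin": set(),
}


def is_member(role, group, members=MEMBER_OF):
    """True if `role` is `group` or a direct/indirect member of it ('+group' semantics)."""
    seen, todo = set(), [role]
    while todo:
        r = todo.pop()
        if r == group:
            return True
        if r in seen:
            continue
        seen.add(r)
        todo.extend(members.get(r, ()))
    return False


def hba_user_matches(user_field, role):
    """Evaluate the USER column of a pg_hba.conf line: 'all', '+group' or a literal name."""
    if user_field == "all":
        return True
    if user_field.startswith("+"):
        return is_member(role, user_field[1:])
    return user_field == role


def cert_auth(cert_cn, role):
    """cert method with no map: the certificate CN must equal the requested role name."""
    return cert_cn == role


def connect(hba_line, cert_cn, role):
    """Return the outcome of a connection attempt against one constructed hostssl line."""
    fields = hba_line.split()           # type database user address method
    user_field, method = fields[2], fields[4]
    if not hba_user_matches(user_field, role):
        return "no pg_hba.conf entry"   # the line did not apply at all
    if method == "cert" and not cert_auth(cert_cn, role):
        return f'FATAL: certificate authentication failed for user "{role}"'
    return "OK"


# The line from the post; CN of the middleware's certificate is "users".
HBA = "hostssl all +users all cert"
```

Run against the post's scenario, "joe" does match the line through his membership in "users" (the "+" worked), but the cert check still fails because the CN is "users", which is exactly the FATAL message quoted above.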
