Re: Allow matching whole DN from a client certificate - Mailing list pgsql-hackers

From Daniel Gustafsson
Subject Re: Allow matching whole DN from a client certificate
Date
Msg-id 9EDFE44E-DF64-4C4F-BE89-9710B7908976@yesql.se
Whole thread Raw
In response to Re: Allow matching whole DN from a client certificate  (Andrew Dunstan <andrew@dunslane.net>)
Responses Re: Allow matching whole DN from a client certificate
List pgsql-hackers
> On 28 Jan 2021, at 23:10, Andrew Dunstan <andrew@dunslane.net> wrote:
> On 1/28/21 11:39 AM, Jacob Champion wrote:
>>
>> Unfortunately I don't really know what that solution should look like.
>> A DSL for filtering on RDNs would be a lot of work, but it could
>> potentially allow LDAP to be mapped through pg_ident as well
>
> In the end it will be up to users to come up with expressions that meet
> their usage. Yes they could get it wrong, but then they can get so many
> things wrong ;-)

My main concern with this isn't that it's easy to get it wrong, but that it may
end up being hard to get it right (with false positives in the auth path as a
result). Right now I'm not sure where it leans.

Maybe it will be easier to judge the proposal when the documentation has been
updated warnings for the potential pitfalls?

--
Daniel Gustafsson        https://vmware.com/




pgsql-hackers by date:

Previous
From: Peter Eisentraut
Date:
Subject: Re: Dumping/restoring fails on inherited generated column
Next
From: vignesh C
Date:
Subject: Re: Printing backtrace of postgres processes