Proposal: Support custom authentication methods using hooks - Mailing list pgsql-hackers

From samay sharma
Subject Proposal: Support custom authentication methods using hooks
Msg-id CAJxrbyxTRn5P8J-p+wHLwFahK5y56PhK28VOb55jqMO05Y-DJw@mail.gmail.com
Responses Re: Proposal: Support custom authentication methods using hooks  (samay sharma <smilingsamay@gmail.com>)
Re: Proposal: Support custom authentication methods using hooks  (Jeff Davis <pgsql@j-davis.com>)
Re: Proposal: Support custom authentication methods using hooks  (Peter Eisentraut <peter.eisentraut@enterprisedb.com>)
List pgsql-hackers
Hi all,

I wanted to submit a patch to expose 2 new hooks (one for the authentication check and another one for error reporting) in auth.c. These will allow users to implement their own authentication methods for Postgres or add custom logic around authentication.

A use case where this is useful is environments where you want authentication to be centrally managed across different services. This is a common deployment model for cloud providers where customers like to use single sign on and authenticate across different services including Postgres. Implementing this now is tricky as it requires syncing that authentication method's credentials with Postgres (and that gets trickier with TTL/expiry etc.). With these hooks, you can implement an extension to check credentials directly using the authentication provider's APIs.

To enable this, I've proposed adding a new authentication method "custom" which can be specified in pg_hba.conf and takes a mandatory argument "provider" specifying which authentication provider to use. I've also moved a couple static functions to headers so that extensions can call them.

Sample pg_hba.conf line to use a custom provider:

host    all             all             ::1/128                 custom provider=test


As an example and a test case, I've added an extension named test_auth_provider in src/test/modules which fetches credentials from a pre-defined array. I've also added TAP tests for the extension to test this functionality.


One constraint in the current implementation is that we allow only one authentication provider to be loaded at a time. In the future, we can add more functionality to maintain an array of hooks and call the appropriate one based on the provider name in the pg_hba line.


A couple of my tests are flaky and sometimes fail in CI. I think the reason for that is I don't wait for pg_hba reload to be processed before checking logs for error messages. I didn't find an immediate way to address that and I'm looking into it but wanted to get an initial version out for feedback on the approach taken and interfaces. Once those get finalized, I can submit a patch to add docs as well.


Looking forward to your feedback.


Regards,

Samay
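A stand-alone C model of the design sketched in the proposal above, added here as an illustration; it is not the patch's code and not PostgreSQL's auth.c. It shows the two hook types, the one-provider-at-a-time slot, a test provider backed by a constructed credential array, and how the "provider=" option is pulled from a pg_hba line; every name and signature is an assumption.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Hook types modelled on the proposal; names and signatures are assumptions, not auth.c's. */
typedef bool (*auth_check_hook_t)(const char *user, const char *password);
typedef void (*auth_error_hook_t)(const char *user, const char *reason);
typedef struct { const char *name; auth_check_hook_t check; auth_error_hook_t report; } auth_provider;
static auth_provider *loaded_provider = NULL;   /* single slot: one provider at a time */

bool register_auth_provider(auth_provider *p)
{
    if (loaded_provider != NULL) return false;  /* a second provider is rejected */
    loaded_provider = p; return true;
}
/* Constant-time comparison so a failed check does not leak how much of the password matched. */
static bool secure_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), diff = la ^ lb;
    for (size_t i = 0; i < la && i < lb; i++) diff |= (size_t)(a[i] ^ b[i]);
    return diff == 0;
}
/* Constructed credentials standing in for test_auth_provider's pre-defined array. */
static const struct { const char *user, *password; } test_creds[] = { {"alice", "s3cret"}, {"bob", "hunter2"} };
static bool test_check(const char *user, const char *password)
{
    for (size_t i = 0; i < sizeof test_creds / sizeof test_creds[0]; i++)
        if (strcmp(test_creds[i].user, user) == 0) return secure_equal(test_creds[i].password, password);
    return false;
}
static void test_report(const char *user, const char *reason) { fprintf(stderr, "auth failed for %s: %s\n", user, reason); }
static auth_provider test_provider = { "test", test_check, test_report };

/* Value of "provider=" from a pg_hba line like "host all all ::1/128 custom provider=test". */
bool hba_custom_provider(const char *line, char *out, size_t outlen)
{
    const char *p = strstr(line, " provider=");
    if (p == NULL) return false;
    size_t n = strcspn(p += strlen(" provider="), " \t\n");
    if (n == 0 || n >= outlen) return false;
    memcpy(out, p, n); out[n] = '\0'; return true;
}
/* Dispatch: the hba line must name the loaded provider; on failure the error hook fires. */
bool authenticate(const char *hba_line, const char *user, const char *password)
{
    char provider[64];
    if (!hba_custom_provider(hba_line, provider, sizeof provider) || loaded_provider == NULL ||
        strcmp(loaded_provider->name, provider) != 0) return false;
    if (loaded_provider->check(user, password)) return true;
    if (loaded_provider->report) loaded_provider->report(user, "credential check failed");
    return false;
}
```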
