Support kerberos authentication for postgres_fdw - Mailing list pgsql-hackers

From Peifeng Qiu
Subject Support kerberos authentication for postgres_fdw
Date
Msg-id CO1PR05MB8023E2A7193E63497229E705A8189@CO1PR05MB8023.namprd05.prod.outlook.com
Whole thread Raw
Responses Re: Support kerberos authentication for postgres_fdw
List pgsql-hackers
Hi hackers,

I'd like to add kerberos authentication support for postgres_fdw by adding two
options to user mapping: krb_client_keyfile and gssencmode.

In the backend we have krb_server_keyfile option to specify a keytab file to
be used by postgres server, krb_client_keyfile is doing mostly the same thing.
This allows postgres_fdw(backend process) to authenticate on behalf of a
logged in user who is querying the foreign table. The credential is kept in
the backend process memory instead of local file to prevent abuse by users
on the same host.

Because backend process is accessing the filesystem of the server host, this
option should only be manipulated by super user. Otherwise, normal user may
steal the identity or probe the server filesystem. This principal is the same to
sslcert and sslkey options in user mapping.

Thoughts?

Best regards,
Peifeng




Attachment

pgsql-hackers by date:

Previous
From: "tanghy.fnst@fujitsu.com"
Date:
Subject: RE: [HACKERS] logical decoding of two-phase transactions
Next
From: Noah Misch
Date:
Subject: Re: Preventing abort() and exit() calls in libpq