pgsql: Overhaul pg_hba.conf clientcert's API - Mailing list pgsql-committers

From Bruce Momjian
Subject pgsql: Overhaul pg_hba.conf clientcert's API
Date
Msg-id E1kPWTd-0003C8-I6@gemulon.postgresql.org
List pgsql-committers
Overhaul pg_hba.conf clientcert's API

Since PG 12, clientcert no longer supported only on/off, so remove 1/0
as possible values, and instead support only the text strings
'verify-ca' and 'verify-full'.

Remove support for 'no-verify' since that is possible by just not
specifying clientcert.

Also, throw an error if 'verify-ca' is used and 'cert' authentication is
used, since cert authentication requires verify-full.

Also improve the docs.

THIS IS A BACKWARD INCOMPATIBLE API CHANGE.

Reported-by: Kyotaro Horiguchi

Discussion: https://postgr.es/m/20200716.093012.1627751694396009053.horikyota.ntt@gmail.com

Author: Kyotaro Horiguchi

Backpatch-through: master

Branch
------
master

Details
-------
https://git.postgresql.org/pg/commitdiff/253f1025da8c8d6e52f96f764658b76eb59290ad

Modified Files
--------------
doc/src/sgml/client-auth.sgml | 11 ++++-------
doc/src/sgml/runtime.sgml     |  5 ++---
src/backend/libpq/hba.c       | 18 +++++++-----------
3 files changed, 13 insertions(+), 21 deletions(-)
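
A pre-upgrade check for existing pg_hba.conf files, as an added example that is not part of the commit or of PostgreSQL: it flags `clientcert` values the commit message says are removed (`1`, `0`, `no-verify`) and `verify-ca` combined with `cert` authentication. The function names and the sample records are constructed for illustration, and the parser is simplified: it assumes one record per line and does not follow include directives.

```python
import ipaddress
import shlex

# Values the commit message says remain valid for clientcert.
ALLOWED = {"verify-ca", "verify-full"}
HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}

def _method_index(fields):
    """Index of the auth-method field, or None for unrecognized records."""
    if fields[0] == "local":
        return 3                      # local db user method
    if fields[0] not in HOST_TYPES:
        return None
    try:                              # host db user ip mask method
        ipaddress.ip_address(fields[4])
        return 5
    except (ValueError, IndexError):
        return 4                      # host db user address method

def check_hba(text):
    """Return (line_no, message) findings for clientcert options."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        fields = shlex.split(line, comments=True)
        idx = _method_index(fields) if fields else None
        if idx is None or idx >= len(fields):
            continue
        for opt in fields[idx + 1:]:
            name, _, value = opt.partition("=")
            if name != "clientcert":
                continue
            if value not in ALLOWED:
                findings.append((no, f"clientcert={value} is no longer accepted"))
            elif fields[idx] == "cert" and value == "verify-ca":
                findings.append((no, "cert authentication requires verify-full"))
    return findings

SAMPLE = """\
# constructed sample records, not taken from the commit
hostssl all all 0.0.0.0/0          scram-sha-256 clientcert=1
hostssl all all 10.0.0.0 255.0.0.0 md5           clientcert=no-verify
hostssl all all 192.168.0.0/16     cert          clientcert=verify-ca
hostssl all all ::1/128            cert          clientcert=verify-full
"""

if __name__ == "__main__":
    for no, msg in check_hba(SAMPLE):
        print(f"line {no}: {msg}")
```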

