Re: Proposal: Support custom authentication methods using hooks - Mailing list pgsql-hackers

From Peter Eisentraut
Subject Re: Proposal: Support custom authentication methods using hooks
Msg-id a579b843-4b92-be7a-7417-085644805466@enterprisedb.com
In response to Proposal: Support custom authentication methods using hooks  (samay sharma <smilingsamay@gmail.com>)
List pgsql-hackers

On 01.03.22 22:34, Andres Freund wrote:
> The cases I've heard about are about centralizing auth across multiple cloud
> services. Including secret management in some form. E.g. allowing an
> application to auth to postgres, redis and having the secret provided by
> infrastructure, rather than having to hardcode it in config or such.
> 
> I can't see application developers configuring kerberos and I don't think
> LDAP, PAM, Radius are a great answer either, due to the plaintext requirement
> alone? LDAP is pretty clearly dying technology, PAM is fragile complicated C
> stuff that's not portable across OSs. Radius is probably the most realistic,
> but at least as implemented doesn't seem flexible enough (e.g. no access to
> group memberships etc).
> 
> Nor does baking stuff like that in seem realistic to me, it'll presumably be
> too cloud provider specific.

Let's gather some more information on this.  PostgreSQL should support 
the authentication that many people want to use out of the box.  I don't 
think it would be good to be at a point where all the built-in methods 
are outdated and if you want to use the good stuff you have to hunt for 
plugins.  The number of different cloud APIs is effectively small.  I 
expect that there are a lot of similarities, like they probably all need 
support for http calls, they might need support for caching lookups, 
etc.  OIDC was mentioned elsewhere.  That's a standard.  Is that 
compatible with any cloud providers?  Would that be enough for many users?


