Thread: Keystone auth in PostgreSQL

Keystone auth in PostgreSQL

From: Vivek Singh Raghuwanshi

Hi All,

Can I use keystone auth with PostgreSQL? It is very helpful when I am
using OpenStack as a cloud service and implementing DBaaS.

-- 
ViVek Raghuwanshi
Mobile -+91-09595950504

Skype - vivek_raghuwanshi


Re: Keystone auth in PostgreSQL

From: Bruce Momjian

On Wed, Mar 14, 2012 at 11:38:19AM +0530, Vivek Singh Raghuwanshi wrote:
> Hi All,
> 
> Can I use keystone auth with PostgreSQL? It is very helpful when I am
> using OpenStack as a cloud service and implementing DBaaS.

I don't think so.  I have never heard of keystone auth:
http://www.bitkoo.com/products-keystone-how-it-works.php

-- 
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

  + It's impossible for everything to be true. +


Re: Keystone auth in PostgreSQL

From: Daniel Farina

On Thu, Mar 15, 2012 at 1:14 PM, Bruce Momjian <bruce@momjian.us> wrote:
> On Wed, Mar 14, 2012 at 11:38:19AM +0530, Vivek Singh Raghuwanshi wrote:
>> Hi All,
>>
>> Can I use keystone auth with PostgreSQL? It is very helpful when I am
>> using OpenStack as a cloud service and implementing DBaaS.
>
> I don't think so.  I have never heard of keystone auth:
>
>        http://www.bitkoo.com/products-keystone-how-it-works.php

Semantically overloaded, because I believe it refers to this:

http://keystone.openstack.org/

From my vantage point, a rehash of federated authentication of some
kind would be enormously useful, but it's not really clear if there
are any concrete implementations worth supporting directly: I only
wish it was much easier to delegate authentication so someone could
implement, say, Keystone without excessive contortion. (Or maybe
someone just needs to vend some advice on the "proper" way to
delegate).

--
fdr


Re: Keystone auth in PostgreSQL

From: Tom Lane

Daniel Farina <daniel@heroku.com> writes:
> From my vantage point, a rehash of federated authentication of some
> kind would be enormously useful, but it's not really clear if there
> are any concrete implementations worth supporting directly: I only
> wish it was much easier to delegate authentication so someone could
> implement, say, Keystone without excessive contortion. (Or maybe
> someone just needs to vend some advice on the "proper" way to
> delegate).

Our standard answer when someone asks for $random-auth-method is to
suggest that they find a PAM module for it and use PAM.  I wouldn't
want to claim that PAM is a particularly great interface for this
sort of thing, but it's out there and I don't know of any serious
competition.  The alternative of supporting $random-auth-method
directly doesn't scale very nicely...
        regards, tom lane
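
One way the PAM route suggested in the message above could be wired up, as an added example that is not part of the thread and is not PostgreSQL or OpenStack code. It assumes the stock `pam_exec` module, Keystone's v3 token-validation call, and that each database role is named after its Keystone user; the endpoint URL, file paths and script name are placeholders.

```python
#!/usr/bin/env python3
"""Added example (not from the thread): helper run by pam_exec for PostgreSQL.

Assumed wiring; paths, host names and the script name are placeholders:
  pg_hba.conf:            hostssl all all 0.0.0.0/0 pam pamservice=postgresql
  /etc/pam.d/postgresql:  auth    required pam_exec.so expose_authtok /usr/local/bin/pg_keystone_check
                          account required pam_permit.so
The client sends a Keystone token as its password; pam_exec passes the role
name in PAM_USER and the token on stdin. Exit 0 allows, anything else denies.
"""
import json, os, sys, urllib.error, urllib.request
from datetime import datetime, timezone

KEYSTONE_URL = "https://keystone.example.internal:5000"        # placeholder endpoint
SERVICE_TOKEN_FILE = "/etc/postgresql/keystone-service-token"  # hypothetical path

def fetch_token_info(subject_token, service_token, base=KEYSTONE_URL):
    """Validate subject_token via Keystone's v3 API (assumed); None on any failure."""
    req = urllib.request.Request(base + "/v3/auth/tokens", headers={
        "X-Auth-Token": service_token, "X-Subject-Token": subject_token})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return json.load(resp)
    except (urllib.error.URLError, ValueError, OSError):
        return None  # fail closed: unreachable or rejecting Keystone means deny

def authorize(pam_user, token_info, now=None):
    """Allow only an unexpired token whose owner matches the requested role."""
    token = token_info.get("token") if isinstance(token_info, dict) else None
    user = token.get("user") if isinstance(token, dict) else None
    owner = user.get("name") if isinstance(user, dict) else None
    if not pam_user or owner != pam_user:
        return False  # a valid token for someone else must not open this role
    try:
        expires = datetime.fromisoformat(str(token.get("expires_at")).replace("Z", "+00:00"))
        return expires > (now or datetime.now(timezone.utc))
    except (ValueError, TypeError):
        return False  # missing, malformed or timezone-less expiry: deny

def main():
    subject = sys.stdin.buffer.read().rstrip(b"\x00\r\n").decode("utf-8", "replace")
    with open(SERVICE_TOKEN_FILE) as fh:
        service = fh.read().strip()
    info = fetch_token_info(subject, service) if subject else None
    return 0 if authorize(os.environ.get("PAM_USER"), info) else 1

if __name__ == "__main__":
    sys.exit(main())
```

With PAM authentication the client sends the secret to the server unencrypted, which is why the rule above is `hostssl`, and the role must already exist in the database. Keystone v3 user names are unique only within a domain, so a multi-domain deployment would need to compare the domain as well.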


Re: Keystone auth in PostgreSQL

From: Daniel Farina

On Thu, Mar 15, 2012 at 6:38 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Our standard answer when someone asks for $random-auth-method is to
> suggest that they find a PAM module for it and use PAM.  I wouldn't
> want to claim that PAM is a particularly great interface for this
> sort of thing, but it's out there and I don't know of any serious
> competition.

I considered writing a PAM module to do some stuff at one time (to try
to solve the two-passwords-for-a-user problem), but the non-intrinsic
complexity to perform pretty simple tasks in the whole thing is pretty
terrible -- it ended up being more attractive to do fairly ugly role
mangling in Postgres's own authentication system.  And, like you, I
don't know of any serious competition to PAM in performing simple
authentication delegations.

--
fdr


Re: Keystone auth in PostgreSQL

From: Tom Lane

Daniel Farina <daniel@heroku.com> writes:
> On Thu, Mar 15, 2012 at 6:38 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>> Our standard answer when someone asks for $random-auth-method is to
>> suggest that they find a PAM module for it and use PAM.  I wouldn't
>> want to claim that PAM is a particularly great interface for this
>> sort of thing, but it's out there and I don't know of any serious
>> competition.

> I considered writing a PAM module to do some stuff at one time (to try
> to solve the two-passwords-for-a-user problem), but the non-intrinsic
> complexity to perform pretty simple tasks in the whole thing is pretty
> terrible -- it ended up being more attractive to do fairly ugly role
> mangling in Postgres's own authentication system.  And, like you, I
> don't know of any serious competition to PAM in performing simple
> authentication delegations.

Yeah, I've only had to touch our PAM interface a couple of times, but
each time I came away thinking "my goodness, that's ugly and over-
complicated".

I'm not volunteering to build something better, though.
        regards, tom lane