[pgpool-committers: 5061] Re: pgpool: Feature: Add SCRAM and Certificate authentication support
Tatsuo Ishii
ishii at sraoss.co.jp
Fri Aug 17 15:49:40 JST 2018
Usama,
To run pgindent (the code causes error on pgindent), I ifdef out it for now.
Best regards,
--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese:http://www.sraoss.co.jp
From: Tatsuo Ishii <ishii at sraoss.co.jp>
Subject: [pgpool-committers: 5052] Re: pgpool: Feature: Add SCRAM and Certificate authentication support
Date: Fri, 17 Aug 2018 09:38:08 +0900 (JST)
Message-ID: <20180817.093808.2104436097708702867.t-ishii at sraoss.co.jp>
> Usama,
>
> In this commit I see below in main/main.c:
>
> //#ifdef USE_SSL
> // /* global ssl init */
> //#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined (LIBRESSL_VERSION_NUMBER))
> // OPENSSL_init_ssl(0, NULL);
> //#else
> // SSL_library_init();
> //#endif
> // SSL_load_error_strings();
> //#endif /* USE_SSL */
>
> Can we remove the code safely or are you still working on this part?
>
> Best regards,
> --
> Tatsuo Ishii
> SRA OSS, Inc. Japan
> English: http://www.sraoss.co.jp/index_en.php
> Japanese:http://www.sraoss.co.jp
>
> From: Muhammad Usama <m.usama at gmail.com>
> Subject: [pgpool-committers: 5051] pgpool: Feature: Add SCRAM and Certificate authentication support
> Date: Thu, 16 Aug 2018 16:45:03 +0000
> Message-ID: <E1fqLOR-0002Yf-AY at gothos.postgresql.org>
>
>> Feature: Add SCRAM and Certificate authentication support
>>
>> New feature to add scram and cert authentication method support in Pgpool-II.
>> Apart from supporting the new authentication methods the commit also includes
>> the following enhancements and changes in the authentication framework
>> of Pgpool-II
>>
>> Different auth methods for frontend and backend for user session
>> ================================================================
>> Now it possible to use different authentication method for client
>> application and backend PostgreSQL servers.
>> For example, a client application can use scram-sha-256 to connect to Pgpool-II
>> which in turn can use trust or md5 authentication to connect to
>> PostgreSQL backend for the same session.
>>
>> Use MD5 and SCRAM without pool_passwd
>> =====================================
>> New configuration parameter allow_clear_text_frontend_auth, enables the Pgpool-II
>> to use clear-text-password authentication with frontend clients when pool_passwd
>> file does not contains the password for the connecting user.
>> For example: suppose PostgreSQL servers has a user named "some_user" which can
>> connect to database using SCRAM authentication, Now for this "some_user" to
>> connect to PostgreSQL using SCRAM through Pgpool-II we must have the some_user's
>> password stored in the pool_passwd file, but if in some case when pool_passwd does
>> not have the entry of "some_user" and allow_clear_text_frontend_auth is enabled
>> in the pgpool.conf then Pgpool-II will ask the connecting frontend to use
>> clear-text-password auth method for authentication, and after receiving the
>> password from the client, Pgpool-II will use that password to authenticate with
>> backend using the required SCRAM auth.
>>
>> Note: allow_clear_text_frontend_auth only works when pool_hba.conf is not enabled.
>>
>> Encrypted passwords in pool_passwd file
>> =======================================
>> Since the SCRAM authentication method explicitly guards against the
>> man-in-middle type attacks, so to use such authentication methods Pgpool-II
>> requires the PostgreSQL user password to authenticate with the backend.
>> But as storing the clear text password in the "pool_passwd" file is never a good
>> idea, so now you can store the AES256-CBC encrypted password in the "pool_passwd".
>> To store the AES encrypted password in the "pool_passwd" the password is first
>> encrypted using the AES256 encryption with the user provided key and then the
>> encrypted password is base64 encoded and AES prefix is added to
>> the encoded string.
>>
>> New pg_enc utility to create encrypted passwords
>> ================================================
>> A new utility pg_enc is added to create AES encrypted passwords. The utility
>> works similar in most ways as pg_md5 utility, with a some small differences,
>> pg_enc also requires the key for encrypting the password entries. later that
>> same key is required by Pgpool-II to decrypt the passwords to be used for
>> authentication.
>>
>> Note: Pgpool-II must be build with ssl (--with-openssl) support to use
>> this encrypted password feature.
>>
>> Providing encryption key to Pgpool-II
>> =====================================
>> If you have AES encrypted passwords stored in the pool_passwd file, then
>> Pgpool-II will require the decryption key to decrypt the passwords before
>> using them, Pgpool-II tries to read the decryption key at startup from
>> the pgpoolkey file.
>> By default the Pgpool-II will look for the pgpoolkey file in user's home
>> directory or the file referenced by environment variable PGPOOLKEYFILE.
>> You can also specify the key file using the (-k, --key-file=KEY_FILE)
>> command line argument to the Pgpool-II binary.
>>
>> Encrypted Passwords in pgpool.conf
>> ==================================
>> The commit also allows to specify the AES encrypted password in the pgpool.conf
>> file for healh_check_user, sr_check_user, wd_lifecheck_user and recovery_user
>> users, Additionally if the password field for any of these users is left blank
>> in pgpool conf then Pgpool-II will first try to get the password for that user
>> from pool_passwd file before using the empty password for the connection.
>> So now pgpool.conf can be made password free and single pool_passwd file can be
>> used to store all passwords for internal and external user connection
>>
>> Documentation updates and regression test cases for the
>> feature are also part of the commit.
>> Thanks to jesperpedersen <jesper.pedersen at redhat.com> for helping
>> in documentation and testing for the feature
>>
>> Branch
>> ------
>> master
>>
>> Details
>> -------
>> https://git.postgresql.org/gitweb?p=pgpool2.git;a=commitdiff;h=26446126f36dcd34ea9032ac934aafe63acc0eee
>>
>> Modified Files
>> --------------
>> Makefile.in | 43 +-
>> aclocal.m4 | 203 +-
>> configure | 261 +--
>> configure.ac | 2 +-
>> doc.ja/Makefile.in | 24 +-
>> doc.ja/src/Makefile.in | 24 +-
>> doc.ja/src/sgml/Makefile.in | 24 +-
>> doc/Makefile.in | 24 +-
>> doc/src/Makefile.in | 24 +-
>> doc/src/sgml/Makefile.in | 24 +-
>> doc/src/sgml/client-auth.sgml | 231 +-
>> doc/src/sgml/connection-settings.sgml | 32 +
>> doc/src/sgml/healthcheck.sgml | 23 +
>> doc/src/sgml/online-recovery.sgml | 24 +
>> doc/src/sgml/ref/allfiles.sgml | 1 +
>> doc/src/sgml/ref/pg_enc.sgml | 165 ++
>> doc/src/sgml/reference.sgml | 1 +
>> doc/src/sgml/stream-check.sgml | 23 +
>> doc/src/sgml/watchdog.sgml | 27 +-
>> src/Makefile.am | 5 +
>> src/Makefile.in | 45 +-
>> src/auth/auth-scram.c | 1653 ++++++++++++++
>> src/auth/pool_auth.c | 1674 +++++++++++---
>> src/auth/pool_hba.c | 87 +-
>> src/auth/pool_passwd.c | 377 +++-
>> src/config/pool_config_variables.c | 9 +
>> src/include/Makefile.in | 29 +-
>> src/include/auth/md5.h | 1 -
>> src/include/auth/pool_hba.h | 10 +-
>> src/include/auth/pool_passwd.h | 43 +-
>> src/include/auth/scram-common.h | 93 +
>> src/include/auth/scram.h | 65 +
>> src/include/config.h.in | 3 +
>> src/include/pool.h | 21 +-
>> src/include/pool_config.h | 8 +-
>> src/include/pool_type.h | 13 +-
>> src/include/utils/base64.h | 19 +
>> src/include/utils/sha2.h | 116 +
>> src/include/utils/ssl_utils.h | 34 +
>> src/include/watchdog/wd_utils.h | 7 +-
>> src/libs/Makefile.in | 24 +-
>> src/libs/pcp/Makefile.in | 25 +-
>> src/main/health_check.c | 8 +-
>> src/main/main.c | 86 +-
>> src/main/pgpool_main.c | 16 +-
>> src/parser/Makefile.in | 25 +-
>> src/pcp_con/recovery.c | 27 +-
>> src/protocol/child.c | 227 +-
>> src/sample/pgpool.conf.sample | 20 +-
>> src/sample/pgpool.conf.sample-logical | 18 +-
>> src/sample/pgpool.conf.sample-master-slave | 17 +
>> src/sample/pgpool.conf.sample-replication | 17 +
>> src/sample/pgpool.conf.sample-stream | 16 +
>> src/sample/pool_hba.conf.sample | 4 +-
>> src/streaming_replication/pool_worker_child.c | 10 +-
>> src/test/pgpool_setup | 34 +-
>> .../020.allow_clear_text_frontend_auth/test.sh | 104 +
>> .../tests/021.pool_passwd_auth/pool_hba.conf | 71 +
>> .../regression/tests/021.pool_passwd_auth/test.sh | 111 +
>> .../022.pool_passwd_alternative_auth/pool_hba.conf | 71 +
>> .../tests/022.pool_passwd_alternative_auth/test.sh | 112 +
>> src/tools/Makefile.am | 2 +-
>> src/tools/Makefile.in | 27 +-
>> src/tools/pcp/Makefile.in | 24 +-
>> src/tools/pgenc/Makefile.am | 54 +
>> src/tools/pgenc/Makefile.in | 687 ++++++
>> src/tools/pgenc/pg_enc.c | 449 ++++
>> src/tools/pgmd5/Makefile.in | 24 +-
>> src/tools/pgmd5/pool_config.c | 2318 +-------------------
>> src/utils/base64.c | 196 ++
>> src/utils/pool_process_reporting.c | 5 +
>> src/utils/pool_ssl.c | 350 ++-
>> src/utils/scram-common.c | 238 ++
>> src/utils/sha2.c | 999 +++++++++
>> src/utils/ssl_utils.c | 248 +++
>> src/watchdog/Makefile.in | 24 +-
>> src/watchdog/watchdog.c | 1 +
>> src/watchdog/wd_json_data.c | 3 +
>> src/watchdog/wd_lifecheck.c | 8 +-
>> src/watchdog/wd_utils.c | 32 +-
>> 80 files changed, 8747 insertions(+), 3477 deletions(-)
>>
> _______________________________________________
> pgpool-committers mailing list
> pgpool-committers at pgpool.net
> http://www.pgpool.net/mailman/listinfo/pgpool-committers
More information about the pgpool-committers
mailing list