[pgpool-hackers: 2985] Re: New feature: supporting SCRAM and CERT based authentication in Pgpool-II

Jesper Pedersen jesper.pedersen at redhat.com
Fri Aug 24 02:53:30 JST 2018


On 08/22/2018 01:45 PM, Jesper Pedersen wrote:
> Has somebody else tried this?

Ok, the attached hack allows pgpool-II to connect to PostgreSQL with the

hostssl  all  all  all  scram-sha-256 clientcert=1

configuration. Of course it is just a single user, and more work needs 
to be done.

However, it brings up the question about the configuration of SSL in pgpool.

We have a couple of scenarios

1) Client <--     --> pgpool <--     --> PostgreSQL
2) Client <-- SSL --> pgpool <--     --> PostgreSQL
3) Client <--     --> pgpool <-- SSL --> PostgreSQL
4) Client <-- SSL --> pgpool <-- SSL --> PostgreSQL

For 3) and 4) we need to have a way to map a user to a certificate which 
then is used for the pgpool <-> PostgreSQL connection.

Also, there is the question if we can assume that the CA is the same for 
both pgpool and PostgreSQL.

I think we should add a _pgpool_ identifier to the SSL configuration to
make it clear that it's 2) that is being supported at the moment, like
ssl_pgpool_cert and so on. 3) and 4) could be ssl_backend_ based ones.

Thoughts ?

Best regards,
