[pgpool-committers: 5062] Re: pgpool: Feature: Add SCRAM and Certificate authentication support
Muhammad Usama
m.usama at gmail.com
Fri Aug 17 16:06:23 JST 2018
Hi
I kept that piece of code for comparing the startup timing. we can safely
remove it.
Sorry for the noice.
Thanks
Best regards
Muhammad Usama
On Fri, Aug 17, 2018 at 11:49 AM Tatsuo Ishii <ishii at sraoss.co.jp> wrote:
> Usama,
>
> To run pgindent (the code causes error on pgindent), I ifdef out it for
> now.
>
> Best regards,
> --
> Tatsuo Ishii
> SRA OSS, Inc. Japan
> English: http://www.sraoss.co.jp/index_en.php
> Japanese:http://www.sraoss.co.jp
>
> From: Tatsuo Ishii <ishii at sraoss.co.jp>
> Subject: [pgpool-committers: 5052] Re: pgpool: Feature: Add SCRAM and
> Certificate authentication support
> Date: Fri, 17 Aug 2018 09:38:08 +0900 (JST)
> Message-ID: <20180817.093808.2104436097708702867.t-ishii at sraoss.co.jp>
>
> > Usama,
> >
> > In this commit I see below in main/main.c:
> >
> > //#ifdef USE_SSL
> > // /* global ssl init */
> > //#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined
> (LIBRESSL_VERSION_NUMBER))
> > // OPENSSL_init_ssl(0, NULL);
> > //#else
> > // SSL_library_init();
> > //#endif
> > // SSL_load_error_strings();
> > //#endif /* USE_SSL */
> >
> > Can we remove the code safely or are you still working on this part?
> >
> > Best regards,
> > --
> > Tatsuo Ishii
> > SRA OSS, Inc. Japan
> > English: http://www.sraoss.co.jp/index_en.php
> > Japanese:http://www.sraoss.co.jp
> >
> > From: Muhammad Usama <m.usama at gmail.com>
> > Subject: [pgpool-committers: 5051] pgpool: Feature: Add SCRAM and
> Certificate authentication support
> > Date: Thu, 16 Aug 2018 16:45:03 +0000
> > Message-ID: <E1fqLOR-0002Yf-AY at gothos.postgresql.org>
> >
> >> Feature: Add SCRAM and Certificate authentication support
> >>
> >> New feature to add scram and cert authentication method support in
> Pgpool-II.
> >> Apart from supporting the new authentication methods the commit also
> includes
> >> the following enhancements and changes in the authentication framework
> >> of Pgpool-II
> >>
> >> Different auth methods for frontend and backend for user session
> >> ================================================================
> >> Now it possible to use different authentication method for client
> >> application and backend PostgreSQL servers.
> >> For example, a client application can use scram-sha-256 to connect to
> Pgpool-II
> >> which in turn can use trust or md5 authentication to connect to
> >> PostgreSQL backend for the same session.
> >>
> >> Use MD5 and SCRAM without pool_passwd
> >> =====================================
> >> New configuration parameter allow_clear_text_frontend_auth, enables the
> Pgpool-II
> >> to use clear-text-password authentication with frontend clients when
> pool_passwd
> >> file does not contains the password for the connecting user.
> >> For example: suppose PostgreSQL servers has a user named "some_user"
> which can
> >> connect to database using SCRAM authentication, Now for this
> "some_user" to
> >> connect to PostgreSQL using SCRAM through Pgpool-II we must have the
> some_user's
> >> password stored in the pool_passwd file, but if in some case when
> pool_passwd does
> >> not have the entry of "some_user" and allow_clear_text_frontend_auth is
> enabled
> >> in the pgpool.conf then Pgpool-II will ask the connecting frontend to
> use
> >> clear-text-password auth method for authentication, and after receiving
> the
> >> password from the client, Pgpool-II will use that password to
> authenticate with
> >> backend using the required SCRAM auth.
> >>
> >> Note: allow_clear_text_frontend_auth only works when pool_hba.conf is
> not enabled.
> >>
> >> Encrypted passwords in pool_passwd file
> >> =======================================
> >> Since the SCRAM authentication method explicitly guards against the
> >> man-in-middle type attacks, so to use such authentication methods
> Pgpool-II
> >> requires the PostgreSQL user password to authenticate with the backend.
> >> But as storing the clear text password in the "pool_passwd" file is
> never a good
> >> idea, so now you can store the AES256-CBC encrypted password in the
> "pool_passwd".
> >> To store the AES encrypted password in the "pool_passwd" the password
> is first
> >> encrypted using the AES256 encryption with the user provided key and
> then the
> >> encrypted password is base64 encoded and AES prefix is added to
> >> the encoded string.
> >>
> >> New pg_enc utility to create encrypted passwords
> >> ================================================
> >> A new utility pg_enc is added to create AES encrypted passwords. The
> utility
> >> works similar in most ways as pg_md5 utility, with a some small
> differences,
> >> pg_enc also requires the key for encrypting the password entries. later
> that
> >> same key is required by Pgpool-II to decrypt the passwords to be used
> for
> >> authentication.
> >>
> >> Note: Pgpool-II must be build with ssl (--with-openssl) support to use
> >> this encrypted password feature.
> >>
> >> Providing encryption key to Pgpool-II
> >> =====================================
> >> If you have AES encrypted passwords stored in the pool_passwd file, then
> >> Pgpool-II will require the decryption key to decrypt the passwords
> before
> >> using them, Pgpool-II tries to read the decryption key at startup from
> >> the pgpoolkey file.
> >> By default the Pgpool-II will look for the pgpoolkey file in user's home
> >> directory or the file referenced by environment variable PGPOOLKEYFILE.
> >> You can also specify the key file using the (-k, --key-file=KEY_FILE)
> >> command line argument to the Pgpool-II binary.
> >>
> >> Encrypted Passwords in pgpool.conf
> >> ==================================
> >> The commit also allows to specify the AES encrypted password in the
> pgpool.conf
> >> file for healh_check_user, sr_check_user, wd_lifecheck_user and
> recovery_user
> >> users, Additionally if the password field for any of these users is
> left blank
> >> in pgpool conf then Pgpool-II will first try to get the password for
> that user
> >> from pool_passwd file before using the empty password for the
> connection.
> >> So now pgpool.conf can be made password free and single pool_passwd
> file can be
> >> used to store all passwords for internal and external user connection
> >>
> >> Documentation updates and regression test cases for the
> >> feature are also part of the commit.
> >> Thanks to jesperpedersen <jesper.pedersen at redhat.com> for helping
> >> in documentation and testing for the feature
> >>
> >> Branch
> >> ------
> >> master
> >>
> >> Details
> >> -------
> >>
> https://git.postgresql.org/gitweb?p=pgpool2.git;a=commitdiff;h=26446126f36dcd34ea9032ac934aafe63acc0eee
> >>
> >> Modified Files
> >> --------------
> >> Makefile.in | 43 +-
> >> aclocal.m4 | 203 +-
> >> configure | 261 +--
> >> configure.ac | 2 +-
> >> doc.ja/Makefile.in | 24 +-
> >> doc.ja/src/Makefile.in | 24 +-
> >> doc.ja/src/sgml/Makefile.in | 24 +-
> >> doc/Makefile.in | 24 +-
> >> doc/src/Makefile.in | 24 +-
> >> doc/src/sgml/Makefile.in | 24 +-
> >> doc/src/sgml/client-auth.sgml | 231 +-
> >> doc/src/sgml/connection-settings.sgml | 32 +
> >> doc/src/sgml/healthcheck.sgml | 23 +
> >> doc/src/sgml/online-recovery.sgml | 24 +
> >> doc/src/sgml/ref/allfiles.sgml | 1 +
> >> doc/src/sgml/ref/pg_enc.sgml | 165 ++
> >> doc/src/sgml/reference.sgml | 1 +
> >> doc/src/sgml/stream-check.sgml | 23 +
> >> doc/src/sgml/watchdog.sgml | 27 +-
> >> src/Makefile.am | 5 +
> >> src/Makefile.in | 45 +-
> >> src/auth/auth-scram.c | 1653 ++++++++++++++
> >> src/auth/pool_auth.c | 1674 +++++++++++---
> >> src/auth/pool_hba.c | 87 +-
> >> src/auth/pool_passwd.c | 377 +++-
> >> src/config/pool_config_variables.c | 9 +
> >> src/include/Makefile.in | 29 +-
> >> src/include/auth/md5.h | 1 -
> >> src/include/auth/pool_hba.h | 10 +-
> >> src/include/auth/pool_passwd.h | 43 +-
> >> src/include/auth/scram-common.h | 93 +
> >> src/include/auth/scram.h | 65 +
> >> src/include/config.h.in | 3 +
> >> src/include/pool.h | 21 +-
> >> src/include/pool_config.h | 8 +-
> >> src/include/pool_type.h | 13 +-
> >> src/include/utils/base64.h | 19 +
> >> src/include/utils/sha2.h | 116 +
> >> src/include/utils/ssl_utils.h | 34 +
> >> src/include/watchdog/wd_utils.h | 7 +-
> >> src/libs/Makefile.in | 24 +-
> >> src/libs/pcp/Makefile.in | 25 +-
> >> src/main/health_check.c | 8 +-
> >> src/main/main.c | 86 +-
> >> src/main/pgpool_main.c | 16 +-
> >> src/parser/Makefile.in | 25 +-
> >> src/pcp_con/recovery.c | 27 +-
> >> src/protocol/child.c | 227 +-
> >> src/sample/pgpool.conf.sample | 20 +-
> >> src/sample/pgpool.conf.sample-logical | 18 +-
> >> src/sample/pgpool.conf.sample-master-slave | 17 +
> >> src/sample/pgpool.conf.sample-replication | 17 +
> >> src/sample/pgpool.conf.sample-stream | 16 +
> >> src/sample/pool_hba.conf.sample | 4 +-
> >> src/streaming_replication/pool_worker_child.c | 10 +-
> >> src/test/pgpool_setup | 34 +-
> >> .../020.allow_clear_text_frontend_auth/test.sh | 104 +
> >> .../tests/021.pool_passwd_auth/pool_hba.conf | 71 +
> >> .../regression/tests/021.pool_passwd_auth/test.sh | 111 +
> >> .../022.pool_passwd_alternative_auth/pool_hba.conf | 71 +
> >> .../tests/022.pool_passwd_alternative_auth/test.sh | 112 +
> >> src/tools/Makefile.am | 2 +-
> >> src/tools/Makefile.in | 27 +-
> >> src/tools/pcp/Makefile.in | 24 +-
> >> src/tools/pgenc/Makefile.am | 54 +
> >> src/tools/pgenc/Makefile.in | 687 ++++++
> >> src/tools/pgenc/pg_enc.c | 449 ++++
> >> src/tools/pgmd5/Makefile.in | 24 +-
> >> src/tools/pgmd5/pool_config.c | 2318
> +-------------------
> >> src/utils/base64.c | 196 ++
> >> src/utils/pool_process_reporting.c | 5 +
> >> src/utils/pool_ssl.c | 350 ++-
> >> src/utils/scram-common.c | 238 ++
> >> src/utils/sha2.c | 999 +++++++++
> >> src/utils/ssl_utils.c | 248 +++
> >> src/watchdog/Makefile.in | 24 +-
> >> src/watchdog/watchdog.c | 1 +
> >> src/watchdog/wd_json_data.c | 3 +
> >> src/watchdog/wd_lifecheck.c | 8 +-
> >> src/watchdog/wd_utils.c | 32 +-
> >> 80 files changed, 8747 insertions(+), 3477 deletions(-)
> >>
> > _______________________________________________
> > pgpool-committers mailing list
> > pgpool-committers at pgpool.net
> > http://www.pgpool.net/mailman/listinfo/pgpool-committers
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.sraoss.jp/pipermail/pgpool-committers/attachments/20180817/c1a2be4c/attachment-0001.html>
More information about the pgpool-committers
mailing list