Re: Connect as multiple users using single client certificate
| От | Kyle Bateman |
|---|---|
| Тема | Re: Connect as multiple users using single client certificate |
| Дата | |
| Msg-id | 109b2b82-1604-87d5-f361-14068835362d@batemans.org обсуждение исходный текст |
| Ответ на | Re: Connect as multiple users using single client certificate (Andrew Dunstan <andrew.dunstan@2ndquadrant.com>) |
| Ответы |
Re: Connect as multiple users using single client certificate
|
| Список | pgsql-hackers |
On 10/11/19 12:12 PM, Andrew Dunstan wrote: > On 10/11/19 1:58 PM, Kyle Bateman wrote: >> I have some JS middleware that needs to securely connect to the >> postgresql back end. Any number of different users may connect via >> websocket to this middleware to manage their connection to the >> database. I want the JS process to have a client certificate >> authorizing it to connect to the database. >> >> I have this line in my pg_hba.conf: >> >> hostssl all +users all cert >> >> So the idea is, I should be able to connect as any user that is a >> member of the role "users." >> >> Under this configuration, I can currently connect as the user "users" >> but not as "joe" who is a member of the role "users." I get: >> >> FATAL: certificate authentication failed for user "joe" >> >> This makes sense as the commonName on the certificate is "users" and >> not "joe." But the documentation for pg_hba.conf states that >> prefixing the username with a "+" should allow me to connect as any >> role who is a member of the stated role. >> >> Is there a way to do this via client certificate authorization? I >> have no way of knowing the specific usernames ahead of time, as new >> users may be created in the database (thousands) and I can't really be >> creating separate certificates for every different user. >> >> > > I think the short answer is: No. The client certificate should match the > username and nothing else. If you don't want to generate certificates > for all your users I suggest using some other form of auth (e.g. > scram-sha-256). > > > The long answer is that you can use maps, but it's probably not a good > idea. e.g. you have a map allowing foo to connect as both bar and baz, > and give both bar and baz a certificate with a CN of foo. But then bar > can connect as baz and vice versa, which isn't a good thing. > > > cheers > > > andrew > > Hmmm, too bad. It would be nice to be able to generate a certificate, say with a commonName of "+users" (or some other setting) which matches what is specified in pg_hba.conf, allowing connections from anyone within the specified group. Seems like that is the intent of the "+" syntax in the first place. In my case, the middleware is validating end-users using distributed keys, so no username/passwords are needed. I was hoping to avoid all that and just rely on SSL. Any idea if this is a viable feature enhancement? Kyle Kyle
В списке pgsql-hackers по дате отправления: