Re: Allow root ownership of client certificate key

Stephen Frost <sfrost@snowman.net>

From: Stephen Frost <sfrost@snowman.net>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: David Steele <david@pgmasters.net>, PostgreSQL Developers <pgsql-hackers@lists.postgresql.org>
Date: 2022-03-01T00:31:53Z
Lists: pgsql-hackers
Greetings,

* Tom Lane (tgl@sss.pgh.pa.us) wrote:
> David Steele <david@pgmasters.net> writes:
> > Any thoughts on back-patching at least the client portion of this? 
> > Probably hard to argue that it's a bug, but it is certainly painful.
> 
> I'd be more eager to do that if we had some field complaints
> about it.  Since we don't, my inclination is not to, but I'm
> only -0.1 or so; anybody else want to vote?

This patch was specifically developed in response to field complaints
about it working differently, so there's that.  Currently it's being
worked around in the container environments by copying the key from the
secret that's provided to a temporary space where we can modify the
privileges, but that's pretty terrible.  Would be great to be able to
get rid of that in favor of being able to use it directly.

Thanks,

Stephen

Commits

  1. Allow root-owned SSL private keys in libpq, not only the backend.

  2. Doc: update libpq.sgml for root-owned SSL private keys.