Kerberos delegation support in libpq and postgres_fdw
Peifeng Qiu <peifengq@vmware.com>
From: Peifeng Qiu <peifengq@vmware.com>
To: "pgsql-hackers@lists.postgresql.org" <pgsql-hackers@lists.postgresql.org>, Magnus Hagander <magnus@hagander.net>, Stephen Frost <sfrost@snowman.net>, Tom Lane <tgl@sss.pgh.pa.us>
Date: 2021-07-20T03:05:48Z
Lists: pgsql-hackers
Attachments
- v1-0001-kerberos-delegation.patch (text/x-patch) patch v1-0001
Hi hackers. This is the patch to add kerberos delegation support in libpq, which enables postgres_fdw to connect to another server and authenticate as the same user to the current login user. This will obsolete my previous patch which requires keytab file to be present on the fdw server host. After the backend accepts the gssapi context, it may also get a proxy credential if permitted by policy. I previously made a hack to pass the pointer of proxy credential directly into libpq. It turns out that the correct way to do this is store/acquire using credential cache within local process memory to prevent leak. Because no password is needed when querying foreign table via kerberos delegation, the "password_required" option in user mapping must be set to false by a superuser. Other than this, it should work with normal user. I only tested it manually in a very simple configuration currently. I will go on to work with TAP tests for this. How do you feel about this patch? Any feature/security concerns about this? Best regards, Peifeng Qiu
Commits
-
Add support for Kerberos credential delegation
- 3d4fa227bce4 16.0 landed