client auth docs seem to have devolved
While following an old link to
https://www.postgresql.org/docs/10/auth-methods.html
I see a list of links to authentication methods. However:
When I hit the current version
https://www.postgresql.org/docs/current/auth-methods.html
There are absolutely no links...
Dave Cramer
On Tue, Dec 17, 2019 at 12:43 PM Dave Cramer <davecramer@gmail.com> wrote:
While following an old link to
https://www.postgresql.org/docs/10/auth-methods.htmlI see a list of links to authentication methods. However:
When I hit the current version
https://www.postgresql.org/docs/current/auth-methods.htmlThere are absolutely no links...
That's because the structure of the docs changed. You need to hit "up",
which will take you to
https://www.postgresql.org/docs/current/client-authentication.html, which
now has the list of links. Note how the different methods used to be
20.3.x, and are now directly listed as 20.y.
I'm unsure if that was intentional in the upstream docs, but that's what
makes the website behave like it does.
--
Magnus Hagander
Me: https://www.hagander.net/ <http://www.hagander.net/>
Work: https://www.redpill-linpro.com/ <http://www.redpill-linpro.com/>
On Tue, 17 Dec 2019 at 06:53, Magnus Hagander <magnus@hagander.net> wrote:
On Tue, Dec 17, 2019 at 12:43 PM Dave Cramer <davecramer@gmail.com> wrote:
While following an old link to
https://www.postgresql.org/docs/10/auth-methods.htmlI see a list of links to authentication methods. However:
When I hit the current version
https://www.postgresql.org/docs/current/auth-methods.htmlThere are absolutely no links...
That's because the structure of the docs changed. You need to hit "up",
which will take you to
https://www.postgresql.org/docs/current/client-authentication.html, which
now has the list of links. Note how the different methods used to be
20.3.x, and are now directly listed as 20.y.I'm unsure if that was intentional in the upstream docs, but that's what
makes the website behave like it does.
Fair enough but
20.3. Authentication Methods
The following sections describe the authentication methods in more detail.
certainly is misleading.
Thanks,
Dave
Show quoted text
On Tue, Dec 17, 2019 at 1:02 PM Dave Cramer <davecramer@gmail.com> wrote:
On Tue, 17 Dec 2019 at 06:53, Magnus Hagander <magnus@hagander.net> wrote:
On Tue, Dec 17, 2019 at 12:43 PM Dave Cramer <davecramer@gmail.com>
wrote:While following an old link to
https://www.postgresql.org/docs/10/auth-methods.htmlI see a list of links to authentication methods. However:
When I hit the current version
https://www.postgresql.org/docs/current/auth-methods.htmlThere are absolutely no links...
That's because the structure of the docs changed. You need to hit "up",
which will take you to
https://www.postgresql.org/docs/current/client-authentication.html,
which now has the list of links. Note how the different methods used to be
20.3.x, and are now directly listed as 20.y.I'm unsure if that was intentional in the upstream docs, but that's what
makes the website behave like it does.Fair enough but
20.3. Authentication Methods
The following sections describe the authentication methods in more detail.certainly is misleading.
This was changed by Peter in
commit 56811e57323faa453947eb82f007e323a952e1a1 along with the
restructuring. It used to say "the following subsections". So techically I
think that change is correct, but that doesn't necessarily make it helpful.
But based on how it actually renders, since that section doesn't contain
any actual useful info, we should perhaps just remove section 20.3
completely. Peter, thoughts?
--
Magnus Hagander
Me: https://www.hagander.net/ <http://www.hagander.net/>
Work: https://www.redpill-linpro.com/ <http://www.redpill-linpro.com/>
Magnus Hagander <magnus@hagander.net> writes:
This was changed by Peter in
commit 56811e57323faa453947eb82f007e323a952e1a1 along with the
restructuring. It used to say "the following subsections". So techically I
think that change is correct, but that doesn't necessarily make it helpful.
But based on how it actually renders, since that section doesn't contain
any actual useful info, we should perhaps just remove section 20.3
completely. Peter, thoughts?
Then, URLs pointing to that page (such as Dave evidently has bookmarked)
would break entirely, which doesn't seem like an improvement.
I suggest changing the sect1's contents to be a list of available auth
methods, linked to their subsections. That would provide approximately
the same quality-of-use as the subsection TOC that used to be there.
regards, tom lane
Then, URLs pointing to that page (such as Dave evidently has bookmarked)
would break entirely, which doesn't seem like an improvement.
it was linked to in a bug report.
Dave Cramer
On Tue, Dec 17, 2019 at 5:01 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
Magnus Hagander <magnus@hagander.net> writes:
This was changed by Peter in
commit 56811e57323faa453947eb82f007e323a952e1a1 along with the
restructuring. It used to say "the following subsections". So techicallyI
think that change is correct, but that doesn't necessarily make it
helpful.
But based on how it actually renders, since that section doesn't contain
any actual useful info, we should perhaps just remove section 20.3
completely. Peter, thoughts?Then, URLs pointing to that page (such as Dave evidently has bookmarked)
would break entirely, which doesn't seem like an improvement.
Ugh, that's a good point of course. Didn't think of that.
I suggest changing the sect1's contents to be a list of available auth
methods, linked to their subsections. That would provide approximately
the same quality-of-use as the subsection TOC that used to be there.
Yeah, that sounds better. Is there some docbook magic that can do that for
us?
--
Magnus Hagander
Me: https://www.hagander.net/ <http://www.hagander.net/>
Work: https://www.redpill-linpro.com/ <http://www.redpill-linpro.com/>
Magnus Hagander <magnus@hagander.net> writes:
On Tue, Dec 17, 2019 at 5:01 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
I suggest changing the sect1's contents to be a list of available auth
methods, linked to their subsections. That would provide approximately
the same quality-of-use as the subsection TOC that used to be there.
Yeah, that sounds better. Is there some docbook magic that can do that for
us?
I was just intending to do it the hard way, since even if such magic
exists, it'd probably only regurgitate the section titles. It seems
more useful to allow for some descriptive text along with that.
(Not a lot, but maybe a full sentence for each one.)
regards, tom lane
I wrote:
Magnus Hagander <magnus@hagander.net> writes:
This was changed by Peter in
commit 56811e57323faa453947eb82f007e323a952e1a1 along with the
restructuring. It used to say "the following subsections". So techically I
think that change is correct, but that doesn't necessarily make it helpful.
But based on how it actually renders, since that section doesn't contain
any actual useful info, we should perhaps just remove section 20.3
completely. Peter, thoughts?
Then, URLs pointing to that page (such as Dave evidently has bookmarked)
would break entirely, which doesn't seem like an improvement.
Also, our docs' own internal links to that section would break --- there
are built-in assumptions that there's one pointable-to place that explains
all the auth methods.
I suggest changing the sect1's contents to be a list of available auth
methods, linked to their subsections. That would provide approximately
the same quality-of-use as the subsection TOC that used to be there.
Concretely, I propose the attached. Anybody want to editorialize on
my short descriptions of the auth methods?
regards, tom lane
Attachments:
provide-summary-of-auth-methods-1.patchtext/x-diff; charset=us-ascii; name=provide-summary-of-auth-methods-1.patchDownload
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index 36e5a5d..6af1cf5 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -911,8 +911,103 @@ omicron bryanh guest1
<sect1 id="auth-methods">
<title>Authentication Methods</title>
+
+ <para>
+ <productname>PostgreSQL</productname> provides various methods for
+ authenticating users:
+
+ <itemizedlist>
+ <listitem>
+ <para>
+ <link linkend="auth-trust">Trust authentication</link>, which
+ simply trusts that users are who they say they are.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <link linkend="auth-password">Password authentication</link>, which
+ requires that the user send a password.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <link linkend="gssapi-auth">GSSAPI authentication</link>, which
+ relies on a GSSAPI-compatible security library; typically this is
+ used to access an authentication server such as a Kerberos or
+ Microsoft Active Directory server.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <link linkend="sspi-auth">SSPI authentication</link>, which
+ uses a Windows-specific protocol similar to GSSAPI.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <link linkend="auth-ident">Ident authentication</link>, which
+ relies on an <quote>Identification Protocol</quote> (RFC 1413)
+ service on the client's machine. (On local Unix-socket connections,
+ this is treated as peer authentication.)
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <link linkend="auth-peer">Peer authentication</link>, which
+ relies on operating system facilities to identify the process at the
+ other end of a local connection. This is not supported for remote
+ connections.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <link linkend="auth-ldap">LDAP authentication</link>, which
+ relies on an LDAP authentication server.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <link linkend="auth-radius">RADIUS authentication</link>, which
+ relies on a RADIUS authentication server.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <link linkend="auth-cert">Certificate authentication</link>, which
+ requires an SSL connection and authenticates users by checking the
+ SSL certificate they send.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <link linkend="auth-pam">PAM authentication</link>, which
+ relies on a PAM (Pluggable Authentication Modules) library.
+ In most configurations this ends up being a variant of password
+ authentication.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <link linkend="auth-bsd">BSD authentication</link>, which
+ relies on the BSD Authentication framework (currently available
+ only on OpenBSD).
+ </para>
+ </listitem>
+ </itemizedlist>
+ </para>
+
+ <para>
+ Peer authentication is usually recommendable for local connections,
+ though trust authentication might be sufficient in some circumstances.
+ Password authentication is the easiest choice for remote connections;
+ all the other options require some sort of external security
+ infrastructure, usually an authentication server or a certificate
+ authority for issuing SSL certificates.
+ </para>
+
<para>
- The following sections describe the authentication methods in more detail.
+ The following sections describe each of these authentication methods
+ in more detail.
</para>
</sect1>
I wrote:
Concretely, I propose the attached. Anybody want to editorialize on
my short descriptions of the auth methods?
Pushed after a bit more fiddling with the wording.
regards, tom lane
On 2019-Dec-19, Tom Lane wrote:
I wrote:
Concretely, I propose the attached. Anybody want to editorialize on
my short descriptions of the auth methods?Pushed after a bit more fiddling with the wording.
Looks good, thanks.
--
�lvaro Herrera https://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services