Support kerberos authentication for postgres_fdw
Hi hackers,
I'd like to add kerberos authentication support for postgres_fdw by adding two
options to user mapping: krb_client_keyfile and gssencmode.
In the backend we have krb_server_keyfile option to specify a keytab file to
be used by postgres server, krb_client_keyfile is doing mostly the same thing.
This allows postgres_fdw(backend process) to authenticate on behalf of a
logged in user who is querying the foreign table. The credential is kept in
the backend process memory instead of local file to prevent abuse by users
on the same host.
Because backend process is accessing the filesystem of the server host, this
option should only be manipulated by super user. Otherwise, normal user may
steal the identity or probe the server filesystem. This principal is the same to
sslcert and sslkey options in user mapping.
Thoughts?
Best regards,
Peifeng
Attachments:
v1-0001-kerberos-pgfdw.patchtext/x-patch; name=v1-0001-kerberos-pgfdw.patchDownload+615-1
On Fri, Jul 09, 2021 at 10:13:20AM +0000, Peifeng Qiu wrote:
I'd like to add kerberos authentication support for postgres_fdw by adding two
options to user mapping: krb_client_keyfile and gssencmode.
You may want to register this patch into the next commit fest, to get
it reviewed for a potential integration in 15:
https://commitfest.postgresql.org/34/
--
Michael