Re: Proposal: Support custom authentication methods using hooks

From: Andres Freund <andres(at)anarazel(dot)de>
To: Peter Eisentraut <peter(dot)eisentraut(at)enterprisedb(dot)com>
Cc: samay sharma <smilingsamay(at)gmail(dot)com>, pgsql-hackers(at)lists(dot)postgresql(dot)org
Subject: Re: Proposal: Support custom authentication methods using hooks
Date: 2022-03-02 20:09:42
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-hackers


On 2022-03-02 09:32:26 +0100, Peter Eisentraut wrote:
> On 01.03.22 22:34, Andres Freund wrote:
> > The cases I've heard about are about centralizing auth across multiple cloud
> > services. Including secret management in some form. E.g. allowing an
> > application to auth to postgres, redis and having the secret provided by
> > infrastructure, rather than having to hardcode it in config or such.
> >
> > I can't see application developers configuring kerberos and I don't think
> > LDAP, PAM, Radius are a great answer either, due to the plaintext requirement
> > alone? LDAP is pretty clearly dying technology, PAM is fragile complicated C
> > stuff that's not portable across OSs. Radius is probably the most realistic,
> > but at least as implemented doesn't seem flexible enough (e.g. no access to
> > group memberships etc).
> >
> > Nor does baking stuff like that in seem realistic to me, it'll presumably be
> > too cloud provider specific.
> Let's gather some more information on this. PostgreSQL should support the
> authentication that many people want to use out of the box. I don't think
> it would be good to be at a point where all the built-in methods are
> outdated and if you want to use the good stuff you have to hunt for plugins.
> The number of different cloud APIs is effectively small. I expect that
> there are a lot of similarities, like they probably all need support for
> http calls, they might need support for caching lookups, etc. OIDC was
> mentioned elsewhere. That's a standard. Is that compatible with any cloud
> providers? Would that be enough for many users?

I'm not opposed to putting something into the source tree eventually, if we
can figure out an overlapping set of capabilities that's useful enough. But I
don't see that as a reason to not make auth extensible? If anything, the
contrary - it's going to be much easier to figure out what this should look
like if it can be iteratively worked on with unmodified postgres.

Even if we were to put something in core, it seems that contrib/ would be a
better place than auth.c for something like it.

I think we should consider moving pam, ldap, radius to contrib
eventually. That way we'd not need to entirely remove them, but a "default"
postgres wouldn't have support for auth methods requiring plaintext secret


Andres Freund

In response to


Browse pgsql-hackers by date

  From Date Subject
Next Message Mark Wong 2022-03-02 20:12:01 Re: trigger example for plsample
Previous Message Andres Freund 2022-03-02 20:00:09 Re: wrong fds used for refilenodes after pg_upgrade relfilenode changes Reply-To: