Re: Support kerberos authentication for postgres_fdw

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Peifeng Qiu <peifengq(at)vmware(dot)com>
Cc: "pgsql-hackers(at)lists(dot)postgresql(dot)org" <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: Re: Support kerberos authentication for postgres_fdw
Date: 2021-07-09 13:49:40
Message-ID: 2092292.1625838580@sss.pgh.pa.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

Peifeng Qiu <peifengq(at)vmware(dot)com> writes:
> I'd like to add kerberos authentication support for postgres_fdw by adding two
> options to user mapping: krb_client_keyfile and gssencmode.

As you note, this'd have to be restricted to superusers, which makes it
seem like a pretty bad idea. We really don't want to be in a situation
of pushing people to run day-to-day stuff as superuser. Yeah, having
access to kerberos auth sounds good on the surface, but it seems like
it would be a net loss in security because of that.

Is there some other way?

regards, tom lane

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Amul Sul 2021-07-09 13:52:53 Re: [CLOBBER_CACHE]Server crashed with segfault 11 while executing clusterdb
Previous Message Masahiko Sawada 2021-07-09 13:44:54 Re: Transactions involving multiple postgres foreign servers, take 2