From: | Chris Travers <chris(at)metatrontech(dot)com> |
---|---|
To: | Andrew Sullivan <ajs(at)crankycanuck(dot)ca> |
Cc: | pgsql-general(at)postgresql(dot)org |
Subject: | Re: PGPool and replication enforcement On "multi-master" |
Date: | 2005-10-18 19:53:49 |
Message-ID: | 435552CD.6060501@metatrontech.com |
Lists: | pgsql-general |
Andrew Sullivan wrote:
>On Sat, Oct 15, 2005 at 06:04:54PM -0700, Chris Travers wrote:
>
>>Out of curiosity, what is wrong with requiring client SSL certs to
>>access the system and only issuing them to the PGPool system (or using a
>>different CA if you need to issue client certs to the end users)? This
>
>Hmm, I like this, although client SSL certs still didn't work with
>JDBC last I checked, so it won't solve all the problems. But you're
>right, this would mostly solve the problem I was thinking of,
>provided it was described correctly to the (mostly-clueless)
>technology rule-producers.
>
Oops. I guess PgPool doesn't support SSL connections to backend
servers. Too bad :-( This would have been a really nice, elegant
solution to this problem. It looks like PgCluster may support SSL, I am
not sure.... The problem is that one needs some way of authenticating
the client, not just the user. SSL would work for that.

I can't think of any other way to authenticate the client while still
allowing one to authenticate the user afterwards... And I doubt that it
is possible to use Kerberos to authenticate the daemon as well as the
end user...

Best Wishes,
Chris Travers
Metatron Technology Consulting
Attachment | Content-Type | Size |
---|---|---|
chris.vcf | text/x-vcard | 127 bytes |