Re: localhost ssl

From: Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com>
To: Rob Sargent <robjsargent(at)gmail(dot)com>, "pgsql-general(at)lists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org>
Subject: Re: localhost ssl
Date: 2021-01-22 22:33:16
Message-ID: 4665f2de-d2a2-4623-8c61-0f42c899e8a3@aklaver.com
Lists: pgsql-general

On 1/22/21 1:11 PM, Rob Sargent wrote:
>

> Just prior to that quote is
> "The cn (Common Name) attribute of the certificate will be compared to
> the requested database user name, and if they match the login will be
> allowed."
> which leads me to believe I would need a cert per role.
>
>> which leads to this:
>>
>> https://www.postgresql.org/docs/12/auth-username-maps.html
> I don't think the mapping tricks help me, but happy to be convinced
> otherwise.

Check out this section:

https://www.postgresql.org/docs/12/ssl-tcp.html#SSL-CLIENT-CERTIFICATES

"... the cn (Common Name) in the certificate matches the user name or
an applicable mapping."

This section spells out what is needed for the various forms of client
cert SSL authentication.

>
> I have specific roles accessing specific schemas via sql which is not
> schema qualified.
>

I'm assuming this is some sort of security. Just wondering if there is
provision made for people who know how to do SET search_path or \dn or
schema qualify objects?

--
Adrian Klaver
adrian(dot)klaver(at)aklaver(dot)com
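
An added illustration of the "user name or an applicable mapping" rule quoted above (not code from this thread or from PostgreSQL): a small model of how a `cert` line with `map=` in pg_hba.conf plus pg_ident.conf entries lets one client certificate log in as several roles. The map name `localcert`, the CN `rob-laptop` and the role names are constructed; quoted fields in pg_ident.conf are not handled.

```python
import re

# Constructed sample configuration (map name, CN and role names are made up).
PG_HBA_LINE = "hostssl all all 127.0.0.1/32 cert map=localcert"
PG_IDENT = """
# MAPNAME   SYSTEM-USERNAME (cert CN)   PG-USERNAME
localcert   rob-laptop                  reader
localcert   rob-laptop                  loader
localcert   /^svc-(.+)$                 \\1
"""

def hba_map(line):
    """Return the map= option of a host-type pg_hba.conf line, or None."""
    for opt in line.split()[5:]:
        key, _, value = opt.partition("=")
        if key == "map":
            return value
    return None

def parse_ident(text):
    """Return (map, system_user, pg_user) tuples; comments and blanks skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 3:
            rows.append(tuple(fields))
    return rows

def cert_login_allowed(cn, role, map_name=None, rows=()):
    """No map: CN must equal the role. With a map: some line must pair them."""
    if map_name is None:
        return cn == role
    for name, system_user, pg_user in rows:
        if name != map_name:
            continue
        if system_user.startswith("/"):          # regular-expression entry
            m = re.search(system_user[1:], cn)
            if m is None:
                continue
            if m.groups():                       # \1 = first captured group
                pg_user = pg_user.replace("\\1", m.group(1) or "")
        elif system_user != cn:
            continue
        if pg_user == role:
            return True
    return False

if __name__ == "__main__":
    rows, name = parse_ident(PG_IDENT), hba_map(PG_HBA_LINE)
    for role in ("reader", "loader", "postgres"):
        print(role, cert_login_allowed("rob-laptop", role, name, rows))
```

Roles that no map line pairs with the certificate's CN (here `postgres`) are refused, so the map also serves as the list of roles a given certificate may assume.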