| From: | Jacob Champion <pchampion(at)vmware(dot)com> |
|---|---|
| To: | "sfrost(at)snowman(dot)net" <sfrost(at)snowman(dot)net> |
| Cc: | "magnus(at)hagander(dot)net" <magnus(at)hagander(dot)net>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Proposal: Save user's original authenticated identity for logging |
| Date: | 2021-02-02 00:16:47 |
| Message-ID: | 90b476785eb6b2744a578ff47db5b4b7949dd11b.camel@vmware.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Mon, 2021-02-01 at 18:40 -0500, Stephen Frost wrote:
> * Jacob Champion (pchampion(at)vmware(dot)com) wrote:
> > My goal is to get this one single point of reference, for all of the
> > auth backends. The LDAP mapping conversation is separate.
>
> Presumably this would be the DN for SSL then..? Not just the CN?
Correct.
> How would the issuer DN be included? And the serial?
In the current proposal, they're not. Seems like only the Subject
should be considered when determining the "identity of the user" --
knowing the issuer or the certificate fingerprint might be useful in
general, and perhaps they should be logged somewhere, but they're not
part of the user's identity.
If there were a feature that considered the issuer or serial number
when making role mappings, I think it'd be easier to make a case for
that. As of right now I don't think they should be incorporated into
this *particular* identifier.
--Jacob
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Jacob Champion | 2021-02-02 00:42:23 | Re: Support for NSS as a libpq TLS backend |
| Previous Message | Zhihong Yu | 2021-02-02 00:04:11 | Re: Determine parallel-safety of partition relations for Inserts |