Proposal: Support custom authentication methods using hooks

From: samay sharma <smilingsamay(at)gmail(dot)com>
To: pgsql-hackers(at)lists(dot)postgresql(dot)org
Subject: Proposal: Support custom authentication methods using hooks
Date: 2022-02-17 19:25:50
Message-ID: CAJxrbyxTRn5P8J-p+wHLwFahK5y56PhK28VOb55jqMO05Y-DJw@mail.gmail.com
Lists: pgsql-hackers

Hi all,

I wanted to submit a patch to expose 2 new hooks (one for the
authentication check and another one for error reporting) in auth.c. These
will allow users to implement their own authentication methods for Postgres
or add custom logic around authentication.

A use case where this is useful is an environment where you want
authentication to be centrally managed across different services. This is a
common deployment model for cloud providers where customers like to use
single sign on and authenticate across different services including
Postgres. Implementing this now is tricky as it requires syncing that
authentication method's credentials with Postgres (and that gets trickier
with TTL/expiry etc.). With these hooks, you can implement an extension to
check credentials directly using the authentication provider's APIs.

To enable this, I've proposed adding a new authentication method "custom"
which can be specified in pg_hba.conf and takes a mandatory argument
"provider" specifying which authentication provider to use. I've also moved
a couple of static functions to headers so that extensions can call them.

Sample pg_hba.conf line to use a custom provider:

host all all ::1/128 custom provider=test

As an example and a test case, I've added an extension named
test_auth_provider in src/test/modules which fetches credentials from
a pre-defined array. I've also added TAP tests for the extension to test
this functionality.

One constraint in the current implementation is that we allow only one
authentication provider to be loaded at a time. In the future, we can add
more functionality to maintain an array of hooks and call the appropriate
one based on the provider name in the pg_hba line.

A couple of my tests are flaky and sometimes fail in CI. I think the reason
for that is I don't wait for pg_hba reload to be processed before checking
logs for error messages. I didn't find an immediate way to address that and
I'm looking into it but wanted to get an initial version out for
feedback on the approach taken and interfaces. Once those get finalized, I
can submit a patch to add docs as well.

Looking forward to your feedback.

Regards,

Samay

Attachment Content-Type Size
0001-Add-support-for-custom-authentication-methods.patch application/octet-stream 10.7 KB
0002-Add-sample-extension-to-test-custom-auth-provider-ho.patch application/octet-stream 3.6 KB
0003-Add-tests-for-test_auth_provider-extension.patch application/octet-stream 6.4 KB
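As an added illustration (not part of the patch, the test_auth_provider module, or the message above), here is how the sample pg_hba.conf line would sit in a complete configuration. It assumes the provider extension is loaded at server start through shared_preload_libraries; the patch text is not shown here, so that loading mechanism is an assumption, and the provider name "test" is simply the one used in the sample line.

```conf
# postgresql.conf
# Assumption: the provider extension must already be loaded when a client
# authenticates, so it is listed here rather than loaded on demand.
shared_preload_libraries = 'test_auth_provider'

# pg_hba.conf
# TYPE  DATABASE  USER      ADDRESS       METHOD  [OPTIONS]

# Rules are matched top to bottom. Keep a local superuser path that does
# not depend on the custom provider, so an unloaded or misbehaving provider
# cannot lock the administrator out of the server.
local   all       postgres                peer

# Everything else over loopback goes through the custom provider "test".
# The proposal makes the "provider" option mandatory for the "custom"
# method, and only one provider can be loaded at a time, so every "custom"
# line must name that same provider.
host    all       all       ::1/128       custom  provider=test
host    all       all       127.0.0.1/32  custom  provider=test

# Anything not matched above is rejected explicitly.
host    all       all       0.0.0.0/0     reject
```

A change to shared_preload_libraries needs a server restart, while edits to pg_hba.conf take effect only after a reload (pg_ctl reload, or SELECT pg_reload_conf() from a superuser session); checking the server log for authentication errors before that reload has completed is exactly the race the message describes in its flaky tests.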
