* Ian Pilcher (arequip...@gmail.com) wrote:
> On 12/02/2013 02:29 PM, Andrew Dunstan wrote:
> > Wouldn't that amount to only partially trusting the root? It seems kinda
> > odd. In any case, it's not something I think Postgres needs to solve.
>
> I think that the fundamental problem is that authentication and
> authorization are being conflated. From the OpenSSL point-of-view, it
> is checking that the client certificate is valid (not expired, signed by
> a trusted chain of CAs, etc.); i.e. it's only doing authentication.

Of course.

> PostgreSQL is trusting any client certificate that is validated by
> OpenSSL. It's essentially trusting OpenSSL to do both authentication
> and authorization, but OpenSSL isn't doing the latter.

That isn't at *all* accurate. Authorization is handled by pg_ident and
PG's role and grant system. We are only using OpenSSL's trust of the
certificate for authentication.

> Does PostgreSQL need to solve this? I don't know, but it certainly
> would be a nice capability to have -- if only to avoid the confusion
> that currently surrounds the issue.

I have no idea what you're getting at here.

Thanks,

Stephen