Hi all.
I've come up with a proof-of-concept patch using the delegation/proxy approach.
Let's say we have two DB, one for FDW and one for the real server. When client
connects to FDW server using kerberos authentication, we can obtain a "proxy"
credential and store it in the global variable "MyPr
Greetings,
* Magnus Hagander (mag...@hagander.net) wrote:
> On Mon, Jul 12, 2021 at 5:43 AM Peifeng Qiu wrote:
> > >As you note, this'd have to be restricted to superusers, which makes it
> > >seem like a pretty bad idea. We really don't want to be in a situation
> > >of pushing people to run da
>But in this case, what dose Kerberos give over just using a password
>based solution? It adds complexity, but what's teh actual gain?
That's due to policy of some customers. They require all login to be kerberos
based and password-less. I suppose this way they don't need to maintain
passwords in
On Mon, Jul 12, 2021 at 5:43 AM Peifeng Qiu wrote:
>
> >As you note, this'd have to be restricted to superusers, which makes it
> >seem like a pretty bad idea. We really don't want to be in a situation
> >of pushing people to run day-to-day stuff as superuser. Yeah, having
> >access to kerberos
>As you note, this'd have to be restricted to superusers, which makes it
>seem like a pretty bad idea. We really don't want to be in a situation
>of pushing people to run day-to-day stuff as superuser. Yeah, having
>access to kerberos auth sounds good on the surface, but it seems like
>it would b
Sorry I have sent a duplicate email. I will first continue discussion
in the other thread and then submit it after we have a conclusion.
Thanks.
Peifeng
On Fri, Jul 9, 2021 at 3:49 PM Tom Lane wrote:
>
> Peifeng Qiu writes:
> > I'd like to add kerberos authentication support for postgres_fdw by adding
> > two
> > options to user mapping: krb_client_keyfile and gssencmode.
>
> As you note, this'd have to be restricted to superusers, which makes i
On Fri, Jul 09, 2021 at 10:13:20AM +, Peifeng Qiu wrote:
> I'd like to add kerberos authentication support for postgres_fdw by adding two
> options to user mapping: krb_client_keyfile and gssencmode.
You may want to register this patch into the next commit fest, to get
it reviewed for a potent
Peifeng Qiu writes:
> I'd like to add kerberos authentication support for postgres_fdw by adding two
> options to user mapping: krb_client_keyfile and gssencmode.
As you note, this'd have to be restricted to superusers, which makes it
seem like a pretty bad idea. We really don't want to be in a
