pgwire,auth: support pg's auth username maps #47196

Closed
knz opened this issue Apr 8, 2020 · 0 comments · Fixed by #70269
Labels
A-authentication Pertains to authn subsystems A-cc-enablement Pertains to current CC production issues or short-term projects A-security A-sql-pgwire pgwire protocol issues. C-enhancement Solution expected to add code/behavior + preserve backward-compat (pg compat issues are exception) T-server-and-security DB Server & Security X-server-triaged-202105

Comments

knz (Contributor) commented Apr 8, 2020

In crdb 19.1, we have introduced support for PostgreSQL's (obsolete!) include_realm option for GSSAPI authentication, which maps Kerberos usernames to database usernames by stripping the realm suffix.

In crdb 20.1, we have introduced --cert-principal-map to satisfy some Amazon IAM (ACM) UX issues.

It turns out that PostgreSQL already has a common, uniform protocol to do this: https://www.postgresql.org/docs/12/auth-username-maps.html (we didn't know about this when we did the work for v19.1/v20.1).

How the pg thing would translate to crdb:

  • create a new cluster setting alongside server.host_based_authentication.configuration to hold the equivalent of pg's pg_ident.conf
  • enable HBA rules to refer to maps defined in pg_ident.conf
  • deprecate include_realm for GSSAPI (like it is already deprecated in postgres) and replace it by uniform use of name mappings.
@knz knz added C-enhancement Solution expected to add code/behavior + preserve backward-compat (pg compat issues are exception) A-sql-pgwire pgwire protocol issues. A-security labels Apr 8, 2020
@jlinder jlinder added the T-server-and-security DB Server & Security label Jun 16, 2021
@bobvawter bobvawter self-assigned this Jul 16, 2021
@knz knz added A-authentication Pertains to authn subsystems A-cc-enablement Pertains to current CC production issues or short-term projects labels Jul 29, 2021
craig bot pushed a commit that referenced this issue Nov 18, 2021
70269: pgwire: Add dynamic user identity mapping r=bobvawter a=bobvawter

This commit adds support for mapping incoming system usernames (e.g.: GSSAPI
principals, X.509 Common Names) to database usernames. The implementation
follows in the same pattern as the HBA configuration. Namely, there is a new
cluster setting server.identity_map.configuration which contains data
compatible with the pg_ident.conf file.

When a new connection is made, the relevant HBA configuration line is selected
and the "map" option is used to select an identity-map ruleset. The system
username is mapped to a database username and authentication proceeds against
the database username.

The default HBA configuration is updated to add a "map=cockroach-default"
option. This allows users who are solely interested in providing system
username mappings to install an identity-map without also needing to provide an
HBA configuration.

For pedantry's sake, the term "identity" is preferred over "username" within
the code, since not all identities are necessarily what would be considered
usernames.

Fixes: #47196

Release note (security update): The server.identity_map.configuration cluster
setting allows a pg_ident.conf file to be uploaded to support dynamically
remapping system usernames (e.g.: Kerberos principals, X.509 Common Names) to
database usernames.

72774: sql: improve a test r=andreimatei a=andreimatei

This test was deadlocking on t.Fatal(). I've run into this through #72769.

Release note: None

72878: sem/tree: protect against double panic in EvalCtx.Stop r=andreimatei a=andreimatei

Sometimes in tests EvalCtx.Stop() is called in a defer. When the defer
runs because of a panic, it would likely panic again because its memory
monitor is not empty.

Release note: None

Co-authored-by: Bob Vawter <bob@vawter.org>
Co-authored-by: Andrei Matei <andrei@cockroachlabs.com>
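The mapping step described in knz's proposal and in the commit message above, as an added example that is not CockroachDB's code and not part of the commit: the HBA line's map option names a ruleset, and the system identity (Kerberos principal, X.509 CN) is matched against that ruleset's lines to produce the database username(s) it may log in as. The rule semantics follow the pg_ident.conf description in the PostgreSQL docs linked in the issue; the map name cockroach-default comes from the commit message, while the rules and identities in sampleIdentMap are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// sampleIdentMap is a constructed pg_ident.conf-style map, not a real deployment's.
const sampleIdentMap = `
cockroach-default  /^([a-z0-9_]+)@EXAMPLE\.COM$  \1
cockroach-default  admin@EXAMPLE.COM             root
`

// mapIdentities returns, in rule order, every database username that map mapName
// grants to systemIdentity. Login as user U is allowed only if U is in the result.
func mapIdentities(conf, mapName, systemIdentity string) ([]string, error) {
	var out []string
	for _, line := range strings.Split(conf, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Fields(line) // MAPNAME SYSTEM-USERNAME DATABASE-USERNAME
		if len(f) != 3 {
			return nil, fmt.Errorf("malformed identity map line: %q", line)
		}
		if f[0] != mapName {
			continue
		}
		// Literal rules match exactly; "/regexp" rules are NOT auto-anchored: use ^ and $.
		pat := "^" + regexp.QuoteMeta(f[1]) + "$"
		if strings.HasPrefix(f[1], "/") {
			pat = f[1][1:]
		}
		re, err := regexp.Compile(pat)
		if err != nil {
			return nil, fmt.Errorf("map %s: bad regexp %q: %v", mapName, f[1], err)
		}
		m := re.FindStringSubmatch(systemIdentity)
		if m == nil {
			continue
		}
		if len(m) > 1 { // `\1` in DATABASE-USERNAME stands for the first capture group
			f[2] = strings.ReplaceAll(f[2], `\1`, m[1])
		}
		out = append(out, f[2])
	}
	return out, nil
}
```

Identities containing whitespace (some X.509 Common Names) are not handled by this whitespace-splitting parser, and the regexp dialect is Go's RE2 rather than PostgreSQL's.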
@craig craig bot closed this as completed in eaeb574 Nov 18, 2021