Commits on Jan 5, 2022

1. pgwire: Add dynamic user identity mapping …

   This commit adds support for mapping incoming system identities (e.g.: GSSAPI
   or X.509 principals) to database usernames. The implementation follows in the
   same pattern as the HBA configuration. Namely, there is a new cluster setting
   server.identity_map.configuration which contains data compatible with the
   pg_ident.conf file.
   
   When a new connection is made, the relevant HBA configuration line is selected
   and the "map" option is used to select an identity-map ruleset. The system
   identity is mapped to a database username and authentication proceeds using the
   HBA entry method.
   
   CockroachDB explicitly disallows the use of the "map" entry with the "password"
   HBA method. When using the "cert-password" method, an identity mapping is
   applied only for incoming connections that present a client certificate;
   password-based connections will not be subject to any identity remapping.
   
   The root user is never subject to identity remapping and cannot be locked out
   by a bad identity-map configuration. The effective HBA configuration always has
   a system-defined rule that matches the root user as the first rule. This
   baked-in rule does not contain a "map" option, thus bypassing the mapper code
   entirely.
   
   Users must already have access to the ADMIN role in order to change cluster
   settings, so this change does not, in and of itself, present
   privilege-escalation concerns. Futhermore, if the identity mapping results in
   the "root", "node", or other reserved usernames, an error will be returned to
   the client.
   
   For pedantry's sake, the term "identity" is preferred over "username" within
   the code, since not all identities are necessarily what would be considered
   usernames.
   
   Fixes: #47196
   
   See also: https://www.postgresql.org/docs/13/auth-username-maps.html
   
   Release note (security update): The server.identity_map.configuration cluster
   setting allows a pg_ident.conf file to be uploaded to support dynamically
   remapping system identities (e.g.: Kerberos or X.509 principals) to database
   usernames. This supports use-cases where X.509 certificates must conform to
   organizational standards that mandate the use of Common Names that are not
   valid SQL usernames (e.g.: CN=carl@example.com => carl). Mapping rules that
   result in the root, node, or other reserved usernames will result in an error
   when the client attempts to connect.
   
   Release note (security update): The client_authentication_info structured log
   message provides a new "SystemIdentity" field with the client-provided system
   identity. The existing "User" field will be populated after any Host-Based
   Authentication rules have been selected and applied, which may include a
   system-identity to database-username mapping.
   
   Release note (security update): GSSAPI-based authentication can now use either
   the HBA "map" option or "include_realm=0" to map the incoming princpal to a
   database username. Existing configurations will operate unchanged, however
   operators are encouraged to migrate from "include_realm=0" to "map" to avoid
   ambiguity in deployments where multiple realms are present.
   
   Release note (security update): Incoming system identities are normalized to
   lower-case before they are evaluated against any active identity-mapping HBA
   configuration. For example, an incoming GSSAPI principal "carl@EXAMPLE.COM"
   would only be matched by rules such as "example carl@example.com carl" or
   "example /^(.*)@example.com$ \1".

   

   bobvawter committed Jan 5, 2022
   Configuration menu

   • View commit details
   • Copy full SHA for 26fd1f6
   • Browse repository at this point

   Copy the full SHA

   26fd1f6 View commit details

   Browse the repository at this point in the history