Re: PG 14 release notes, first draft - Mailing list pgsql-hackers
| From | Justin Pryzby |
|---|---|
| Subject | Re: PG 14 release notes, first draft |
| Date | |
| Msg-id | 20210512150605.GR27406@telsasoft.com |
| In response to | Re: PG 14 release notes, first draft (Bruce Momjian <bruce@momjian.us>) |
| Responses | Re: PG 14 release notes, first draft |
| List | pgsql-hackers |
On Tue, May 11, 2021 at 10:45:04PM -0400, Bruce Momjian wrote:
> On Tue, May 11, 2021 at 05:13:21PM -0500, Justin Pryzby wrote:
> > On Tue, May 11, 2021 at 10:35:23AM -0400, Bruce Momjian wrote:
> > > > | Allow more than the common name (CN) to be matched for client certificate authentication (Andrew Dunstan)
> > > >
> > > > Your description makes it sound like arbitrary attributes can be compared. But
> > > > the option just allows comparing CN or DN.
> > >
> > > OK, new text is:
> > >
> > > <para>
> > > Allow the certificate's distinguished name (DN) to be matched for client
> > > certificate authentication (Andrew Dunstan)
> > > </para>
> > >
> > > <para>
> > > The new pg_hba.conf keyword "clientname=DN" allows comparison with
> > > non-CN certificate attributes and can be combined with ident maps.
> > > </para>
> > > </listitem>
> >
> > I think this part is still misleading. The option just allows DN/CN, so it's
> > strange to say "non-CN attributes".
>
> OK, so this is where I am confused. I searched for distinguished name
> (DN) and came up with DN being a concatenation of all the fields
> provided to the certificate signing request (CSR). Is that right?
> Wouldn't people test _parts_ of the DN, rather than all of it.

+Andrew

The full DN is probably not the postgres username, so the docs suggest that:

| This option is probably best used in conjunction with a username map.

You're right that clientname=DN allows testing *parts* of the DN, but I don't
know if there's any reason to believe that's the typical use case.

The primary utility of clientname=DN seems to be that the CN alone is (or can
be) ambiguous - matching on the full DN is intended to resolve that. I think
the release notes should focus on this. Matching parts of the DN (other than
the CN) seems like a secondary use.

Maybe a variation on your original words is better.

| Allow the distinguished name (DN) to be matched for client certificate authentication (Andrew Dunstan)
| Previously, matching was done only on the common name (DN).
| With a username map, the DN can be matched in full or in part.

> The test in the patch seems to do that:
>
> +	"# MAPNAME SYSTEM-USERNAME PG-USERNAME\n",
> +	"dn \"CN=ssltestuser-dn,OU=Testing,OU=Engineering,O=PGDG\" ssltestuser\n",
> +	"dnre \"/^.*OU=Testing,.*\$\" ssltestuser\n",
> +	"cn ssltestuser-dn ssltestuser\n";
>
> I think someone needs to explain to me exactly what the DN is and how it
> is used. Sorry.

--
Justin
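Review bot: the regular expression in the "dnre" map line, `/^.*OU=Testing,.*$`, matches any subject DN that contains the substring `OU=Testing,` anywhere, regardless of the other RDNs (the `O=` component, for instance), so this fixture exercises substring matching on the DN rather than a particular position within it. A short negative case next to it (a subject with the same CN but without `OU=Testing,`) would document what a `clientname=DN` map is expected to reject as well as what it accepts.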
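The point Justin makes, that a CN alone can be ambiguous while the full DN is not, is easy to see by running the three map lines quoted from the patch's test through a model of pg_ident.conf matching. The following is an added example written for this page; it is not code from the thread or from the PostgreSQL source. It assumes the documented pg_ident.conf semantics (a SYSTEM-USERNAME starting with `/` is a regular expression, and `\1` in PG-USERNAME is replaced by the first capture group), it reproduces the three map lines in plain file form (the `\$` in the quoted Perl string is Perl escaping; the file itself holds a plain `$`), and it constructs a second, hypothetical certificate subject that shares the CN with the test subject but was issued under a different organisation. The CN extraction is simplified to splitting on unescaped commas.

```python
import re
import shlex

# Constructed pg_ident.conf content.  The three map lines reproduce the ones
# quoted from the patch's TAP test, written as they would appear in the file.
IDENT_CONF = """\
# MAPNAME  SYSTEM-USERNAME                                        PG-USERNAME
dn         "CN=ssltestuser-dn,OU=Testing,OU=Engineering,O=PGDG"  ssltestuser
dnre       "/^.*OU=Testing,.*$"                                   ssltestuser
cn         ssltestuser-dn                                         ssltestuser
"""


def parse_ident_conf(text):
    """Parse pg_ident.conf-style lines into (map, system_name, pg_name) tuples.

    Double-quoted fields are honoured, which is how a DN containing commas
    and spaces is written in the real file.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)
        if len(fields) != 3:
            raise ValueError(f"malformed pg_ident line: {raw!r}")
        entries.append(tuple(fields))
    return entries


def common_name(subject_dn):
    """Extract the CN attribute from an RFC 2253-style DN string.

    Simplified (assumption): splits on unescaped commas only, which is
    enough for the constructed subjects below.
    """
    for rdn in re.split(r"(?<!\\),", subject_dn):
        attr, _, value = rdn.partition("=")
        if attr.strip().upper() == "CN":
            return value
    return None


def map_allows(entries, map_name, system_name, pg_user):
    """Apply pg_ident semantics for one map.

    A SYSTEM-USERNAME beginning with '/' is a regular expression; if it
    matches and PG-USERNAME contains '\\1', the first capture group is
    substituted before comparing with the requested database user.
    """
    for name, sys_pattern, pg_name in entries:
        if name != map_name:
            continue
        if sys_pattern.startswith("/"):
            m = re.search(sys_pattern[1:], system_name)
            if m is None:
                continue
            if "\\1" in pg_name:
                if not m.groups():
                    continue  # PostgreSQL reports an error here; we just reject
                pg_name = pg_name.replace("\\1", m.group(1))
            if pg_name == pg_user:
                return True
        elif sys_pattern == system_name and pg_name == pg_user:
            return True
    return False


def cert_auth_allows(entries, clientname, map_name, subject_dn, pg_user):
    """Model a pg_hba.conf 'cert' line with clientname=CN|DN and map=<name>.

    clientname selects which part of the certificate subject becomes the
    system-username that is fed to the ident map.
    """
    if clientname == "DN":
        system_name = subject_dn
    elif clientname == "CN":
        system_name = common_name(subject_dn)
        if system_name is None:
            return False
    else:
        raise ValueError("clientname must be CN or DN")
    return map_allows(entries, map_name, system_name, pg_user)


# Constructed subjects: the one from the test, and a hypothetical second
# certificate that shares the CN but was issued under a different organisation.
TEST_DN = "CN=ssltestuser-dn,OU=Testing,OU=Engineering,O=PGDG"
LOOKALIKE_DN = "CN=ssltestuser-dn,OU=Contractors,O=SomeoneElse"


def demo():
    """Evaluate both subjects against each clientname/map combination."""
    entries = parse_ident_conf(IDENT_CONF)
    results = {}
    for label, dn in (("test", TEST_DN), ("lookalike", LOOKALIKE_DN)):
        results[label] = {
            "CN/cn": cert_auth_allows(entries, "CN", "cn", dn, "ssltestuser"),
            "DN/dn": cert_auth_allows(entries, "DN", "dn", dn, "ssltestuser"),
            "DN/dnre": cert_auth_allows(entries, "DN", "dnre", dn, "ssltestuser"),
        }
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

With `clientname=CN map=cn` both subjects map to `ssltestuser`, because the ident map only ever sees `ssltestuser-dn`; with `clientname=DN` and either the exact `dn` map or the `dnre` regex, only the subject from the test is accepted. That is the ambiguity the full-DN match is meant to remove, and it is also why the regex form needs care: `^.*OU=Testing,.*$` accepts any DN carrying that substring, so it constrains the organisational unit but not the issuing organisation.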