Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_CBC_SHA1:256)
	(Exim 4.89)
	(envelope-from <pgsql-hackers-owner+archive@lists.postgresql.org>)
	id 1ihdjM-0000Ld-Hd
	for pgsql-hackers@arkaria.postgresql.org; Wed, 18 Dec 2019 18:07:28 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.89)
	(envelope-from <pgsql-hackers-owner+archive@lists.postgresql.org>)
	id 1ihdjL-0001g9-AI
	for pgsql-hackers@arkaria.postgresql.org; Wed, 18 Dec 2019 18:07:27 +0000
Received: from makus.postgresql.org ([2001:4800:3e1:1::229])
	by malur.postgresql.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_CBC_SHA1:256)
	(Exim 4.89)
	(envelope-from <tgl@sss.pgh.pa.us>)
	id 1ihdjK-0001fy-Ti; Wed, 18 Dec 2019 18:07:27 +0000
Received: from sss.pgh.pa.us ([66.207.139.130])
	by makus.postgresql.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.92)
	(envelope-from <tgl@sss.pgh.pa.us>)
	id 1ihdjI-0002Wr-6g; Wed, 18 Dec 2019 18:07:25 +0000
Received: from sss1.sss.pgh.pa.us (localhost [127.0.0.1])
	by sss.pgh.pa.us (8.14.4/8.14.4) with ESMTP id xBII7IPw010980;
	Wed, 18 Dec 2019 13:07:18 -0500
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Magnus Hagander <magnus@hagander.net>
cc: Stephen Frost <sfrost@snowman.net>, Dave Cramer <davecramer@gmail.com>,
        Peter Eisentraut <peter.eisentraut@2ndquadrant.com>,
        PostgreSQL-development <pgsql-hackers@postgresql.org>,
        pgsql-docs@lists.postgresql.org
Subject: Re: client auth docs seem to have devolved
In-reply-to: <13336.1576598463@sss.pgh.pa.us>
References: 
 <CADK3HH+xQLhcPgg=kWqfogtXGGZr-JdSo=x=WQC0PkAVyxUWyQ@mail.gmail.com>
 <CABUevEzWhRtMVSOyM=YkpMR9FZV3E3w2OjcFScKAjHbu3=io7g@mail.gmail.com>
 <CADK3HH++WrDDfE2q9+qpuaaq-SJfbvC5csP-qFtf_JuTpffeEw@mail.gmail.com>
 <CABUevEzOcEBRLug3gTpAEhvSRjqyNLsk7QY70JbM-OStj=5cYA@mail.gmail.com>
 <13336.1576598463@sss.pgh.pa.us>
Comments: In-reply-to Tom Lane <tgl@sss.pgh.pa.us>
	message dated "Tue, 17 Dec 2019 11:01:03 -0500"
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----- =_aaaaaaaaaa0"
Content-ID: <10918.1576692360.0@sss.pgh.pa.us>
Date: Wed, 18 Dec 2019 13:07:18 -0500
Message-ID: <10979.1576692438@sss.pgh.pa.us>
List-Id: <pgsql-hackers.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-hackers@lists.postgresql.org>
List-Owner: <mailto:pgsql-hackers-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-hackers>
Precedence: bulk

------- =_aaaaaaaaaa0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <10918.1576692360.1@sss.pgh.pa.us>

I wrote:
> Magnus Hagander <magnus@hagander.net> writes:
>> This was changed by Peter in
>> commit 56811e57323faa453947eb82f007e323a952e1a1 along with the
>> restructuring. It used to say "the following subsections". So techically I
>> think that change is correct, but that doesn't necessarily make it helpful.
>> But based on how it actually renders, since that section doesn't contain
>> any actual useful info, we should perhaps just remove section 20.3
>> completely. Peter, thoughts?

> Then, URLs pointing to that page (such as Dave evidently has bookmarked)
> would break entirely, which doesn't seem like an improvement.

Also, our docs' own internal links to that section would break --- there
are built-in assumptions that there's one pointable-to place that explains
all the auth methods.

> I suggest changing the sect1's contents to be a list of available auth
> methods, linked to their subsections.  That would provide approximately
> the same quality-of-use as the subsection TOC that used to be there.

Concretely, I propose the attached.  Anybody want to editorialize on
my short descriptions of the auth methods?

			regards, tom lane


------- =_aaaaaaaaaa0
Content-Type: text/x-diff; name="provide-summary-of-auth-methods-1.patch";
	charset="us-ascii"
Content-ID: <10918.1576692360.2@sss.pgh.pa.us>
Content-Description: provide-summary-of-auth-methods-1.patch

diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index 36e5a5d..6af1cf5 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -911,8 +911,103 @@ omicron         bryanh                  guest1
 
  <sect1 id="auth-methods">
   <title>Authentication Methods</title>
+
+  <para>
+   <productname>PostgreSQL</productname> provides various methods for
+   authenticating users:
+
+   <itemizedlist>
+    <listitem>
+     <para>
+      <link linkend="auth-trust">Trust authentication</link>, which
+      simply trusts that users are who they say they are.
+     </para>
+    </listitem>
+    <listitem>
+     <para>
+      <link linkend="auth-password">Password authentication</link>, which
+      requires that the user send a password.
+     </para>
+    </listitem>
+    <listitem>
+     <para>
+      <link linkend="gssapi-auth">GSSAPI authentication</link>, which
+      relies on a GSSAPI-compatible security library; typically this is
+      used to access an authentication server such as a Kerberos or
+      Microsoft Active Directory server.
+     </para>
+    </listitem>
+    <listitem>
+     <para>
+      <link linkend="sspi-auth">SSPI authentication</link>, which
+      uses a Windows-specific protocol similar to GSSAPI.
+     </para>
+    </listitem>
+    <listitem>
+     <para>
+      <link linkend="auth-ident">Ident authentication</link>, which
+      relies on an <quote>Identification Protocol</quote> (RFC 1413)
+      service on the client's machine.  (On local Unix-socket connections,
+      this is treated as peer authentication.)
+     </para>
+    </listitem>
+    <listitem>
+     <para>
+      <link linkend="auth-peer">Peer authentication</link>, which
+      relies on operating system facilities to identify the process at the
+      other end of a local connection.  This is not supported for remote
+      connections.
+     </para>
+    </listitem>
+    <listitem>
+     <para>
+      <link linkend="auth-ldap">LDAP authentication</link>, which
+      relies on an LDAP authentication server.
+     </para>
+    </listitem>
+    <listitem>
+     <para>
+      <link linkend="auth-radius">RADIUS authentication</link>, which
+      relies on a RADIUS authentication server.
+     </para>
+    </listitem>
+    <listitem>
+     <para>
+      <link linkend="auth-cert">Certificate authentication</link>, which
+      requires an SSL connection and authenticates users by checking the
+      SSL certificate they send.
+     </para>
+    </listitem>
+    <listitem>
+     <para>
+      <link linkend="auth-pam">PAM authentication</link>, which
+      relies on a PAM (Pluggable Authentication Modules) library.
+      In most configurations this ends up being a variant of password
+      authentication.
+     </para>
+    </listitem>
+    <listitem>
+     <para>
+      <link linkend="auth-bsd">BSD authentication</link>, which
+      relies on the BSD Authentication framework (currently available
+      only on OpenBSD).
+     </para>
+    </listitem>
+   </itemizedlist>
+  </para>
+
+  <para>
+   Peer authentication is usually recommendable for local connections,
+   though trust authentication might be sufficient in some circumstances.
+   Password authentication is the easiest choice for remote connections;
+   all the other options require some sort of external security
+   infrastructure, usually an authentication server or a certificate
+   authority for issuing SSL certificates.
+  </para>
+
   <para>
-   The following sections describe the authentication methods in more detail.
+   The following sections describe each of these authentication methods
+   in more detail.
   </para>
  </sect1>
 

------- =_aaaaaaaaaa0--