MIME-Version: 1.0
References: <SY7PR01MB90072A084A61E7BE708EA3BEC70D2@SY7PR01MB9007.ausprd01.prod.outlook.com>
 <475d191dec8afe65530e81d1748582ee@postgresql.org> <SY7PR01MB9007B2AA3CC9763E13C9B630C7DB2@SY7PR01MB9007.ausprd01.prod.outlook.com>
 <20240710141012.lgflly6uaa3oxcng@hjp.at>
In-Reply-To: <20240710141012.lgflly6uaa3oxcng@hjp.at>
From: Ian Harding <harding.ian@gmail.com>
Date: Wed, 10 Jul 2024 07:27:29 -0700
Message-ID: <CAMR4UwHOHPC2Vvi0qmR3O+Xvs_FgUXO8-obQnZ0-FdBO_EPz8g@mail.gmail.com>
Subject: Re: [EXTERNAL] Re: SSPI Feature Request
To: pgsql-general@lists.postgresql.org
Content-Type: multipart/alternative; boundary="000000000000e84243061ce572c2"
Archived-At: <https://www.postgresql.org/message-id/CAMR4UwHOHPC2Vvi0qmR3O%2BXvs_FgUXO8-obQnZ0-FdBO_EPz8g%40mail.gmail.com>
Precedence: bulk

--000000000000e84243061ce572c2
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Wed, Jul 10, 2024 at 7:10=E2=80=AFAM Peter J. Holzer <hjp-pgsql@hjp.at> =
wrote:

> On 2024-07-09 03:35:33 +0000, Buoro, John wrote:
> > I've dusted off my C books and coded a solution.
> [...]
> > When using SSPI you can grant access to a user by giving the login name
> as
> > firstname.lastname@SOMEDOMAIN for example.
> > PostgresSQL has no concept of groups, just roles.
> > The code provided allows you to specify a group name as a login. Exampl=
e
> > UserGroupName@SOMEDOMAIN
> > It will search Active Directory \ LDAP for the current user's
> distinguished
> > name and the domain component (DC) their account is defined in.
> > Then it will obtain all the access groups which this account belongs to
> > (excluding mail groups).
> > It will compare the group name with what is defined in ProgreSQL.
> > If there is a match, then that group name will be the identity of the
> user, so
> > that for example...
> >
> > SELECT USER;
> >
> > ...will show UserGroupName@SOMEDOMAIN as the user, and NOT
> > firstname.lastname@SOMEDOMAIN.
> > This is because PostgreSQL appears not to have group support nor the
> ability to
> > separate user identification and user authentication from what I can se=
e
> in the
> > source code.
> >
> > If the user's account (example firstname.lastname@SOMEDOMAIN) is
> specifically
> > listed in the logins as well as the group (example
> UserGroupName@SOMEDOMAIN)
> > then it will use the user firstname.lastname@SOMEDOMAIN rather than the
> group.
> > If there are multiple groups defined in PostgreSQL that the user is a
> member of
> > then the code will use the first matching group as obtained from Active
> > Directory \ LDAP.
> > It will not work out which group has the most \ highest privileges.
>
> I am confused. This doesn't seem to be what you were asking for and I'm
> also unsure what scenario this is trying to address.
>
> I thought you wanted something like this:
>
> A user can authenticate with their AD name (DN, URN, or whatever), e.g.
> a.user@some.domain. A correspnding role in PostgreSQL is automatically
> created if it doesn't already exist.
>
> The user's groups are also read from AD: group1@some.domain,
> group2@some.domain, ... For each of these groups a GRANT is performed:
>     GRANT "group1@some.domain" TO "a.user@some.domain";
>     GRANT "group2@some.domain" TO "a.user@some.domain";
>     ...
> The roles for these groups might also be automatically created but since
> a role without privileges isn't very useful I'm not sure if that makes
> sense.
>
> (There would also have to be a way to revoke privileges if the AD user
> loses membership in an AD group. Or maybe those GRANTs could be scoped
> to a session?)
>
> This would allow the complete user/group administration to be outsourced
> to AD. Only GRANTs to database objects like tables, views or functions
> would need to be done at each database.
>
>         hp
>
> --
>    _  | Peter J. Holzer    | Story must make more sense than reality.
> |_|_) |                    |
> | |   | hjp@hjp.at         |    -- Charles Stross, "Creative writing
> __/   | http://www.hjp.at/ |       challenge!"


The solution proposed is about as close as I think you can get to the
Windows reality and would be useful. A windows group is the only thing
PostgreSQL would know or care about. Individuals authenticate as thier
individual selves but are granted access as a member of the global group.

MS SQL Server works like that except that, although there is no =E2=80=9Clo=
gin=E2=80=9D
with your individual name, you are operating within the database as your
individual account. They can do that because they don=E2=80=99t require exi=
stence
of a named login for the individual. I doubt that=E2=80=99s possible for
PostgreSQL.

As a MS SQL Server admin I can tell you that it is a complete mystery how a
user gained access to the database in this world. You might be a member of
many groups, all of which might have a server login (granted server roles)
and be mapped into databases with potentially differently named database
users, while SELECT @@USER will show your actual individual domain user
name.

I think this feature would be useful but I think the PostgreSQL role ->
Active Directory Group mapping is where it should end. That effectively
makes it a shared role, as who the connection was established as would be
lost.

>
>

--000000000000e84243061ce572c2
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div><br></div><div><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=
=3D"gmail_attr">On Wed, Jul 10, 2024 at 7:10=E2=80=AFAM Peter J. Holzer &lt=
;<a href=3D"mailto:hjp-pgsql@hjp.at">hjp-pgsql@hjp.at</a>&gt; wrote:<br></d=
iv><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left=
:1px #ccc solid;padding-left:1ex">On 2024-07-09 03:35:33 +0000, Buoro, John=
 wrote:<br>
&gt; I&#39;ve dusted off my C books and coded a solution.<br>
[...]<br>
&gt; When using SSPI you can grant access to a user by giving the login nam=
e as<br>
&gt; firstname.lastname@SOMEDOMAIN for example.<br>
&gt; PostgresSQL has no concept of groups, just roles.<br>
&gt; The code provided allows you to specify a group name as a login. Examp=
le<br>
&gt; UserGroupName@SOMEDOMAIN<br>
&gt; It will search Active Directory \ LDAP for the current user&#39;s dist=
inguished<br>
&gt; name and the domain component (DC) their account is defined in.<br>
&gt; Then it will obtain all the access groups which this account belongs t=
o<br>
&gt; (excluding mail groups).<br>
&gt; It will compare the group name with what is defined in ProgreSQL.<br>
&gt; If there is a match, then that group name will be the identity of the =
user, so<br>
&gt; that for example...<br>
&gt; <br>
&gt; SELECT USER;<br>
&gt; <br>
&gt; ...will show UserGroupName@SOMEDOMAIN as the user, and NOT<br>
&gt; firstname.lastname@SOMEDOMAIN.<br>
&gt; This is because PostgreSQL appears not to have group support nor the a=
bility to<br>
&gt; separate user identification and user authentication from what I can s=
ee in the<br>
&gt; source code.<br>
&gt; <br>
&gt; If the user&#39;s account (example firstname.lastname@SOMEDOMAIN) is s=
pecifically<br>
&gt; listed in the logins as well as the group (example UserGroupName@SOMED=
OMAIN)<br>
&gt; then it will use the user firstname.lastname@SOMEDOMAIN rather than th=
e group.<br>
&gt; If there are multiple groups defined in PostgreSQL that the user is a =
member of<br>
&gt; then the code will use the first matching group as obtained from Activ=
e<br>
&gt; Directory \ LDAP.<br>
&gt; It will not work out which group has the most \ highest privileges.<br=
>
<br>
I am confused. This doesn&#39;t seem to be what you were asking for and I&#=
39;m<br>
also unsure what scenario this is trying to address.<br>
<br>
I thought you wanted something like this:<br>
<br>
A user can authenticate with their AD name (DN, URN, or whatever), e.g.<br>
a.user@some.domain. A correspnding role in PostgreSQL is automatically<br>
created if it doesn&#39;t already exist.<br>
<br>
The user&#39;s groups are also read from AD: group1@some.domain,<br>
group2@some.domain, ... For each of these groups a GRANT is performed:<br>
=C2=A0 =C2=A0 GRANT &quot;group1@some.domain&quot; TO &quot;a.user@some.dom=
ain&quot;;<br>
=C2=A0 =C2=A0 GRANT &quot;group2@some.domain&quot; TO &quot;a.user@some.dom=
ain&quot;;<br>
=C2=A0 =C2=A0 ...<br>
The roles for these groups might also be automatically created but since<br=
>
a role without privileges isn&#39;t very useful I&#39;m not sure if that ma=
kes<br>
sense.<br>
<br>
(There would also have to be a way to revoke privileges if the AD user<br>
loses membership in an AD group. Or maybe those GRANTs could be scoped<br>
to a session?)<br>
<br>
This would allow the complete user/group administration to be outsourced<br=
>
to AD. Only GRANTs to database objects like tables, views or functions<br>
would need to be done at each database.<br>
<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 hp<br>
<br>
-- <br>
=C2=A0 =C2=A0_=C2=A0 | Peter J. Holzer=C2=A0 =C2=A0 | Story must make more =
sense than reality.<br>
|_|_) |=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0 |<br>
| |=C2=A0 =C2=A0| <a href=3D"mailto:hjp@hjp.at" target=3D"_blank">hjp@hjp.a=
t</a>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0|=C2=A0 =C2=A0 -- Charles Stross, &q=
uot;Creative writing<br>
__/=C2=A0 =C2=A0| <a href=3D"http://www.hjp.at/" rel=3D"noreferrer" target=
=3D"_blank">http://www.hjp.at/</a> |=C2=A0 =C2=A0 =C2=A0 =C2=A0challenge!&q=
uot;</blockquote><div dir=3D"auto"><br></div><div dir=3D"auto">The solution=
 proposed is about as close as I think you can get to the Windows reality a=
nd would be useful. A windows group is the only thing PostgreSQL would know=
 or care about. Individuals authenticate as thier individual selves but are=
 granted access as a member of the global group.=C2=A0</div><div dir=3D"aut=
o"><br></div><div dir=3D"auto">MS SQL Server works like that except that, a=
lthough there is no =E2=80=9Clogin=E2=80=9D with your individual name, you =
are operating within the database as your individual account. They can do t=
hat because they don=E2=80=99t require existence of a named login for the i=
ndividual. I doubt that=E2=80=99s possible for PostgreSQL.=C2=A0</div><div =
dir=3D"auto"><br></div><div dir=3D"auto">As a MS SQL Server admin I can tel=
l you that it is a complete mystery how a user gained access to the databas=
e in this world. You might be a member of many groups, all of which might h=
ave a server login (granted server roles) and be mapped into databases with=
 potentially differently named database users, while SELECT @@USER will sho=
w your actual individual domain user name.=C2=A0</div><div dir=3D"auto"><br=
></div><div dir=3D"auto">I think this feature would be useful but I think t=
he PostgreSQL role -&gt; Active Directory Group mapping is where it should =
end. That effectively makes it a shared role, as who the connection was est=
ablished as would be lost.=C2=A0</div><blockquote class=3D"gmail_quote" sty=
le=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex" dir=3D=
"auto"><br>
</blockquote></div></div>

--000000000000e84243061ce572c2--