Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1nPA92-0005MF-3S for pgsql-hackers@arkaria.postgresql.org; Tue, 01 Mar 2022 21:34:56 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1nPA90-00018P-Nu for pgsql-hackers@arkaria.postgresql.org; Tue, 01 Mar 2022 21:34:54 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1nPA8y-00017x-Th for pgsql-hackers@lists.postgresql.org; Tue, 01 Mar 2022 21:34:54 +0000 Received: from out3-smtp.messagingengine.com ([66.111.4.27]) by magus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1nPA8v-0003G1-3U for pgsql-hackers@lists.postgresql.org; Tue, 01 Mar 2022 21:34:52 +0000 Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id F0D735C0126; Tue, 1 Mar 2022 16:34:46 -0500 (EST) Received: from mailfrontend2 ([10.202.2.163]) by compute4.internal (MEProxy); Tue, 01 Mar 2022 16:34:46 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=anarazel.de; h= cc:cc:content-type:date:date:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to; s=fm1; bh=RinHAif5AZwkoEvU2HKMQ1G9IF6Kpz+gtwbGIz FV3as=; b=YakGj4+tidDcoBhBmifY/UYMwOOYL7USYbXmb1eYBXQ4nL9m1ifOl2 QKpGgQUYNro7maF9GNcuDBz7ibvlnIY123KRFEAPMG95k6EAbj9k8jsa8oZsPa0B JMT1IRiH7TxnEQM/nOnmvdu5WzXd9DWU2ChEDO2vbz90Bx9/UqEESt/n8/EgOhl6 CAdND6gqexqKGwDn6Ppd7t1tHHpn/4GLcdm1HTURqgPnLug7hSJfGQ5otO/6KuRp wsru8Ie8F3pXUUeT9i+wwovqvO1pxIeYT2jzAOckG4/RhRnwKY62HrA5vOUU4JNQ jyG0LAwrNNsZozWFkHbOZIsw1u9L24Fw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:date:date:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=RinHAif5AZwkoEvU2 HKMQ1G9IF6Kpz+gtwbGIzFV3as=; b=aU0Qqa3UIJw/mjj+aa0FceC2VicPEoAc0 5YGX1/V1KByGZfUB1a4f+aNcj+GMgxI+87qW8p1JdCOu2xUwzUSnPg4la69m+IMr 8o+2IGR796Gt8hY4arlFgN8EtCPYQOHSJapyECgWOaCiPeGVTemSp6LoXgKLz3wk PsU/t2uNWupN6+QDURWnHVbrijoUpdsr6Pmj+zcoTvJO5Qv8vgR/qrqXsPEwDVVK cFs+sLfJTwzqdx7CFfqOnTTo8IbywiNxu7A6pDYrHEqYEHVYehjfjZ344VuA+rNa hTtGp3XQb4ULZxMjqtVmQXerSD/P56VwQ5OGd5/XH+uFWk5YK30fQ== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvvddruddtvddgudegjecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd enucfjughrpeffhffvuffkfhggtggujgesthdtredttddtvdenucfhrhhomheptehnughr vghsucfhrhgvuhhnugcuoegrnhgurhgvshesrghnrghrrgiivghlrdguvgeqnecuggftrf grthhtvghrnhepudekhfekleeugeevteehleffffejgeelueduleeffeeutdelffeujeff hfeuffdunecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomh eprghnughrvghssegrnhgrrhgriigvlhdruggv X-ME-Proxy: Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue, 1 Mar 2022 16:34:46 -0500 (EST) Date: Tue, 1 Mar 2022 13:34:45 -0800 From: Andres Freund To: Peter Eisentraut Cc: samay sharma , pgsql-hackers@lists.postgresql.org Subject: Re: Proposal: Support custom authentication methods using hooks Message-ID: <20220301213445.xrnwf3prxjaekimb@alap3.anarazel.de> References: <9f017d59-c3f8-5d7a-beba-ef7304bd8cf9@enterprisedb.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <9f017d59-c3f8-5d7a-beba-ef7304bd8cf9@enterprisedb.com> List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk Hi, On 2022-02-28 11:26:06 +0100, Peter Eisentraut wrote: > We already have a variety of authentication mechanisms that support central > management: LDAP, PAM, Kerberos, Radius. LDAP, PAM and Radius all require cleartext passwords, so aren't a great solution based on the concerns voiced in this thread. IME Kerberos is operationally too complicated to really be used, unless it's already part of the operating environment. > What other mechanisms are people thinking about implementing using these > hooks? The cases I've heard about are about centralizing auth across multiple cloud services. Including secret management in some form. E.g. allowing an application to auth to postgres, redis and having the secret provided by infrastructure, rather than having to hardcode it in config or such. I can't see application developers configuring kerberos and I don't think LDAP, PAM, Radius are a great answer either, due to the plaintext requirement alone? LDAP is pretty clearly dying technology, PAM is fragile complicated C stuff that's not portable across OSs. Radius is probably the most realistic, but at least as implemented doesn't seem flexible enough (e.g. no access to group memberships etc). Nor does baking stuff like that in seem realistic to me, it'll presumably be too cloud provider specific. Greetings, Andres Freund