Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1nOdEL-0003ki-Ki for pgsql-hackers@arkaria.postgresql.org; Mon, 28 Feb 2022 10:26:13 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1nOdEK-000793-HN for pgsql-hackers@arkaria.postgresql.org; Mon, 28 Feb 2022 10:26:12 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1nOdEK-00078u-7j for pgsql-hackers@lists.postgresql.org; Mon, 28 Feb 2022 10:26:12 +0000 Received: from wout1-smtp.messagingengine.com ([64.147.123.24]) by makus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1nOdEH-0001T6-FN for pgsql-hackers@lists.postgresql.org; Mon, 28 Feb 2022 10:26:11 +0000 Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.west.internal (Postfix) with ESMTP id 59CEC3201134; Mon, 28 Feb 2022 05:26:08 -0500 (EST) Received: from mailfrontend2 ([10.202.2.163]) by compute5.internal (MEProxy); Mon, 28 Feb 2022 05:26:08 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:date:from:from:in-reply-to:in-reply-to:message-id :mime-version:references:reply-to:sender:subject:subject:to:to :x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm2; bh=iCesr7e+4kCZs/YPnDenYbZDy4HS0ECDgu+cMD8Ggdc=; b=n1Nlmf4g XYJXr6v+5fx4gdHT+hazdjT1HweiY8F5ItPlJwZG2OJFQU6WTp9B4pig6Y0eoHDi 0nGruvLZjwwu23WTyMPzut4QkvDzSpnjDpqQLOAXadcl7wcVXXDZUMtxrOAuuecm yPc36roESt1/XibHrW5UD2+eZEvDKf8d1Go73b8+FzjgUOYfpqBXOx80Acnjd179 tPK3J1Nx+bZio1e8qBLJmozjQdRBtlKUmtGI8TGrAf5fl6/oX6gp1nX5ZxzHCybh ikVvqDA/laahJQPHYQHmR65XRup6lhTIO7hJypk/pQswBs3XDOoDdz/EgNyQHi1l r78Kw5f5fsO5TA== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvvddruddttddgudegucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefkffggfgfuvfhfhfgjtgfgsehtke ertddtfeejnecuhfhrohhmpefrvghtvghrucfgihhsvghnthhrrghuthcuoehpvghtvghr rdgvihhsvghnthhrrghuthesvghnthgvrhhprhhishgvuggsrdgtohhmqeenucggtffrrg htthgvrhhnpeelgfetfeeitdelleeggeejvefhueetfedvtdejheevueeifeegvdfhueel udetueenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpe hpvghtvghrrdgvihhsvghnthhrrghuthesvghnthgvrhhprhhishgvuggsrdgtohhm X-ME-Proxy: Received: by mail.messagingengine.com (Postfix) with ESMTPA; Mon, 28 Feb 2022 05:26:07 -0500 (EST) Message-ID: <9f017d59-c3f8-5d7a-beba-ef7304bd8cf9@enterprisedb.com> Date: Mon, 28 Feb 2022 11:26:06 +0100 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.6.0 Subject: Re: Proposal: Support custom authentication methods using hooks Content-Language: en-US To: samay sharma , pgsql-hackers@lists.postgresql.org References: From: Peter Eisentraut In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On 17.02.22 20:25, samay sharma wrote: > A use case where this is useful are environments where you want > authentication to be centrally managed across different services. This > is a common deployment model for cloud providers where customers like to > use single sign on and authenticate across different services including > Postgres. Implementing this now is tricky as it requires syncing that > authentication method's credentials with Postgres (and that gets > trickier with TTL/expiry etc.). With these hooks, you can implement an > extension to check credentials directly using the > authentication provider's APIs. We already have a variety of authentication mechanisms that support central management: LDAP, PAM, Kerberos, Radius. What other mechanisms are people thinking about implementing using these hooks? Maybe there are a bunch of them, in which case a hook system might be sensible, but if there are only one or two plausible ones, we could also just make them built in.