/*-------------------------------------------------------------------------
 *
 * hba.h
 *    Interface to hba.c
 *
 *
 * src/include/libpq/hba.h
 *
 *-------------------------------------------------------------------------
 */
#ifndef HBA_H
#define HBA_H

#include "libpq/pqcomm.h"   /* pgrminclude ignore */ /* needed for NetBSD */
#include "nodes/pg_list.h"
#include "regex/regex.h"


/*
 * The following enum represents the authentication methods that
 * are supported by PostgreSQL.
 *
 * Note: keep this in sync with the UserAuthName array in hba.c.
 */
typedef enum UserAuth
{
    uaReject,
    uaImplicitReject,           /* Not a user-visible option */
    uaTrust,
    uaIdent,
    uaPassword,
    uaMD5,
    uaSCRAM,
    uaGSS,
    uaSSPI,
    uaPAM,
    uaBSD,
    uaLDAP,
    uaCert,
    uaRADIUS,
    uaPeer
#define USER_AUTH_LAST uaPeer   /* Must be last value of this enum */
} UserAuth;


/*
 * Data structures representing pg_hba.conf entries
 */

typedef enum IPCompareMethod
{
    ipCmpMask,
    ipCmpSameHost,
    ipCmpSameNet,
    ipCmpAll
} IPCompareMethod;

typedef enum ConnType
{
    ctLocal,
    ctHost,
    ctHostSSL,
    ctHostNoSSL,
    ctHostGSS,
    ctHostNoGSS,
} ConnType;

typedef enum ClientCertMode
{
    clientCertOff,
    clientCertCA,
    clientCertFull
} ClientCertMode;

typedef enum ClientCertName
{
    clientCertCN,
    clientCertDN
} ClientCertName;

typedef struct HbaLine
{
    int         linenumber;
    char       *rawline;
    ConnType    conntype;
    List       *databases;
    List       *roles;
    struct sockaddr_storage addr;
    int         addrlen;        /* zero if we don't have a valid addr */
    struct sockaddr_storage mask;
    int         masklen;        /* zero if we don't have a valid mask */
    IPCompareMethod ip_cmp_method;
    char       *hostname;
    UserAuth    auth_method;
    char       *usermap;
    char       *pamservice;
    bool        pam_use_hostname;
    bool        ldaptls;
    char       *ldapscheme;
    char       *ldapserver;
    int         ldapport;
    char       *ldapbinddn;
    char       *ldapbindpasswd;
    char       *ldapsearchattribute;
    char       *ldapsearchfilter;
    char       *ldapbasedn;
    int         ldapscope;
    char       *ldapprefix;
    char       *ldapsuffix;
    ClientCertMode clientcert;
    ClientCertName clientcertname;
    char       *krb_realm;
    bool        include_realm;
    bool        compat_realm;
    bool        upn_username;
    List       *radiusservers;
    char       *radiusservers_s;
    List       *radiussecrets;
    char       *radiussecrets_s;
    List       *radiusidentifiers;
    char       *radiusidentifiers_s;
    List       *radiusports;
    char       *radiusports_s;
} HbaLine;

typedef struct IdentLine
{
    int         linenumber;

    char       *usermap;
    char       *ident_user;
    char       *pg_role;
    regex_t     re;
} IdentLine;

/* kluge to avoid including libpq/libpq-be.h here */
typedef struct Port hbaPort;

extern bool load_hba(void);
extern bool load_ident(void);
extern const char *hba_authname(hbaPort *port);
extern void hba_getauthmethod(hbaPort *port);
extern int  check_usermap(const char *usermap_name,
                          const char *pg_role, const char *auth_user,
                          bool case_sensitive);
extern bool pg_isblank(const char c);

#endif                          /* HBA_H */


Commit messages shown in the blame view for this file, listed once each with the lines they annotate:

On '#include "regex/regex.h"', the IdentLine struct and load_ident():

Parse pg_ident.conf when it's loaded, keeping it in memory in parsed format.
Similar changes were done to pg_hba.conf earlier already; this commit makes
pg_ident.conf behave the same as pg_hba.conf.
This has two user-visible effects. First, if pg_ident.conf contains multiple
errors, the whole file is parsed at postmaster startup time and all the
errors are immediately reported. Before this patch, the file was parsed and
the errors were reported only when someone tried to connect using an
authentication method that uses the file, and the parsing stopped on the first
error. Second, if you SIGHUP to reload the config files, and the new
pg_ident.conf file contains an error, the error is logged but the old file
stays in effect.
Also, regular expressions in pg_ident.conf are now compiled only once when
the file is loaded, rather than every time a user is authenticated. That
should speed up authentication if you have a lot of regexps in the file.
Amit Kapila
2012-09-21 16:41:22 +02:00

On uaSCRAM:

Allow SCRAM authentication, when pg_hba.conf says 'md5'.
If a user has a SCRAM verifier in pg_authid.rolpassword, there's no reason
we cannot attempt to perform SCRAM authentication instead of MD5. The worst
that can happen is that the client doesn't support SCRAM, and the
authentication will fail. But previously, it would fail for sure, because
we would not even try. SCRAM is strictly more secure than MD5, so there's
no harm in trying it. This allows for a more graceful transition from MD5
passwords to SCRAM, as user passwords can be changed to SCRAM verifiers
incrementally, without changing pg_hba.conf.
Refactor the code in auth.c to support that better. Notably, we now have to
look up the user's pg_authid entry before sending the password challenge,
also when performing MD5 authentication. Also simplify the concept of a
"doomed" authentication. Previously, if a user had a password, but it had
expired, we still performed SCRAM authentication (but always returned error
at the end) using the salt and iteration count from the expired password.
Now we construct a fake salt, like we do when the user doesn't have a
password or doesn't exist at all. That simplifies get_role_password(), and
we don't need to distinguish the "user has expired password" and
"user does not exist" cases in auth.c.
On second thoughts, also rename uaSASL to uaSCRAM. It refers to the
mechanism specified in pg_hba.conf, and while we use SASL for SCRAM
authentication at the protocol level, the mechanism should be called SCRAM,
not SASL. As a comparison, we have uaLDAP, even though it looks like the
plain 'password' authentication at the protocol level.
Discussion: https://www.postgresql.org/message-id/6425.1489506016@sss.pgh.pa.us
Reviewed-by: Michael Paquier
2017-03-24 12:32:21 +01:00

On ctHostNoSSL, ctHostGSS and ctHostNoGSS:

GSSAPI encryption support
On both the frontend and backend, prepare for GSSAPI encryption
support by moving common code for error handling into a separate file.
Fix a TODO for handling multiple status messages in the process.
Eliminate the OIDs, which have not been needed for some time.
Add frontend and backend encryption support functions. Keep the
context initiation for authentication-only separate on both the
frontend and backend in order to avoid concerns about changing the
requested flags to include encryption support.
In postmaster, pull GSSAPI authorization checking into a shared
function. Also share the initiator name between the encryption and
non-encryption codepaths.
For HBA, add "hostgssenc" and "hostnogssenc" entries that behave
similarly to their SSL counterparts. "hostgssenc" requires either
"gss", "trust", or "reject" for its authentication.
Similarly, add a "gssencmode" parameter to libpq. Supported values are
"disable", "require", and "prefer". Notably, negotiation will only be
attempted if credentials can be acquired. Move credential acquisition
into its own function to support this behavior.
Add a simple pg_stat_gssapi view similar to pg_stat_ssl, for monitoring
if GSSAPI authentication was used, what principal was used, and if
encryption is being used on the connection.
Finally, add documentation for everything new, and update existing
documentation on connection security.
Thanks to Michael Paquier for the Windows fixes.
Author: Robbie Harwood, with changes to the read/write functions by me.
Reviewed in various forms and at different times by: Michael Paquier,
Andres Freund, David Steele.
Discussion: https://www.postgresql.org/message-id/flat/jlg1tgq1ktm.fsf@thriss.redhat.com
2019-04-03 21:02:33 +02:00

On hba_authname():

Add some information about authenticated identity via log_connections
The "authenticated identity" is the string used by an authentication
method to identify a particular user. In many common cases, this is the
same as the PostgreSQL username, but for some third-party authentication
methods, the identifier in use may be shortened or otherwise translated
(e.g. through pg_ident user mappings) before the server stores it.
To help administrators see who has actually interacted with the system,
this commit adds the capability to store the original identity when
authentication succeeds within the backend's Port, and generates a log
entry when log_connections is enabled. The log entries generated look
something like this (where a local user named "foouser" is connecting to
the database as the database user called "admin"):
LOG: connection received: host=[local]
LOG: connection authenticated: identity="foouser" method=peer (/data/pg_hba.conf:88)
LOG: connection authorized: user=admin database=postgres application_name=psql
Port->authn_id is set according to the authentication method:
bsd: the PostgreSQL username (aka the local username)
cert: the client's Subject DN
gss: the user principal
ident: the remote username
ldap: the final bind DN
pam: the PostgreSQL username (aka PAM username)
password (and all pw-challenge methods): the PostgreSQL username
peer: the peer's pw_name
radius: the PostgreSQL username (aka the RADIUS username)
sspi: either the down-level (SAM-compatible) logon name, if
compat_realm=1, or the User Principal Name if compat_realm=0
The trust auth method does not set an authenticated identity. Neither
does clientcert=verify-full.
Port->authn_id could be used for other purposes, like a superuser-only
extra column in pg_stat_activity, but this is left as future work.
PostgresNode::connect_{ok,fails}() have been modified to let tests check
the backend log files for required or prohibited patterns, using the
new log_like and log_unlike parameters. This uses a method based on a
truncation of the existing server log file, like issues_sql_like().
Tests are added to the ldap, kerberos, authentication and SSL test
suites.
Author: Jacob Champion
Reviewed-by: Stephen Frost, Magnus Hagander, Tom Lane, Michael Paquier
Discussion: https://postgr.es/m/c55788dd1773c521c862e8e0dddb367df51222be.camel@vmware.com
2021-04-07 03:16:39 +02:00

On the closing '#endif /* HBA_H */':

Phase 2 of pgindent updates.
Change pg_bsd_indent to follow upstream rules for placement of comments
to the right of code, and remove pgindent hack that caused comments
following #endif to not obey the general rule.
Commit e3860ffa4dd0dad0dd9eea4be9cc1412373a8c89 wasn't actually using
the published version of pg_bsd_indent, but a hacked-up version that
tried to minimize the amount of movement of comments to the right of
code. The situation of interest is where such a comment has to be
moved to the right of its default placement at column 33 because there's
code there. BSD indent has always moved right in units of tab stops
in such cases --- but in the previous incarnation, indent was working
in 8-space tab stops, while now it knows we use 4-space tabs. So the
net result is that in about half the cases, such comments are placed
one tab stop left of before. This is better all around: it leaves
more room on the line for comment text, and it means that in such
cases the comment uniformly starts at the next 4-space tab stop after
the code, rather than sometimes one and sometimes two tabs after.
Also, ensure that comments following #endif are indented the same
as comments following other preprocessor commands such as #else.
That inconsistency turns out to have been self-inflicted damage
from a poorly-thought-through post-indent "fixup" in pgindent.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-21 21:18:54 +02:00
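As an added example (not PostgreSQL's own code), here is a reduced model of the IdentLine table and check_usermap() declared in hba.h, showing the two behaviours the pg_ident.conf commit message above describes: regexes compiled once at load time, and every bad map line reported rather than stopping at the first. The sample map entries, the load_ident_lines() loader and the simplified matcher (no \1 substitution, no case-insensitive mode) are assumptions of this example.

```c
/* Added illustration, not PostgreSQL's own code: a reduced IdentLine table.
 * Each regex is compiled once when the map is loaded, and every bad line is
 * reported before loading finishes; per connection only regexec/strcmp run. */
#include <regex.h>
#include <stdio.h>
#include <string.h>

typedef struct IdentLine {
    int linenumber;
    const char *usermap, *ident_user, *pg_role;  /* field names as in hba.h */
    regex_t re;              /* valid only when ident_user starts with '/' */
} IdentLine;
/* Constructed sample pg_ident.conf: MAPNAME SYSTEM-USERNAME PG-USERNAME */
static const char *sample[][3] = {
    {"pgmap", "/^[a-z]+@example\\.com$", "appuser"},
    {"pgmap", "root", "postgres"},
    {"pgmap", "/^(unclosed", "bad1"},         /* deliberately invalid regex */
    {"pgmap", "/[unclosed", "bad2"},          /* deliberately invalid regex */
};
static IdentLine lines[4];
static int nlines;

/* Parse all entries up front; returns how many were rejected, after
 * logging each one (parsing does not stop at the first error). */
int load_ident_lines(void)
{
    int errors = 0;
    nlines = 0;
    for (int i = 0; i < 4; i++) {
        IdentLine *l = &lines[nlines];
        l->usermap = sample[i][0]; l->ident_user = sample[i][1];
        l->pg_role = sample[i][2]; l->linenumber = i + 1;
        if (l->ident_user[0] == '/' &&
            regcomp(&l->re, l->ident_user + 1, REG_EXTENDED | REG_NOSUB)) {
            fprintf(stderr, "line %d: invalid regex %s\n", l->linenumber, l->ident_user);
            errors++;
            continue;        /* drop this entry, keep loading the rest */
        }
        nlines++;
    }
    return errors;
}
/* Per-connection check with check_usermap()'s codes: 0 = OK, -1 = no match. */
int check_usermap(const char *usermap_name, const char *pg_role, const char *auth_user)
{
    for (int i = 0; i < nlines; i++) {
        const IdentLine *l = &lines[i];
        if (strcmp(l->usermap, usermap_name) || strcmp(l->pg_role, pg_role))
            continue;
        if (l->ident_user[0] == '/' ? !regexec(&l->re, auth_user, 0, NULL, 0)
                                    : !strcmp(l->ident_user, auth_user))
            return 0;
    }
    return -1;
}
```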