Make krb_realm and krb_server_hostname be pg_hba options only, and remove their GUCs.

In passing, noted that the pg_hba options for krb5 authentication weren't
listed at all - so add this.
Magnus Hagander 2009-01-09 10:13:19 +00:00
parent 32e1265dd9
commit 1b4e729eaa
5 changed files with 72 additions and 112 deletions


@ -1,4 +1,4 @@
<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.117 2009/01/07 13:09:21 mha Exp $ --> <!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.118 2009/01/09 10:13:18 mha Exp $ -->
<chapter id="client-authentication"> <chapter id="client-authentication">
<title>Client Authentication</title> <title>Client Authentication</title>
@ -801,18 +801,8 @@ omicron bryanh guest1
<term>krb_realm</term> <term>krb_realm</term>
<listitem> <listitem>
<para> <para>
Overrides the <xref linkend="guc-krb-realm"> parameter, setting which realm Sets the realm to match user principal names against. If this parameter
to verify the authenticated user principal against. is not set, the realm of the user will be ignored.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>krb_server_hostname</term>
<listitem>
<para>
Overrides the <xref linkend="guc-krb-server-hostname"> parameter, setting which
hostname will be used for the server principal when using Kerberos.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
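Review bot: the new krb_realm wording "If this parameter is not set, the realm of the user will be ignored" should spell out what that means for access control: with no krb_realm, a principal from any realm the KDC trusts whose user part matches a role name is accepted for that role, so sites with cross-realm authentication need to set krb_realm here (or use include_realm with a username map). Since the postgresql.conf krb_realm parameter is removed in this commit, this entry should also say that pg_hba.conf is now the only place the realm check can be configured; the old "Overrides the ... parameter" text made that relationship visible and the replacement does not.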
@ -874,8 +864,8 @@ omicron bryanh guest1
<term>krb_realm</term> <term>krb_realm</term>
<listitem> <listitem>
<para> <para>
Overrides the <xref linkend="guc-krb-realm"> parameter, setting which realm Sets the realm to match user principal names against. If this parameter
to verify the authenticated user principal against. is not set, the realm of the user will be ignored.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -953,7 +943,7 @@ omicron bryanh guest1
<literal>pgusername@realm</>. By default, the realm of the client is <literal>pgusername@realm</>. By default, the realm of the client is
not checked by <productname>PostgreSQL</>. If you have cross-realm not checked by <productname>PostgreSQL</>. If you have cross-realm
authentication enabled and need to verify the realm, use the authentication enabled and need to verify the realm, use the
<xref linkend="guc-krb-realm"> parameter. krb_realm parameter in <filename>pg_hba.conf</>.
</para> </para>
<para> <para>
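Review bot: "krb_realm parameter in <filename>pg_hba.conf</>" loses the markup that the removed <xref linkend="guc-krb-realm"> supplied; wrap the option name, e.g. <literal>krb_realm</>, to match how option names are marked up elsewhere in this file, and consider pointing the reader at the option list this commit adds to the same section rather than naming the parameter bare.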
@ -996,6 +986,55 @@ omicron bryanh guest1
database access over the web, no extra passwords required. database access over the web, no extra passwords required.
</para> </para>
<para>
The following configuration options are supported for <productname>Kerberos</productname>:
<variablelist>
<varlistentry>
<term>map</term>
<listitem>
<para>
Allows for mapping between system and database usernames. See
<xref linkend="auth-username-maps"> for details.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>include_realm</term>
<listitem>
<para>
Include the realm name from the authenticated user principal. This is useful
in combination with Username maps (See <xref linkend="auth-username-maps">
for details), especially with regular expressions, to map users from
multiple realms.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>krb_realm</term>
<listitem>
<para>
Sets the realm to match user principal names against. If this parameter
is not set, the realm of the user will be ignored.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>krb_server_hostname</term>
<listitem>
<para>
Sets the host name part of the service principal.
This, combined with <varname>krb_srvname</>, is used to generate
the complete service principal, that is
<varname>krb_srvname</><literal>/</><varname>krb_server_hostname</><literal>@</>REALM.
If not set, the default is the server host name.
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</sect2> </sect2>
<sect2 id="auth-ident"> <sect2 id="auth-ident">
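Review bot: the krb_server_hostname entry says "If not set, the default is the server host name", but the postgresql.conf.sample line this commit deletes documented the other case, "empty string matches any keytab entry", and pg_krb5_init still turns a blank value into NULL; state the unset-versus-blank behaviour here so the keytab-matching semantics do not disappear together with the GUC. Two smaller points in the same list: the principal formula mixes <varname>krb_srvname</>, which remains a postgresql.conf parameter, with krb_server_hostname, which is now a pg_hba.conf option, so say where each is set; and the include_realm entry never says what values the option accepts or what the resulting name looks like (the section above uses pgusername@realm), which the username-map reader needs.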


@ -1,4 +1,4 @@
<!-- $PostgreSQL: pgsql/doc/src/sgml/config.sgml,v 1.203 2009/01/07 22:40:48 tgl Exp $ --> <!-- $PostgreSQL: pgsql/doc/src/sgml/config.sgml,v 1.204 2009/01/09 10:13:18 mha Exp $ -->
<chapter Id="runtime-config"> <chapter Id="runtime-config">
<title>Server Configuration</title> <title>Server Configuration</title>
@ -612,22 +612,6 @@ SET ENABLE_SEQSCAN TO OFF;
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry id="guc-krb-realm" xreflabel="krb_realm">
<term><varname>krb_realm</varname> (<type>string</type>)</term>
<indexterm>
<primary><varname>krb_realm</> configuration parameter</primary>
</indexterm>
<listitem>
<para>
Sets the realm to match Kerberos, GSSAPI and SSPI user names against.
See <xref linkend="kerberos-auth">, <xref linkend="gssapi-auth"> or
<xref linkend="sspi-auth"> for details. This parameter can only be
set in the <filename>postgresql.conf</> file or on the server
command line.
</para>
</listitem>
</varlistentry>
<varlistentry id="guc-krb-server-keyfile" xreflabel="krb_server_keyfile"> <varlistentry id="guc-krb-server-keyfile" xreflabel="krb_server_keyfile">
<term><varname>krb_server_keyfile</varname> (<type>string</type>)</term> <term><varname>krb_server_keyfile</varname> (<type>string</type>)</term>
<indexterm> <indexterm>
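Review bot: deleting the id guc-krb-realm breaks every remaining <xref linkend="guc-krb-realm">; this commit rewrites the three in client-auth.sgml, but the SGML build fails on any other occurrence (release notes, the configuration index), so grep the doc tree for both this id and guc-krb-server-hostname, which the next hunk removes, before committing.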
@ -657,24 +641,6 @@ SET ENABLE_SEQSCAN TO OFF;
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry id="guc-krb-server-hostname" xreflabel="krb_server_hostname">
<term><varname>krb_server_hostname</varname> (<type>string</type>)</term>
<indexterm>
<primary><varname>krb_server_hostname</> configuration parameter</primary>
</indexterm>
<listitem>
<para>
Sets the host name part of the service principal.
This, combined with <varname>krb_srvname</>, is used to generate
the complete service principal, that is
<varname>krb_srvname</><literal>/</><varname>krb_server_hostname</><literal>@</>REALM.
If not set, the default is the server host name. See <xref linkend="kerberos-auth">
for details. This parameter can only be set in the <filename>postgresql.conf</>
file or on the server command line.
</para>
</listitem>
</varlistentry>
<varlistentry id="guc-krb-caseins-users" xreflabel="krb_caseins_users"> <varlistentry id="guc-krb-caseins-users" xreflabel="krb_caseins_users">
<term><varname>krb_caseins_users</varname> (<type>boolean</type>)</term> <term><varname>krb_caseins_users</varname> (<type>boolean</type>)</term>
<indexterm> <indexterm>


@ -8,7 +8,7 @@
* *
* *
* IDENTIFICATION * IDENTIFICATION
* $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.177 2009/01/07 13:09:21 mha Exp $ * $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.178 2009/01/09 10:13:18 mha Exp $
* *
*------------------------------------------------------------------------- *-------------------------------------------------------------------------
*/ */
@ -129,8 +129,6 @@ static int CheckCertAuth(Port *port);
char *pg_krb_server_keyfile; char *pg_krb_server_keyfile;
char *pg_krb_srvnam; char *pg_krb_srvnam;
bool pg_krb_caseins_users; bool pg_krb_caseins_users;
char *pg_krb_server_hostname = NULL;
char *pg_krb_realm = NULL;
/*---------------------------------------------------------------- /*----------------------------------------------------------------
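Review bot: pg_krb_server_hostname and pg_krb_realm are deleted here, but none of the five files in this commit is a header, and guc.c previously took their addresses (&pg_krb_realm, &pg_krb_server_hostname), which means an extern declaration was visible to guc.c; that declaration should be removed in the same commit, otherwise it is left dangling for a symbol that no longer exists.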
@ -645,10 +643,7 @@ pg_krb5_init(Port *port)
* If no hostname was specified, pg_krb_server_hostname is already NULL. * If no hostname was specified, pg_krb_server_hostname is already NULL.
* If it's set to blank, force it to NULL. * If it's set to blank, force it to NULL.
*/ */
if (port->hba->krb_server_hostname) khostname = port->hba->krb_server_hostname;
khostname = port->hba->krb_server_hostname;
else
khostname = pg_krb_server_hostname;
if (khostname && khostname[0] == '\0') if (khostname && khostname[0] == '\0')
khostname = NULL; khostname = NULL;
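Review bot: the comment above "khostname = port->hba->krb_server_hostname;" still reads "If no hostname was specified, pg_krb_server_hostname is already NULL", but that variable is removed in this commit; update it to say that an unset pg_hba option leaves port->hba->krb_server_hostname NULL, so the comment matches the code it describes.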
@ -694,7 +689,6 @@ pg_krb5_recvauth(Port *port)
krb5_ticket *ticket; krb5_ticket *ticket;
char *kusername; char *kusername;
char *cp; char *cp;
char *realmmatch;
if (get_role_line(port->user_name) == NULL) if (get_role_line(port->user_name) == NULL)
return STATUS_ERROR; return STATUS_ERROR;
@ -740,11 +734,6 @@ pg_krb5_recvauth(Port *port)
return STATUS_ERROR; return STATUS_ERROR;
} }
if (port->hba->krb_realm)
realmmatch = port->hba->krb_realm;
else
realmmatch = pg_krb_realm;
cp = strchr(kusername, '@'); cp = strchr(kusername, '@');
if (cp) if (cp)
{ {
@ -757,19 +746,19 @@ pg_krb5_recvauth(Port *port)
*cp = '\0'; *cp = '\0';
cp++; cp++;
if (realmmatch != NULL && strlen(realmmatch)) if (port->hba->krb_realm != NULL && strlen(port->hba->krb_realm))
{ {
/* Match realm against configured */ /* Match realm against configured */
if (pg_krb_caseins_users) if (pg_krb_caseins_users)
ret = pg_strcasecmp(realmmatch, cp); ret = pg_strcasecmp(port->hba->krb_realm, cp);
else else
ret = strcmp(realmmatch, cp); ret = strcmp(port->hba->krb_realm, cp);
if (ret) if (ret)
{ {
elog(DEBUG2, elog(DEBUG2,
"krb5 realm (%s) and configured realm (%s) don't match", "krb5 realm (%s) and configured realm (%s) don't match",
cp, realmmatch); cp, port->hba->krb_realm);
krb5_free_ticket(pg_krb5_context, ticket); krb5_free_ticket(pg_krb5_context, ticket);
krb5_auth_con_free(pg_krb5_context, auth_context); krb5_auth_con_free(pg_krb5_context, auth_context);
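Review bot: "port->hba->krb_realm != NULL && strlen(port->hba->krb_realm)" is an emptiness test; "port->hba->krb_realm[0] != '\0'" expresses it without scanning the string. More importantly, this exact test plus the caseins-dependent compare and DEBUG2 elog is now repeated verbatim in pg_krb5_recvauth, pg_GSS_recvauth and pg_SSPI_recvauth; a small static helper taking the configured realm and the presented realm would keep the three paths from drifting apart the next time one of them is touched.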
@ -777,7 +766,7 @@ pg_krb5_recvauth(Port *port)
} }
} }
} }
else if (realmmatch && strlen(realmmatch)) else if (port->hba->krb_realm&& strlen(port->hba->krb_realm))
{ {
elog(DEBUG2, elog(DEBUG2,
"krb5 did not return realm but realm matching was requested"); "krb5 did not return realm but realm matching was requested");
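Review bot: "port->hba->krb_realm&& strlen(port->hba->krb_realm)" is missing the space before "&&"; pgindent will repair it eventually, but it is cheaper to commit it clean.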
@ -874,7 +863,6 @@ pg_GSS_recvauth(Port *port)
int ret; int ret;
StringInfoData buf; StringInfoData buf;
gss_buffer_desc gbuf; gss_buffer_desc gbuf;
char *realmmatch;
/* /*
* GSS auth is not supported for protocol versions before 3, because it * GSS auth is not supported for protocol versions before 3, because it
@ -1034,11 +1022,6 @@ pg_GSS_recvauth(Port *port)
gettext_noop("retrieving GSS user name failed"), gettext_noop("retrieving GSS user name failed"),
maj_stat, min_stat); maj_stat, min_stat);
if (port->hba->krb_realm)
realmmatch = port->hba->krb_realm;
else
realmmatch = pg_krb_realm;
/* /*
* Split the username at the realm separator * Split the username at the realm separator
*/ */
@ -1055,28 +1038,28 @@ pg_GSS_recvauth(Port *port)
*cp = '\0'; *cp = '\0';
cp++; cp++;
if (realmmatch != NULL && strlen(realmmatch)) if (port->hba->krb_realm != NULL && strlen(port->hba->krb_realm))
{ {
/* /*
* Match the realm part of the name first * Match the realm part of the name first
*/ */
if (pg_krb_caseins_users) if (pg_krb_caseins_users)
ret = pg_strcasecmp(realmmatch, cp); ret = pg_strcasecmp(port->hba->krb_realm, cp);
else else
ret = strcmp(realmmatch, cp); ret = strcmp(port->hba->krb_realm, cp);
if (ret) if (ret)
{ {
/* GSS realm does not match */ /* GSS realm does not match */
elog(DEBUG2, elog(DEBUG2,
"GSSAPI realm (%s) and configured realm (%s) don't match", "GSSAPI realm (%s) and configured realm (%s) don't match",
cp, realmmatch); cp, port->hba->krb_realm);
gss_release_buffer(&lmin_s, &gbuf); gss_release_buffer(&lmin_s, &gbuf);
return STATUS_ERROR; return STATUS_ERROR;
} }
} }
} }
else if (realmmatch && strlen(realmmatch)) else if (port->hba->krb_realm && strlen(port->hba->krb_realm))
{ {
elog(DEBUG2, elog(DEBUG2,
"GSSAPI did not return realm but realm matching was requested"); "GSSAPI did not return realm but realm matching was requested");
@ -1140,7 +1123,6 @@ pg_SSPI_recvauth(Port *port)
SID_NAME_USE accountnameuse; SID_NAME_USE accountnameuse;
HMODULE secur32; HMODULE secur32;
QUERY_SECURITY_CONTEXT_TOKEN_FN _QuerySecurityContextToken; QUERY_SECURITY_CONTEXT_TOKEN_FN _QuerySecurityContextToken;
char *realmmatch;
/* /*
* SSPI auth is not supported for protocol versions before 3, because it * SSPI auth is not supported for protocol versions before 3, because it
@ -1353,18 +1335,13 @@ pg_SSPI_recvauth(Port *port)
* Compare realm/domain if requested. In SSPI, always compare case * Compare realm/domain if requested. In SSPI, always compare case
* insensitive. * insensitive.
*/ */
if (port->hba->krb_realm) if (port->hba->krb_realm && strlen(port->hba->krb_realm))
realmmatch = port->hba->krb_realm;
else
realmmatch = pg_krb_realm;
if (realmmatch && strlen(realmmatch))
{ {
if (pg_strcasecmp(realmmatch, domainname)) if (pg_strcasecmp(port->hba->krb_realm, domainname))
{ {
elog(DEBUG2, elog(DEBUG2,
"SSPI domain (%s) and configured domain (%s) don't match", "SSPI domain (%s) and configured domain (%s) don't match",
domainname, realmmatch); domainname, port->hba->krb_realm);
return STATUS_ERROR; return STATUS_ERROR;
} }
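Review bot: the SSPI path always compares with pg_strcasecmp, as the comment above says, while the krb5 and GSSAPI paths honour pg_krb_caseins_users; that asymmetry predates this commit, but now that krb_realm is documented per method in pg_hba.conf, the SSPI entry for krb_realm should say the domain comparison is case-insensitive regardless of krb_caseins_users, since the new doc text for SSPI is identical to the krb5/GSSAPI text.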


@ -10,7 +10,7 @@
* Written by Peter Eisentraut <peter_e@gmx.net>. * Written by Peter Eisentraut <peter_e@gmx.net>.
* *
* IDENTIFICATION * IDENTIFICATION
* $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.491 2009/01/07 22:40:49 tgl Exp $ * $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.492 2009/01/09 10:13:18 mha Exp $
* *
*-------------------------------------------------------------------- *--------------------------------------------------------------------
*/ */
@ -2130,16 +2130,6 @@ static struct config_string ConfigureNamesString[] =
"$libdir", NULL, NULL "$libdir", NULL, NULL
}, },
{
{"krb_realm", PGC_SIGHUP, CONN_AUTH_SECURITY,
gettext_noop("Sets realm to match Kerberos and GSSAPI users against."),
NULL,
GUC_SUPERUSER_ONLY
},
&pg_krb_realm,
NULL, NULL, NULL
},
{ {
{"krb_server_keyfile", PGC_SIGHUP, CONN_AUTH_SECURITY, {"krb_server_keyfile", PGC_SIGHUP, CONN_AUTH_SECURITY,
gettext_noop("Sets the location of the Kerberos server key file."), gettext_noop("Sets the location of the Kerberos server key file."),
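Review bot: removing krb_realm from the GUC table (and krb_server_hostname in the next hunk) means a postgresql.conf that still sets either will make the server refuse to start with an unrecognized-parameter error instead of silently ignoring the setting; that is the right behaviour, but as both were PGC_SIGHUP parameters that existing installations may have in their config, the upgrade consequence belongs in the release notes.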
@ -2159,15 +2149,6 @@ static struct config_string ConfigureNamesString[] =
PG_KRB_SRVNAM, NULL, NULL PG_KRB_SRVNAM, NULL, NULL
}, },
{
{"krb_server_hostname", PGC_SIGHUP, CONN_AUTH_SECURITY,
gettext_noop("Sets the hostname of the Kerberos server."),
NULL
},
&pg_krb_server_hostname,
NULL, NULL, NULL
},
{ {
{"bonjour_name", PGC_POSTMASTER, CONN_AUTH_SETTINGS, {"bonjour_name", PGC_POSTMASTER, CONN_AUTH_SETTINGS,
gettext_noop("Sets the Bonjour broadcast service name."), gettext_noop("Sets the Bonjour broadcast service name."),


@ -81,10 +81,7 @@
# Kerberos and GSSAPI # Kerberos and GSSAPI
#krb_server_keyfile = '' #krb_server_keyfile = ''
#krb_srvname = 'postgres' # (Kerberos only) #krb_srvname = 'postgres' # (Kerberos only)
#krb_server_hostname = '' # empty string matches any keytab entry
# (Kerberos only)
#krb_caseins_users = off #krb_caseins_users = off
#krb_realm = ''
# - TCP Keepalives - # - TCP Keepalives -
# see "man 7 tcp" for details # see "man 7 tcp" for details