From 7404e77cc1192855afef28ae557993ba6f35c16e Mon Sep 17 00:00:00 2001 From: Peter Eisentraut Date: Thu, 18 Jan 2018 19:12:05 -0500 Subject: [PATCH] Split out documentation of SSL parameters into their own section Split the "Authentication and Security" section into two separate sections "Authentication" and "SSL". The latter part has gotten much longer over time, and doesn't primarily have to do with authentication. Also, the row_security parameter was inconsistently categorized, so clean that up while we're here. --- doc/src/sgml/config.sgml | 233 +++++++++--------- src/backend/utils/misc/guc.c | 38 +-- src/backend/utils/misc/postgresql.conf.sample | 43 ++-- src/include/utils/guc_tables.h | 3 +- 4 files changed, 166 insertions(+), 151 deletions(-) diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml index 31eaacfc4f..45b2af14eb 100644 --- a/doc/src/sgml/config.sgml +++ b/doc/src/sgml/config.sgml @@ -924,8 +924,9 @@ include_dir 'conf.d' - - Security and Authentication + + + Authentication @@ -950,6 +951,123 @@ include_dir 'conf.d' + + password_encryption (enum) + + password_encryption configuration parameter + + + + + When a password is specified in or + , this parameter determines the algorithm + to use to encrypt the password. The default value is md5, + which stores the password as an MD5 hash (on is also + accepted, as alias for md5). Setting this parameter to + scram-sha-256 will encrypt the password with SCRAM-SHA-256. + + + Note that older clients might lack support for the SCRAM authentication + mechanism, and hence not work with passwords encrypted with + SCRAM-SHA-256. See for more details. + + + + + + krb_server_keyfile (string) + + krb_server_keyfile configuration parameter + + + + + Sets the location of the Kerberos server key file. See + + for details. This parameter can only be set in the + postgresql.conf file or on the server command line. + + + + + + krb_caseins_users (boolean) + + krb_caseins_users configuration parameter + + + + + Sets whether GSSAPI user names should be treated + case-insensitively. + The default is off (case sensitive). This parameter can only be + set in the postgresql.conf file or on the server command line. + + + + + + db_user_namespace (boolean) + + db_user_namespace configuration parameter + + + + + This parameter enables per-database user names. It is off by default. + This parameter can only be set in the postgresql.conf + file or on the server command line. + + + + If this is on, you should create users as username@dbname. + When username is passed by a connecting client, + @ and the database name are appended to the user + name and that database-specific user name is looked up by the + server. Note that when you create users with names containing + @ within the SQL environment, you will need to + quote the user name. + + + + With this parameter enabled, you can still create ordinary global + users. Simply append @ when specifying the user + name in the client, e.g. joe@. The @ + will be stripped off before the user name is looked up by the + server. + + + + db_user_namespace causes the client's and + server's user name representation to differ. + Authentication checks are always done with the server's user name + so authentication methods must be configured for the + server's user name, not the client's. Because + md5 uses the user name as salt on both the + client and server, md5 cannot be used with + db_user_namespace. + + + + + This feature is intended as a temporary measure until a + complete solution is found. At that time, this option will + be removed. + + + + + + + + + SSL + + + See for more information about setting up SSL. + + + ssl (boolean) @@ -958,8 +1076,7 @@ include_dir 'conf.d' - Enables SSL connections. Please read - before using this. + Enables SSL connections. This parameter can only be set in the postgresql.conf file or on the server command line. The default is off. @@ -1172,29 +1289,6 @@ include_dir 'conf.d' - - password_encryption (enum) - - password_encryption configuration parameter - - - - - When a password is specified in or - , this parameter determines the algorithm - to use to encrypt the password. The default value is md5, - which stores the password as an MD5 hash (on is also - accepted, as alias for md5). Setting this parameter to - scram-sha-256 will encrypt the password with SCRAM-SHA-256. - - - Note that older clients might lack support for the SCRAM authentication - mechanism, and hence not work with passwords encrypted with - SCRAM-SHA-256. See for more details. - - - - ssl_dh_params_file (string) @@ -1218,91 +1312,6 @@ include_dir 'conf.d' - - - krb_server_keyfile (string) - - krb_server_keyfile configuration parameter - - - - - Sets the location of the Kerberos server key file. See - - for details. This parameter can only be set in the - postgresql.conf file or on the server command line. - - - - - - krb_caseins_users (boolean) - - krb_caseins_users configuration parameter - - - - - Sets whether GSSAPI user names should be treated - case-insensitively. - The default is off (case sensitive). This parameter can only be - set in the postgresql.conf file or on the server command line. - - - - - - db_user_namespace (boolean) - - db_user_namespace configuration parameter - - - - - This parameter enables per-database user names. It is off by default. - This parameter can only be set in the postgresql.conf - file or on the server command line. - - - - If this is on, you should create users as username@dbname. - When username is passed by a connecting client, - @ and the database name are appended to the user - name and that database-specific user name is looked up by the - server. Note that when you create users with names containing - @ within the SQL environment, you will need to - quote the user name. - - - - With this parameter enabled, you can still create ordinary global - users. Simply append @ when specifying the user - name in the client, e.g. joe@. The @ - will be stripped off before the user name is looked up by the - server. - - - - db_user_namespace causes the client's and - server's user name representation to differ. - Authentication checks are always done with the server's user name - so authentication methods must be configured for the - server's user name, not the client's. Because - md5 uses the user name as salt on both the - client and server, md5 cannot be used with - db_user_namespace. - - - - - This feature is intended as a temporary measure until a - complete solution is found. At that time, this option will - be removed. - - - - - diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c index d03ba234b5..5884fa905e 100644 --- a/src/backend/utils/misc/guc.c +++ b/src/backend/utils/misc/guc.c @@ -573,8 +573,10 @@ const char *const config_group_names[] = gettext_noop("Connections and Authentication"), /* CONN_AUTH_SETTINGS */ gettext_noop("Connections and Authentication / Connection Settings"), - /* CONN_AUTH_SECURITY */ - gettext_noop("Connections and Authentication / Security and Authentication"), + /* CONN_AUTH_AUTH */ + gettext_noop("Connections and Authentication / Authentication"), + /* CONN_AUTH_SSL */ + gettext_noop("Connections and Authentication / SSL"), /* RESOURCES */ gettext_noop("Resource Usage"), /* RESOURCES_MEM */ @@ -978,7 +980,7 @@ static struct config_bool ConfigureNamesBool[] = NULL, NULL, NULL }, { - {"ssl", PGC_SIGHUP, CONN_AUTH_SECURITY, + {"ssl", PGC_SIGHUP, CONN_AUTH_SSL, gettext_noop("Enables SSL connections."), NULL }, @@ -987,7 +989,7 @@ static struct config_bool ConfigureNamesBool[] = check_ssl, NULL, NULL }, { - {"ssl_prefer_server_ciphers", PGC_SIGHUP, CONN_AUTH_SECURITY, + {"ssl_prefer_server_ciphers", PGC_SIGHUP, CONN_AUTH_SSL, gettext_noop("Give priority to server ciphersuite order."), NULL }, @@ -1378,7 +1380,7 @@ static struct config_bool ConfigureNamesBool[] = NULL, NULL, NULL }, { - {"db_user_namespace", PGC_SIGHUP, CONN_AUTH_SECURITY, + {"db_user_namespace", PGC_SIGHUP, CONN_AUTH_AUTH, gettext_noop("Enables per-database user names."), NULL }, @@ -1425,7 +1427,7 @@ static struct config_bool ConfigureNamesBool[] = check_transaction_deferrable, NULL, NULL }, { - {"row_security", PGC_USERSET, CONN_AUTH_SECURITY, + {"row_security", PGC_USERSET, CLIENT_CONN_STATEMENT, gettext_noop("Enable row security."), gettext_noop("When enabled, row security will be applied to all users.") }, @@ -1548,7 +1550,7 @@ static struct config_bool ConfigureNamesBool[] = }, { - {"krb_caseins_users", PGC_SIGHUP, CONN_AUTH_SECURITY, + {"krb_caseins_users", PGC_SIGHUP, CONN_AUTH_AUTH, gettext_noop("Sets whether Kerberos and GSSAPI user names should be treated as case-insensitive."), NULL }, @@ -2247,7 +2249,7 @@ static struct config_int ConfigureNamesInt[] = }, { - {"authentication_timeout", PGC_SIGHUP, CONN_AUTH_SECURITY, + {"authentication_timeout", PGC_SIGHUP, CONN_AUTH_AUTH, gettext_noop("Sets the maximum allowed time to complete client authentication."), NULL, GUC_UNIT_S @@ -2797,7 +2799,7 @@ static struct config_int ConfigureNamesInt[] = }, { - {"ssl_renegotiation_limit", PGC_USERSET, CONN_AUTH_SECURITY, + {"ssl_renegotiation_limit", PGC_USERSET, CONN_AUTH_SSL, gettext_noop("SSL renegotiation is no longer supported; this can only be 0."), NULL, GUC_NO_SHOW_ALL | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE, @@ -3170,7 +3172,7 @@ static struct config_string ConfigureNamesString[] = }, { - {"krb_server_keyfile", PGC_SIGHUP, CONN_AUTH_SECURITY, + {"krb_server_keyfile", PGC_SIGHUP, CONN_AUTH_AUTH, gettext_noop("Sets the location of the Kerberos server key file."), NULL, GUC_SUPERUSER_ONLY @@ -3530,7 +3532,7 @@ static struct config_string ConfigureNamesString[] = }, { - {"ssl_cert_file", PGC_SIGHUP, CONN_AUTH_SECURITY, + {"ssl_cert_file", PGC_SIGHUP, CONN_AUTH_SSL, gettext_noop("Location of the SSL server certificate file."), NULL }, @@ -3540,7 +3542,7 @@ static struct config_string ConfigureNamesString[] = }, { - {"ssl_key_file", PGC_SIGHUP, CONN_AUTH_SECURITY, + {"ssl_key_file", PGC_SIGHUP, CONN_AUTH_SSL, gettext_noop("Location of the SSL server private key file."), NULL }, @@ -3550,7 +3552,7 @@ static struct config_string ConfigureNamesString[] = }, { - {"ssl_ca_file", PGC_SIGHUP, CONN_AUTH_SECURITY, + {"ssl_ca_file", PGC_SIGHUP, CONN_AUTH_SSL, gettext_noop("Location of the SSL certificate authority file."), NULL }, @@ -3560,7 +3562,7 @@ static struct config_string ConfigureNamesString[] = }, { - {"ssl_crl_file", PGC_SIGHUP, CONN_AUTH_SECURITY, + {"ssl_crl_file", PGC_SIGHUP, CONN_AUTH_SSL, gettext_noop("Location of the SSL certificate revocation list file."), NULL }, @@ -3602,7 +3604,7 @@ static struct config_string ConfigureNamesString[] = }, { - {"ssl_ciphers", PGC_SIGHUP, CONN_AUTH_SECURITY, + {"ssl_ciphers", PGC_SIGHUP, CONN_AUTH_SSL, gettext_noop("Sets the list of allowed SSL ciphers."), NULL, GUC_SUPERUSER_ONLY @@ -3617,7 +3619,7 @@ static struct config_string ConfigureNamesString[] = }, { - {"ssl_ecdh_curve", PGC_SIGHUP, CONN_AUTH_SECURITY, + {"ssl_ecdh_curve", PGC_SIGHUP, CONN_AUTH_SSL, gettext_noop("Sets the curve to use for ECDH."), NULL, GUC_SUPERUSER_ONLY @@ -3632,7 +3634,7 @@ static struct config_string ConfigureNamesString[] = }, { - {"ssl_dh_params_file", PGC_SIGHUP, CONN_AUTH_SECURITY, + {"ssl_dh_params_file", PGC_SIGHUP, CONN_AUTH_SSL, gettext_noop("Location of the SSL DH parameters file."), NULL, GUC_SUPERUSER_ONLY @@ -3932,7 +3934,7 @@ static struct config_enum ConfigureNamesEnum[] = }, { - {"password_encryption", PGC_USERSET, CONN_AUTH_SECURITY, + {"password_encryption", PGC_USERSET, CONN_AUTH_AUTH, gettext_noop("Encrypt passwords."), gettext_noop("When a password is specified in CREATE USER or " "ALTER USER without writing either ENCRYPTED or UNENCRYPTED, " diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample index 69f40f04b0..abffde6b2b 100644 --- a/src/backend/utils/misc/postgresql.conf.sample +++ b/src/backend/utils/misc/postgresql.conf.sample @@ -73,26 +73,6 @@ #bonjour_name = '' # defaults to the computer name # (change requires restart) -# - Security and Authentication - - -#authentication_timeout = 1min # 1s-600s -#ssl = off -#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers -#ssl_prefer_server_ciphers = on -#ssl_ecdh_curve = 'prime256v1' -#ssl_dh_params_file = '' -#ssl_cert_file = 'server.crt' -#ssl_key_file = 'server.key' -#ssl_ca_file = '' -#ssl_crl_file = '' -#password_encryption = md5 # md5 or scram-sha-256 -#db_user_namespace = off -#row_security = on - -# GSSAPI using Kerberos -#krb_server_keyfile = '' -#krb_caseins_users = off - # - TCP Keepalives - # see "man 7 tcp" for details @@ -103,6 +83,28 @@ #tcp_keepalives_count = 0 # TCP_KEEPCNT; # 0 selects the system default +# - Authentication - + +#authentication_timeout = 1min # 1s-600s +#password_encryption = md5 # md5 or scram-sha-256 +#db_user_namespace = off + +# GSSAPI using Kerberos +#krb_server_keyfile = '' +#krb_caseins_users = off + +# - SSL - + +#ssl = off +#ssl_ca_file = '' +#ssl_cert_file = 'server.crt' +#ssl_crl_file = '' +#ssl_key_file = 'server.key' +#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers +#ssl_prefer_server_ciphers = on +#ssl_ecdh_curve = 'prime256v1' +#ssl_dh_params_file = '' + #------------------------------------------------------------------------------ # RESOURCE USAGE (except WAL) @@ -543,6 +545,7 @@ # - Statement Behavior - #search_path = '"$user", public' # schema names +#row_security = on #default_tablespace = '' # a tablespace name, '' uses the default #temp_tablespaces = '' # a list of tablespace names, '' uses # only default tablespace diff --git a/src/include/utils/guc_tables.h b/src/include/utils/guc_tables.h index 04de6a383a..668d9efd35 100644 --- a/src/include/utils/guc_tables.h +++ b/src/include/utils/guc_tables.h @@ -56,7 +56,8 @@ enum config_group FILE_LOCATIONS, CONN_AUTH, CONN_AUTH_SETTINGS, - CONN_AUTH_SECURITY, + CONN_AUTH_AUTH, + CONN_AUTH_SSL, RESOURCES, RESOURCES_MEM, RESOURCES_DISK,