rdelaage
/
postgresql
mirror of https://git.postgresql.org/git/postgresql.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Split out documentation of SSL parameters into their own section 

Split the "Authentication and Security" section into two separate
sections "Authentication" and "SSL".  The latter part has gotten much
longer over time, and doesn't primarily have to do with authentication.

Also, the row_security parameter was inconsistently categorized, so
clean that up while we're here.
This commit is contained in:
Peter Eisentraut 2018-01-18 19:12:05 -05:00
parent f5da5683a8
commit 7404e77cc1
4 changed files with 166 additions and 151 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

233
doc/src/sgml/config.sgml
View File

@ -924,8 +924,9 @@ include_dir 'conf.d'
</variablelist> </variablelist>
</sect2> </sect2>
<sect2 id="runtime-config-connection-security">
<title>Security and Authentication</title> <sect2 id="runtime-config-connection-authentication">
<title>Authentication</title>
<variablelist> <variablelist>
<varlistentry id="guc-authentication-timeout" xreflabel="authentication_timeout"> <varlistentry id="guc-authentication-timeout" xreflabel="authentication_timeout">
@ -950,6 +951,123 @@ include_dir 'conf.d'
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry id="guc-password-encryption" xreflabel="password_encryption">
<term><varname>password_encryption</varname> (<type>enum</type>)
<indexterm>
<primary><varname>password_encryption</varname> configuration parameter</primary>
</indexterm>
</term>
<listitem>
<para>
When a password is specified in <xref linkend="sql-createrole"/> or
<xref linkend="sql-alterrole"/>, this parameter determines the algorithm
to use to encrypt the password. The default value is <literal>md5</literal>,
which stores the password as an MD5 hash (<literal>on</literal> is also
accepted, as alias for <literal>md5</literal>). Setting this parameter to
<literal>scram-sha-256</literal> will encrypt the password with SCRAM-SHA-256.
</para>
<para>
Note that older clients might lack support for the SCRAM authentication
mechanism, and hence not work with passwords encrypted with
SCRAM-SHA-256. See <xref linkend="auth-password"/> for more details.
</para>
</listitem>
</varlistentry>
<varlistentry id="guc-krb-server-keyfile" xreflabel="krb_server_keyfile">
<term><varname>krb_server_keyfile</varname> (<type>string</type>)
<indexterm>
<primary><varname>krb_server_keyfile</varname> configuration parameter</primary>
</indexterm>
</term>
<listitem>
<para>
Sets the location of the Kerberos server key file. See
<xref linkend="gssapi-auth"/>
for details. This parameter can only be set in the
<filename>postgresql.conf</filename> file or on the server command line.
</para>
</listitem>
</varlistentry>
<varlistentry id="guc-krb-caseins-users" xreflabel="krb_caseins_users">
<term><varname>krb_caseins_users</varname> (<type>boolean</type>)
<indexterm>
<primary><varname>krb_caseins_users</varname> configuration parameter</primary>
</indexterm>
</term>
<listitem>
<para>
Sets whether GSSAPI user names should be treated
case-insensitively.
The default is <literal>off</literal> (case sensitive). This parameter can only be
set in the <filename>postgresql.conf</filename> file or on the server command line.
</para>
</listitem>
</varlistentry>
<varlistentry id="guc-db-user-namespace" xreflabel="db_user_namespace">
<term><varname>db_user_namespace</varname> (<type>boolean</type>)
<indexterm>
<primary><varname>db_user_namespace</varname> configuration parameter</primary>
</indexterm>
</term>
<listitem>
<para>
This parameter enables per-database user names. It is off by default.
This parameter can only be set in the <filename>postgresql.conf</filename>
file or on the server command line.
</para>
<para>
If this is on, you should create users as <replaceable>username@dbname</replaceable>.
When <replaceable>username</replaceable> is passed by a connecting client,
<literal>@</literal> and the database name are appended to the user
name and that database-specific user name is looked up by the
server. Note that when you create users with names containing
<literal>@</literal> within the SQL environment, you will need to
quote the user name.
</para>
<para>
With this parameter enabled, you can still create ordinary global
users. Simply append <literal>@</literal> when specifying the user
name in the client, e.g. <literal>joe@</literal>. The <literal>@</literal>
will be stripped off before the user name is looked up by the
server.
</para>
<para>
<varname>db_user_namespace</varname> causes the client's and
server's user name representation to differ.
Authentication checks are always done with the server's user name
so authentication methods must be configured for the
server's user name, not the client's. Because
<literal>md5</literal> uses the user name as salt on both the
client and server, <literal>md5</literal> cannot be used with
<varname>db_user_namespace</varname>.
</para>
<note>
<para>
This feature is intended as a temporary measure until a
complete solution is found. At that time, this option will
be removed.
</para>
</note>
</listitem>
</varlistentry>
</variablelist>
</sect2>
<sect2 id="runtime-config-connection-ssl">
<title>SSL</title>
<para>
See <xref linkend="ssl-tcp"/> for more information about setting up SSL.
</para>
<variablelist>
<varlistentry id="guc-ssl" xreflabel="ssl"> <varlistentry id="guc-ssl" xreflabel="ssl">
<term><varname>ssl</varname> (<type>boolean</type>) <term><varname>ssl</varname> (<type>boolean</type>)
<indexterm> <indexterm>
@ -958,8 +1076,7 @@ include_dir 'conf.d'
</term> </term>
<listitem> <listitem>
<para> <para>
Enables <acronym>SSL</acronym> connections. Please read Enables <acronym>SSL</acronym> connections.
<xref linkend="ssl-tcp"/> before using this.
This parameter can only be set in the <filename>postgresql.conf</filename> This parameter can only be set in the <filename>postgresql.conf</filename>
file or on the server command line. file or on the server command line.
The default is <literal>off</literal>. The default is <literal>off</literal>.
@ -1172,29 +1289,6 @@ include_dir 'conf.d'
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry id="guc-password-encryption" xreflabel="password_encryption">
<term><varname>password_encryption</varname> (<type>enum</type>)
<indexterm>
<primary><varname>password_encryption</varname> configuration parameter</primary>
</indexterm>
</term>
<listitem>
<para>
When a password is specified in <xref linkend="sql-createrole"/> or
<xref linkend="sql-alterrole"/>, this parameter determines the algorithm
to use to encrypt the password. The default value is <literal>md5</literal>,
which stores the password as an MD5 hash (<literal>on</literal> is also
accepted, as alias for <literal>md5</literal>). Setting this parameter to
<literal>scram-sha-256</literal> will encrypt the password with SCRAM-SHA-256.
</para>
<para>
Note that older clients might lack support for the SCRAM authentication
mechanism, and hence not work with passwords encrypted with
SCRAM-SHA-256. See <xref linkend="auth-password"/> for more details.
</para>
</listitem>
</varlistentry>
<varlistentry id="guc-ssl-dh-params-file" xreflabel="ssl_dh_params_file"> <varlistentry id="guc-ssl-dh-params-file" xreflabel="ssl_dh_params_file">
<term><varname>ssl_dh_params_file</varname> (<type>string</type>) <term><varname>ssl_dh_params_file</varname> (<type>string</type>)
<indexterm> <indexterm>
@ -1218,91 +1312,6 @@ include_dir 'conf.d'
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry id="guc-krb-server-keyfile" xreflabel="krb_server_keyfile">
<term><varname>krb_server_keyfile</varname> (<type>string</type>)
<indexterm>
<primary><varname>krb_server_keyfile</varname> configuration parameter</primary>
</indexterm>
</term>
<listitem>
<para>
Sets the location of the Kerberos server key file. See
<xref linkend="gssapi-auth"/>
for details. This parameter can only be set in the
<filename>postgresql.conf</filename> file or on the server command line.
</para>
</listitem>
</varlistentry>
<varlistentry id="guc-krb-caseins-users" xreflabel="krb_caseins_users">
<term><varname>krb_caseins_users</varname> (<type>boolean</type>)
<indexterm>
<primary><varname>krb_caseins_users</varname> configuration parameter</primary>
</indexterm>
</term>
<listitem>
<para>
Sets whether GSSAPI user names should be treated
case-insensitively.
The default is <literal>off</literal> (case sensitive). This parameter can only be
set in the <filename>postgresql.conf</filename> file or on the server command line.
</para>
</listitem>
</varlistentry>
<varlistentry id="guc-db-user-namespace" xreflabel="db_user_namespace">
<term><varname>db_user_namespace</varname> (<type>boolean</type>)
<indexterm>
<primary><varname>db_user_namespace</varname> configuration parameter</primary>
</indexterm>
</term>
<listitem>
<para>
This parameter enables per-database user names. It is off by default.
This parameter can only be set in the <filename>postgresql.conf</filename>
file or on the server command line.
</para>
<para>
If this is on, you should create users as <replaceable>username@dbname</replaceable>.
When <replaceable>username</replaceable> is passed by a connecting client,
<literal>@</literal> and the database name are appended to the user
name and that database-specific user name is looked up by the
server. Note that when you create users with names containing
<literal>@</literal> within the SQL environment, you will need to
quote the user name.
</para>
<para>
With this parameter enabled, you can still create ordinary global
users. Simply append <literal>@</literal> when specifying the user
name in the client, e.g. <literal>joe@</literal>. The <literal>@</literal>
will be stripped off before the user name is looked up by the
server.
</para>
<para>
<varname>db_user_namespace</varname> causes the client's and
server's user name representation to differ.
Authentication checks are always done with the server's user name
so authentication methods must be configured for the
server's user name, not the client's. Because
<literal>md5</literal> uses the user name as salt on both the
client and server, <literal>md5</literal> cannot be used with
<varname>db_user_namespace</varname>.
</para>
<note>
<para>
This feature is intended as a temporary measure until a
complete solution is found. At that time, this option will
be removed.
</para>
</note>
</listitem>
</varlistentry>
</variablelist> </variablelist>
</sect2> </sect2>
</sect1> </sect1>

38
src/backend/utils/misc/guc.c
View File

@ -573,8 +573,10 @@ const char *const config_group_names[] =
gettext_noop("Connections and Authentication"), gettext_noop("Connections and Authentication"),
/* CONN_AUTH_SETTINGS */ /* CONN_AUTH_SETTINGS */
gettext_noop("Connections and Authentication / Connection Settings"), gettext_noop("Connections and Authentication / Connection Settings"),
/* CONN_AUTH_SECURITY */ /* CONN_AUTH_AUTH */
gettext_noop("Connections and Authentication / Security and Authentication"), gettext_noop("Connections and Authentication / Authentication"),
/* CONN_AUTH_SSL */
gettext_noop("Connections and Authentication / SSL"),
/* RESOURCES */ /* RESOURCES */
gettext_noop("Resource Usage"), gettext_noop("Resource Usage"),
/* RESOURCES_MEM */ /* RESOURCES_MEM */
@ -978,7 +980,7 @@ static struct config_bool ConfigureNamesBool[] =
NULL, NULL, NULL NULL, NULL, NULL
}, },
{ {
{"ssl", PGC_SIGHUP, CONN_AUTH_SECURITY, {"ssl", PGC_SIGHUP, CONN_AUTH_SSL,
gettext_noop("Enables SSL connections."), gettext_noop("Enables SSL connections."),
NULL NULL
}, },
@ -987,7 +989,7 @@ static struct config_bool ConfigureNamesBool[] =
check_ssl, NULL, NULL check_ssl, NULL, NULL
}, },
{ {
{"ssl_prefer_server_ciphers", PGC_SIGHUP, CONN_AUTH_SECURITY, {"ssl_prefer_server_ciphers", PGC_SIGHUP, CONN_AUTH_SSL,
gettext_noop("Give priority to server ciphersuite order."), gettext_noop("Give priority to server ciphersuite order."),
NULL NULL
}, },
@ -1378,7 +1380,7 @@ static struct config_bool ConfigureNamesBool[] =
NULL, NULL, NULL NULL, NULL, NULL
}, },
{ {
{"db_user_namespace", PGC_SIGHUP, CONN_AUTH_SECURITY, {"db_user_namespace", PGC_SIGHUP, CONN_AUTH_AUTH,
gettext_noop("Enables per-database user names."), gettext_noop("Enables per-database user names."),
NULL NULL
}, },
@ -1425,7 +1427,7 @@ static struct config_bool ConfigureNamesBool[] =
check_transaction_deferrable, NULL, NULL check_transaction_deferrable, NULL, NULL
}, },
{ {
{"row_security", PGC_USERSET, CONN_AUTH_SECURITY, {"row_security", PGC_USERSET, CLIENT_CONN_STATEMENT,
gettext_noop("Enable row security."), gettext_noop("Enable row security."),
gettext_noop("When enabled, row security will be applied to all users.") gettext_noop("When enabled, row security will be applied to all users.")
}, },
@ -1548,7 +1550,7 @@ static struct config_bool ConfigureNamesBool[] =
}, },
{ {
{"krb_caseins_users", PGC_SIGHUP, CONN_AUTH_SECURITY, {"krb_caseins_users", PGC_SIGHUP, CONN_AUTH_AUTH,
gettext_noop("Sets whether Kerberos and GSSAPI user names should be treated as case-insensitive."), gettext_noop("Sets whether Kerberos and GSSAPI user names should be treated as case-insensitive."),
NULL NULL
}, },
@ -2247,7 +2249,7 @@ static struct config_int ConfigureNamesInt[] =
}, },
{ {
{"authentication_timeout", PGC_SIGHUP, CONN_AUTH_SECURITY, {"authentication_timeout", PGC_SIGHUP, CONN_AUTH_AUTH,
gettext_noop("Sets the maximum allowed time to complete client authentication."), gettext_noop("Sets the maximum allowed time to complete client authentication."),
NULL, NULL,
GUC_UNIT_S GUC_UNIT_S
@ -2797,7 +2799,7 @@ static struct config_int ConfigureNamesInt[] =
}, },
{ {
{"ssl_renegotiation_limit", PGC_USERSET, CONN_AUTH_SECURITY, {"ssl_renegotiation_limit", PGC_USERSET, CONN_AUTH_SSL,
gettext_noop("SSL renegotiation is no longer supported; this can only be 0."), gettext_noop("SSL renegotiation is no longer supported; this can only be 0."),
NULL, NULL,
GUC_NO_SHOW_ALL | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE, GUC_NO_SHOW_ALL | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE,
@ -3170,7 +3172,7 @@ static struct config_string ConfigureNamesString[] =
}, },
{ {
{"krb_server_keyfile", PGC_SIGHUP, CONN_AUTH_SECURITY, {"krb_server_keyfile", PGC_SIGHUP, CONN_AUTH_AUTH,
gettext_noop("Sets the location of the Kerberos server key file."), gettext_noop("Sets the location of the Kerberos server key file."),
NULL, NULL,
GUC_SUPERUSER_ONLY GUC_SUPERUSER_ONLY
@ -3530,7 +3532,7 @@ static struct config_string ConfigureNamesString[] =
}, },
{ {
{"ssl_cert_file", PGC_SIGHUP, CONN_AUTH_SECURITY, {"ssl_cert_file", PGC_SIGHUP, CONN_AUTH_SSL,
gettext_noop("Location of the SSL server certificate file."), gettext_noop("Location of the SSL server certificate file."),
NULL NULL
}, },
@ -3540,7 +3542,7 @@ static struct config_string ConfigureNamesString[] =
}, },
{ {
{"ssl_key_file", PGC_SIGHUP, CONN_AUTH_SECURITY, {"ssl_key_file", PGC_SIGHUP, CONN_AUTH_SSL,
gettext_noop("Location of the SSL server private key file."), gettext_noop("Location of the SSL server private key file."),
NULL NULL
}, },
@ -3550,7 +3552,7 @@ static struct config_string ConfigureNamesString[] =
}, },
{ {
{"ssl_ca_file", PGC_SIGHUP, CONN_AUTH_SECURITY, {"ssl_ca_file", PGC_SIGHUP, CONN_AUTH_SSL,
gettext_noop("Location of the SSL certificate authority file."), gettext_noop("Location of the SSL certificate authority file."),
NULL NULL
}, },
@ -3560,7 +3562,7 @@ static struct config_string ConfigureNamesString[] =
}, },
{ {
{"ssl_crl_file", PGC_SIGHUP, CONN_AUTH_SECURITY, {"ssl_crl_file", PGC_SIGHUP, CONN_AUTH_SSL,
gettext_noop("Location of the SSL certificate revocation list file."), gettext_noop("Location of the SSL certificate revocation list file."),
NULL NULL
}, },
@ -3602,7 +3604,7 @@ static struct config_string ConfigureNamesString[] =
}, },
{ {
{"ssl_ciphers", PGC_SIGHUP, CONN_AUTH_SECURITY, {"ssl_ciphers", PGC_SIGHUP, CONN_AUTH_SSL,
gettext_noop("Sets the list of allowed SSL ciphers."), gettext_noop("Sets the list of allowed SSL ciphers."),
NULL, NULL,
GUC_SUPERUSER_ONLY GUC_SUPERUSER_ONLY
@ -3617,7 +3619,7 @@ static struct config_string ConfigureNamesString[] =
}, },
{ {
{"ssl_ecdh_curve", PGC_SIGHUP, CONN_AUTH_SECURITY, {"ssl_ecdh_curve", PGC_SIGHUP, CONN_AUTH_SSL,
gettext_noop("Sets the curve to use for ECDH."), gettext_noop("Sets the curve to use for ECDH."),
NULL, NULL,
GUC_SUPERUSER_ONLY GUC_SUPERUSER_ONLY
@ -3632,7 +3634,7 @@ static struct config_string ConfigureNamesString[] =
}, },
{ {
{"ssl_dh_params_file", PGC_SIGHUP, CONN_AUTH_SECURITY, {"ssl_dh_params_file", PGC_SIGHUP, CONN_AUTH_SSL,
gettext_noop("Location of the SSL DH parameters file."), gettext_noop("Location of the SSL DH parameters file."),
NULL, NULL,
GUC_SUPERUSER_ONLY GUC_SUPERUSER_ONLY
@ -3932,7 +3934,7 @@ static struct config_enum ConfigureNamesEnum[] =
}, },
{ {
{"password_encryption", PGC_USERSET, CONN_AUTH_SECURITY, {"password_encryption", PGC_USERSET, CONN_AUTH_AUTH,
gettext_noop("Encrypt passwords."), gettext_noop("Encrypt passwords."),
gettext_noop("When a password is specified in CREATE USER or " gettext_noop("When a password is specified in CREATE USER or "
"ALTER USER without writing either ENCRYPTED or UNENCRYPTED, " "ALTER USER without writing either ENCRYPTED or UNENCRYPTED, "

43
src/backend/utils/misc/postgresql.conf.sample
View File

@ -73,26 +73,6 @@
#bonjour_name = '' # defaults to the computer name #bonjour_name = '' # defaults to the computer name
# (change requires restart) # (change requires restart)
# - Security and Authentication -
#authentication_timeout = 1min # 1s-600s
#ssl = off
#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
#ssl_prefer_server_ciphers = on
#ssl_ecdh_curve = 'prime256v1'
#ssl_dh_params_file = ''
#ssl_cert_file = 'server.crt'
#ssl_key_file = 'server.key'
#ssl_ca_file = ''
#ssl_crl_file = ''
#password_encryption = md5 # md5 or scram-sha-256
#db_user_namespace = off
#row_security = on
# GSSAPI using Kerberos
#krb_server_keyfile = ''
#krb_caseins_users = off
# - TCP Keepalives - # - TCP Keepalives -
# see "man 7 tcp" for details # see "man 7 tcp" for details
@ -103,6 +83,28 @@
#tcp_keepalives_count = 0 # TCP_KEEPCNT; #tcp_keepalives_count = 0 # TCP_KEEPCNT;
# 0 selects the system default # 0 selects the system default
# - Authentication -
#authentication_timeout = 1min # 1s-600s
#password_encryption = md5 # md5 or scram-sha-256
#db_user_namespace = off
# GSSAPI using Kerberos
#krb_server_keyfile = ''
#krb_caseins_users = off
# - SSL -
#ssl = off
#ssl_ca_file = ''
#ssl_cert_file = 'server.crt'
#ssl_crl_file = ''
#ssl_key_file = 'server.key'
#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
#ssl_prefer_server_ciphers = on
#ssl_ecdh_curve = 'prime256v1'
#ssl_dh_params_file = ''
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# RESOURCE USAGE (except WAL) # RESOURCE USAGE (except WAL)
@ -543,6 +545,7 @@
# - Statement Behavior - # - Statement Behavior -
#search_path = '"$user", public' # schema names #search_path = '"$user", public' # schema names
#row_security = on
#default_tablespace = '' # a tablespace name, '' uses the default #default_tablespace = '' # a tablespace name, '' uses the default
#temp_tablespaces = '' # a list of tablespace names, '' uses #temp_tablespaces = '' # a list of tablespace names, '' uses
# only default tablespace # only default tablespace

3
src/include/utils/guc_tables.h
View File

@ -56,7 +56,8 @@ enum config_group
FILE_LOCATIONS, FILE_LOCATIONS,
CONN_AUTH, CONN_AUTH,
CONN_AUTH_SETTINGS, CONN_AUTH_SETTINGS,
CONN_AUTH_SECURITY, CONN_AUTH_AUTH,
CONN_AUTH_SSL,
RESOURCES, RESOURCES,
RESOURCES_MEM, RESOURCES_MEM,
RESOURCES_DISK, RESOURCES_DISK,