Commit
pgwire: support hba.conf auth configuration
The upcoming GSSAPI support requires that we have configurable authentication. Today, pgwire auth uses certs if a client has a TLS client cert, otherwise it uses a password. Adding GSSAPI as a third kind of login forces us to allow administrators to configure how their auth should function. Postgres already has a well documented and straightforward pg_hba.conf specification. We have chosen to implement some of it in order to make transition easy, and because it is a good format.

The hba package is an hba.conf file parser. The parser is implemented in ragel, which is a state machine generator from regular expressions to actions. This format is complicated enough that writing a parser by hand (due to, for example, the different kinds of strings and IP addresses) is annoying, and ragel is able to accomplish that work with a simpler format. It is not hooked up to the Makefile, so it is possible the .rl file could be out-of-sync with its generated .go file, but we don't expect this file to change often and that is an acceptable risk.

A new cluster setting "server.hba_conf" has been added. The default (empty string) preserves the old behavior of cert-then-password.

We have some differences from Postgres' hba.conf (although we can easily expand to support more as needed). We only support the 'host' connection method, and database must be 'all' (since our database security mechanism is somewhat different than Postgres'). We do not support the @ or + modifiers. Addresses must be IPs, or 'all', but arbitrary hostnames or domains are unsupported. The auth methods we support are cert and password, which work the same as Postgres. In addition, the cert-password method does the cockroach default of cert-then-password. Thus, "host all all all cert-password" is a configuration that is identical to our unchanged default auth method. Root is hard-coded to require a certificate, preventing users from ever setting an hba.conf file accidentally preventing all logins.

Release note (sql change): add support for configuring authentication via an hba.conf cluster setting.
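As an added example, not CockroachDB's ragel-generated parser and not code from this commit, the following hand-written Go model captures the semantics the message spells out: the accepted subset of pg_hba.conf, the hard-coded root rule, the empty-setting default, and the cert-password fallback. It assumes addresses are written in CIDR form and that a login matching no rule is rejected as in Postgres; the names Parse, Method and Rule are hypothetical.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Rule is one hba entry; User may be "all", Net nil means "all", Method is cert|password|cert-password.
type Rule struct{ User string; Net *net.IPNet; Method string }

var methods = map[string]bool{"cert": true, "password": true, "cert-password": true}

// Parse accepts only the subset the commit describes. A hard-coded root rule comes first
// so no setting can let root in without a cert; an empty setting keeps the old default.
func Parse(conf string) ([]Rule, error) {
	rules := []Rule{{User: "root", Method: "cert"}}
	for n, line := range strings.Split(conf, "\n") {
		f := strings.Fields(line)
		if len(f) == 0 || strings.HasPrefix(f[0], "#") { // blank or comment line
			continue
		}
		if len(f) != 5 || f[0] != "host" || f[1] != "all" || !methods[f[4]] {
			return nil, fmt.Errorf("line %d: only 'host all <user> <addr> cert|password|cert-password' is supported", n+1)
		}
		_, ipnet, err := net.ParseCIDR(f[3]) // "all" leaves ipnet nil; hostnames, @ and + are rejected
		if err != nil && f[3] != "all" {
			return nil, fmt.Errorf("line %d: address %q is not CIDR or 'all'", n+1, f[3])
		}
		rules = append(rules, Rule{User: f[2], Net: ipnet, Method: f[4]})
	}
	if len(rules) == 1 { // empty setting: "host all all all cert-password", the unchanged default
		rules = append(rules, Rule{User: "all", Method: "cert-password"})
	}
	return rules, nil
}

// Method returns the auth method of the first matching rule; cert-password is the cockroach
// default (cert if one was presented, else password). No match means reject (Postgres, assumed).
func Method(rules []Rule, user string, ip net.IP, hasCert bool) (string, bool) {
	for _, r := range rules {
		if (r.User == "all" || r.User == user) && (r.Net == nil || r.Net.Contains(ip)) {
			if r.Method == "cert-password" {
				return map[bool]string{true: "cert", false: "password"}[hasCert], true
			}
			return r.Method, true
		}
	}
	return "", false
}
```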
Showing 10 changed files with 3,208 additions and 23 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
conf.go: conf.rl | ||
# Use of -T0 here produces the smallest amount of generated code. We | ||
# don't care about parsing performance so optimize instead for small files | ||
# and fast compilations. | ||
ragel -Z -T0 conf.rl -o conf.go | ||
(echo "// Code generated by ragel. DO NOT EDIT."; \ | ||
echo "// GENERATED FILE DO NOT EDIT"; \ | ||
cat conf.go) > conf.go.tmp | ||
mv conf.go.tmp conf.go | ||
../../../../bin/gofmt -w -s conf.go | ||
../../../../bin/goimports -w conf.go |
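Review bot: the recipe writes conf.go in place with `ragel -Z -T0 conf.rl -o conf.go` before the header and formatting steps run, so if a later step fails (for instance the relative `../../../../bin/gofmt` or `../../../../bin/goimports` path not resolving, which ties the rule to the package's depth in the tree), a half-processed conf.go is left behind that is newer than conf.rl and the next `make` reports it up to date. Generating into conf.go.tmp directly and only `mv`-ing to conf.go as the final step keeps the target all-or-nothing. Since the commit message says this rule is not wired into the top-level build, a CI step that reruns it and fails on a non-empty `git diff` would be the cheapest way to catch the .rl/.go drift it mentions, which matters for a parser that decides authentication policy.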