On 20.04.2018 03:14, Tatsuo Ishii wrote:
On Fri, Apr 20, 2018 at 07:58:00AM +0900, Tatsuo Ishii wrote:
Yeah. Since SCRAM auth is implemented, some connection poolers
including Pgpool-II are struggling to adopt it.
Er, well. pgpool is also taking advantage of MD5 weaknesses... While
SCRAM fixes this class of problems, and channel binding actually makes
this harder for poolers to deal with.
One of Pgpool-II developers Usama are working hard to re-implement
SCRAM auth for upcoming Pgpool-II 4.0: i.e. storing passwords (of
course in some encrypted form) in Pgpool-II.
Just want to notice that authentication is are where I have completely
no experience.
So any suggestions or helpĀ in developing right authentication mechanism
for built-in connection pooling is welcome.
Right authentication of pooled session by shared backend is performed in
the same way as by normal (dedicated) Postgres backend.
Postmaster just transfer accepted socket to one of the workers
(backends) and it performs authentication in normal way.
It actually means that all sessions scheduled to the same worker should
access the same database under the same user.
Accepting connections to different databases/users right now is
supported by making it possible to create several session pools and
binding each session pool to its own port at which postmaster will
accept connections to this page pool.
As alternative approach I considered spawning separate "authentication"
process (or do it in postmaster), which will process startup package and
only after it schedule session to one of the workers. But such policy is
much more difficult to implement and it is unclear how to map
database/user pairs to worker backends.
--
Konstantin Knizhnik
Postgres Professional: http://www.postgrespro.com
The Russian Postgres Company
