* Ian Pilcher (arequip...@gmail.com) wrote: > On 12/02/2013 02:29 PM, Andrew Dunstan wrote: > > Wouldn't that amount to only partially trusting the root? It seems kinda > > odd. In any case, It's not something I think Postgres needs to solve. > > I think that the fundamental problem is that authentication and > authorization are being conflated. From the OpenSSL point-of-view, it > is checking that the client certificate is valid (not expired, signed by > a trusted chain of CAs, etc.); i.e. it's only doing authentication.
Of course. > PostgreSQL is trusting any client certificate that is validated by > OpenSSL. It's essentially trusting OpenSSL to do both authentication > and authorization, but OpenSSL isn't doing the latter. That isn't at *all* accurate. Authorization is handled by pg_ident and PG's role and grant system. We are only using OpenSSL's trust of the certificate for authentication. > Does PostgreSQL need to solve this? I don't know, but it certainly > would be a nice capability to have -- if only to avoid the confusion > that currently surrounds the issue. I have no idea what you're getting at here. Thanks, Stephen
Description: Digital signature