From 1b4e729eaa97b6169e08abc70e84709cea2cd00a Mon Sep 17 00:00:00 2001
From: Magnus Hagander <magnus@hagander.net>
Date: Fri, 9 Jan 2009 10:13:19 +0000
Subject: [PATCH] Make krb_realm and krb_server_hostname be pg_hba options
only, and remove their GUCs.
In passing, noted that the pg_hba options for krb5 authentication weren't
listed at all - so add this.
---
doc/src/sgml/client-auth.sgml | 71 ++++++++++++++-----
doc/src/sgml/config.sgml | 36 +---------
src/backend/libpq/auth.c | 53 ++++----------
src/backend/utils/misc/guc.c | 21 +-----
src/backend/utils/misc/postgresql.conf.sample | 3 -
5 files changed, 72 insertions(+), 112 deletions(-)
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index f5cc4729101..029bfd45661 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.117 2009/01/07 13:09:21 mha Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.118 2009/01/09 10:13:18 mha Exp $ -->
<chapter id="client-authentication">
<title>Client Authentication</title>
@@ -801,18 +801,8 @@ omicron bryanh guest1
<term>krb_realm</term>
<listitem>
<para>
- Overrides the <xref linkend="guc-krb-realm"> parameter, setting which realm
- to verify the authenticated user principal against.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>krb_server_hostname</term>
- <listitem>
- <para>
- Overrides the <xref linkend="guc-krb-server-hostname"> parameter, setting which
- hostname will be used for the server principal when using Kerberos.
+ Sets the realm to match user principal names against. If this parameter
+ is not set, the realm of the user will be ignored.
</para>
</listitem>
</varlistentry>
@@ -874,8 +864,8 @@ omicron bryanh guest1
<term>krb_realm</term>
<listitem>
<para>
- Overrides the <xref linkend="guc-krb-realm"> parameter, setting which realm
- to verify the authenticated user principal against.
+ Sets the realm to match user principal names against. If this parameter
+ is not set, the realm of the user will be ignored.
</para>
</listitem>
</varlistentry>
@@ -953,7 +943,7 @@ omicron bryanh guest1
<literal>pgusername@realm</>. By default, the realm of the client is
not checked by <productname>PostgreSQL</>. If you have cross-realm
authentication enabled and need to verify the realm, use the
- <xref linkend="guc-krb-realm"> parameter.
+ krb_realm parameter in <filename>pg_hba.conf</>.
</para>
<para>
@@ -996,6 +986,55 @@ omicron bryanh guest1
database access over the web, no extra passwords required.
</para>
+ <para>
+ The following configuration options are supported for <productname>Kerberos</productname>:
+ <variablelist>
+ <varlistentry>
+ <term>map</term>
+ <listitem>
+ <para>
+ Allows for mapping between system and database usernames. See
+ <xref linkend="auth-username-maps"> for details.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>include_realm</term>
+ <listitem>
+ <para>
+ Include the realm name from the authenticated user principal. This is useful
+ in combination with Username maps (See <xref linkend="auth-username-maps">
+ for details), especially with regular expressions, to map users from
+ multiple realms.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>krb_realm</term>
+ <listitem>
+ <para>
+ Sets the realm to match user principal names against. If this parameter
+ is not set, the realm of the user will be ignored.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>krb_server_hostname</term>
+ <listitem>
+ <para>
+ Sets the host name part of the service principal.
+ This, combined with <varname>krb_srvname</>, is used to generate
+ the complete service principal, that is
+ <varname>krb_srvname</><literal>/</><varname>krb_server_hostname</><literal>@</>REALM.
+ If not set, the default is the server host name.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </para>
</sect2>
<sect2 id="auth-ident">
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index 564e5c0236c..0d8cf0a84cb 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/config.sgml,v 1.203 2009/01/07 22:40:48 tgl Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/config.sgml,v 1.204 2009/01/09 10:13:18 mha Exp $ -->
<chapter Id="runtime-config">
<title>Server Configuration</title>
@@ -612,22 +612,6 @@ SET ENABLE_SEQSCAN TO OFF;
</listitem>
</varlistentry>
- <varlistentry id="guc-krb-realm" xreflabel="krb_realm">
- <term><varname>krb_realm</varname> (<type>string</type>)</term>
- <indexterm>
- <primary><varname>krb_realm</> configuration parameter</primary>
- </indexterm>
- <listitem>
- <para>
- Sets the realm to match Kerberos, GSSAPI and SSPI user names against.
- See <xref linkend="kerberos-auth">, <xref linkend="gssapi-auth"> or
- <xref linkend="sspi-auth"> for details. This parameter can only be
- set in the <filename>postgresql.conf</> file or on the server
- command line.
- </para>
- </listitem>
- </varlistentry>
-
<varlistentry id="guc-krb-server-keyfile" xreflabel="krb_server_keyfile">
<term><varname>krb_server_keyfile</varname> (<type>string</type>)</term>
<indexterm>
@@ -657,24 +641,6 @@ SET ENABLE_SEQSCAN TO OFF;
</listitem>
</varlistentry>
- <varlistentry id="guc-krb-server-hostname" xreflabel="krb_server_hostname">
- <term><varname>krb_server_hostname</varname> (<type>string</type>)</term>
- <indexterm>
- <primary><varname>krb_server_hostname</> configuration parameter</primary>
- </indexterm>
- <listitem>
- <para>
- Sets the host name part of the service principal.
- This, combined with <varname>krb_srvname</>, is used to generate
- the complete service principal, that is
- <varname>krb_srvname</><literal>/</><varname>krb_server_hostname</><literal>@</>REALM.
- If not set, the default is the server host name. See <xref linkend="kerberos-auth">
- for details. This parameter can only be set in the <filename>postgresql.conf</>
- file or on the server command line.
- </para>
- </listitem>
- </varlistentry>
-
<varlistentry id="guc-krb-caseins-users" xreflabel="krb_caseins_users">
<term><varname>krb_caseins_users</varname> (<type>boolean</type>)</term>
<indexterm>
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 4b5773ab881..f0561a5b969 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -8,7 +8,7 @@
*
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.177 2009/01/07 13:09:21 mha Exp $
+ * $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.178 2009/01/09 10:13:18 mha Exp $
*
*-------------------------------------------------------------------------
*/
@@ -129,8 +129,6 @@ static int CheckCertAuth(Port *port);
char *pg_krb_server_keyfile;
char *pg_krb_srvnam;
bool pg_krb_caseins_users;
-char *pg_krb_server_hostname = NULL;
-char *pg_krb_realm = NULL;
/*----------------------------------------------------------------
@@ -645,10 +643,7 @@ pg_krb5_init(Port *port)
* If no hostname was specified, pg_krb_server_hostname is already NULL.
* If it's set to blank, force it to NULL.
*/
- if (port->hba->krb_server_hostname)
- khostname = port->hba->krb_server_hostname;
- else
- khostname = pg_krb_server_hostname;
+ khostname = port->hba->krb_server_hostname;
if (khostname && khostname[0] == '\0')
khostname = NULL;
@@ -694,7 +689,6 @@ pg_krb5_recvauth(Port *port)
krb5_ticket *ticket;
char *kusername;
char *cp;
- char *realmmatch;
if (get_role_line(port->user_name) == NULL)
return STATUS_ERROR;
@@ -740,11 +734,6 @@ pg_krb5_recvauth(Port *port)
return STATUS_ERROR;
}
- if (port->hba->krb_realm)
- realmmatch = port->hba->krb_realm;
- else
- realmmatch = pg_krb_realm;
-
cp = strchr(kusername, '@');
if (cp)
{
@@ -757,19 +746,19 @@ pg_krb5_recvauth(Port *port)
*cp = '\0';
cp++;
- if (realmmatch != NULL && strlen(realmmatch))
+ if (port->hba->krb_realm != NULL && strlen(port->hba->krb_realm))
{
/* Match realm against configured */
if (pg_krb_caseins_users)
- ret = pg_strcasecmp(realmmatch, cp);
+ ret = pg_strcasecmp(port->hba->krb_realm, cp);
else
- ret = strcmp(realmmatch, cp);
+ ret = strcmp(port->hba->krb_realm, cp);
if (ret)
{
elog(DEBUG2,
"krb5 realm (%s) and configured realm (%s) don't match",
- cp, realmmatch);
+ cp, port->hba->krb_realm);
krb5_free_ticket(pg_krb5_context, ticket);
krb5_auth_con_free(pg_krb5_context, auth_context);
@@ -777,7 +766,7 @@ pg_krb5_recvauth(Port *port)
}
}
}
- else if (realmmatch && strlen(realmmatch))
+ else if (port->hba->krb_realm&& strlen(port->hba->krb_realm))
{
elog(DEBUG2,
"krb5 did not return realm but realm matching was requested");
@@ -874,7 +863,6 @@ pg_GSS_recvauth(Port *port)
int ret;
StringInfoData buf;
gss_buffer_desc gbuf;
- char *realmmatch;
/*
* GSS auth is not supported for protocol versions before 3, because it
@@ -1034,11 +1022,6 @@ pg_GSS_recvauth(Port *port)
gettext_noop("retrieving GSS user name failed"),
maj_stat, min_stat);
- if (port->hba->krb_realm)
- realmmatch = port->hba->krb_realm;
- else
- realmmatch = pg_krb_realm;
-
/*
* Split the username at the realm separator
*/
@@ -1055,28 +1038,28 @@ pg_GSS_recvauth(Port *port)
*cp = '\0';
cp++;
- if (realmmatch != NULL && strlen(realmmatch))
+ if (port->hba->krb_realm != NULL && strlen(port->hba->krb_realm))
{
/*
* Match the realm part of the name first
*/
if (pg_krb_caseins_users)
- ret = pg_strcasecmp(realmmatch, cp);
+ ret = pg_strcasecmp(port->hba->krb_realm, cp);
else
- ret = strcmp(realmmatch, cp);
+ ret = strcmp(port->hba->krb_realm, cp);
if (ret)
{
/* GSS realm does not match */
elog(DEBUG2,
"GSSAPI realm (%s) and configured realm (%s) don't match",
- cp, realmmatch);
+ cp, port->hba->krb_realm);
gss_release_buffer(&lmin_s, &gbuf);
return STATUS_ERROR;
}
}
}
- else if (realmmatch && strlen(realmmatch))
+ else if (port->hba->krb_realm && strlen(port->hba->krb_realm))
{
elog(DEBUG2,
"GSSAPI did not return realm but realm matching was requested");
@@ -1140,7 +1123,6 @@ pg_SSPI_recvauth(Port *port)
SID_NAME_USE accountnameuse;
HMODULE secur32;
QUERY_SECURITY_CONTEXT_TOKEN_FN _QuerySecurityContextToken;
- char *realmmatch;
/*
* SSPI auth is not supported for protocol versions before 3, because it
@@ -1353,18 +1335,13 @@ pg_SSPI_recvauth(Port *port)
* Compare realm/domain if requested. In SSPI, always compare case
* insensitive.
*/
- if (port->hba->krb_realm)
- realmmatch = port->hba->krb_realm;
- else
- realmmatch = pg_krb_realm;
-
- if (realmmatch && strlen(realmmatch))
+ if (port->hba->krb_realm && strlen(port->hba->krb_realm))
{
- if (pg_strcasecmp(realmmatch, domainname))
+ if (pg_strcasecmp(port->hba->krb_realm, domainname))
{
elog(DEBUG2,
"SSPI domain (%s) and configured domain (%s) don't match",
- domainname, realmmatch);
+ domainname, port->hba->krb_realm);
return STATUS_ERROR;
}
diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c
index 22cfbff6105..8d927ae1387 100644
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -10,7 +10,7 @@
* Written by Peter Eisentraut <peter_e@gmx.net>.
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.491 2009/01/07 22:40:49 tgl Exp $
+ * $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.492 2009/01/09 10:13:18 mha Exp $
*
*--------------------------------------------------------------------
*/
@@ -2130,16 +2130,6 @@ static struct config_string ConfigureNamesString[] =
"$libdir", NULL, NULL
},
- {
- {"krb_realm", PGC_SIGHUP, CONN_AUTH_SECURITY,
- gettext_noop("Sets realm to match Kerberos and GSSAPI users against."),
- NULL,
- GUC_SUPERUSER_ONLY
- },
- &pg_krb_realm,
- NULL, NULL, NULL
- },
-
{
{"krb_server_keyfile", PGC_SIGHUP, CONN_AUTH_SECURITY,
gettext_noop("Sets the location of the Kerberos server key file."),
@@ -2159,15 +2149,6 @@ static struct config_string ConfigureNamesString[] =
PG_KRB_SRVNAM, NULL, NULL
},
- {
- {"krb_server_hostname", PGC_SIGHUP, CONN_AUTH_SECURITY,
- gettext_noop("Sets the hostname of the Kerberos server."),
- NULL
- },
- &pg_krb_server_hostname,
- NULL, NULL, NULL
- },
-
{
{"bonjour_name", PGC_POSTMASTER, CONN_AUTH_SETTINGS,
gettext_noop("Sets the Bonjour broadcast service name."),
diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample
index d53861511ae..ffa5055b768 100644
--- a/src/backend/utils/misc/postgresql.conf.sample
+++ b/src/backend/utils/misc/postgresql.conf.sample
@@ -81,10 +81,7 @@
# Kerberos and GSSAPI
#krb_server_keyfile = ''
#krb_srvname = 'postgres' # (Kerberos only)
-#krb_server_hostname = '' # empty string matches any keytab entry
- # (Kerberos only)
#krb_caseins_users = off
-#krb_realm = ''
# - TCP Keepalives -
# see "man 7 tcp" for details
--
GitLab