]> granicus.if.org Git - postgresql/commitdiff
Make krb_realm and krb_server_hostname be pg_hba options only, and remove
authorMagnus Hagander <magnus@hagander.net>
Fri, 9 Jan 2009 10:13:19 +0000 (10:13 +0000)
committerMagnus Hagander <magnus@hagander.net>
Fri, 9 Jan 2009 10:13:19 +0000 (10:13 +0000)
their GUCs.

In passing, noted that the pg_hba options for krb5 authentication weren't
listed at all - so add this.

doc/src/sgml/client-auth.sgml
doc/src/sgml/config.sgml
src/backend/libpq/auth.c
src/backend/utils/misc/guc.c
src/backend/utils/misc/postgresql.conf.sample

index f5cc4729101bcb91a8e00a04449a23654f3fdd49..029bfd4566155ee51240c70fc1dd4fdf23e83b0b 100644 (file)
@@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.117 2009/01/07 13:09:21 mha Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.118 2009/01/09 10:13:18 mha Exp $ -->
 
 <chapter id="client-authentication">
  <title>Client Authentication</title>
@@ -801,18 +801,8 @@ omicron       bryanh            guest1
       <term>krb_realm</term>
       <listitem>
        <para>
-        Overrides the <xref linkend="guc-krb-realm"> parameter, setting which realm
-        to verify the authenticated user principal against.
-       </para>
-      </listitem>
-     </varlistentry>
-
-     <varlistentry>
-      <term>krb_server_hostname</term>
-      <listitem>
-       <para>
-        Overrides the <xref linkend="guc-krb-server-hostname"> parameter, setting which
-        hostname will be used for the server principal when using Kerberos.
+        Sets the realm to match user principal names against. If this parameter
+        is not set, the realm of the user will be ignored.
        </para>
       </listitem>
      </varlistentry>
@@ -874,8 +864,8 @@ omicron       bryanh            guest1
       <term>krb_realm</term>
       <listitem>
        <para>
-        Overrides the <xref linkend="guc-krb-realm"> parameter, setting which realm
-        to verify the authenticated user principal against.
+        Sets the realm to match user principal names against. If this parameter
+        is not set, the realm of the user will be ignored.
        </para>
       </listitem>
      </varlistentry>
@@ -953,7 +943,7 @@ omicron       bryanh            guest1
     <literal>pgusername@realm</>. By default, the realm of the client is
     not checked by <productname>PostgreSQL</>. If you have cross-realm
     authentication enabled and need to verify the realm, use the
-    <xref linkend="guc-krb-realm"> parameter.
+    krb_realm parameter in <filename>pg_hba.conf</>.
    </para>
 
    <para>
@@ -996,6 +986,55 @@ omicron       bryanh            guest1
     database access over the web, no extra passwords required.
    </para>
 
+   <para>
+    The following configuration options are supported for <productname>Kerberos</productname>:
+    <variablelist>
+     <varlistentry>
+      <term>map</term>
+      <listitem>
+       <para>
+        Allows for mapping between system and database usernames. See
+        <xref linkend="auth-username-maps"> for details.
+       </para>
+      </listitem>
+     </varlistentry>
+
+     <varlistentry>
+      <term>include_realm</term>
+      <listitem>
+       <para>
+        Include the realm name from the authenticated user principal. This is useful
+        in combination with Username maps (See <xref linkend="auth-username-maps">
+        for details), especially with regular expressions, to map users from
+        multiple realms.
+       </para>
+      </listitem>
+     </varlistentry>
+
+     <varlistentry>
+      <term>krb_realm</term>
+      <listitem>
+       <para>
+        Sets the realm to match user principal names against. If this parameter
+        is not set, the realm of the user will be ignored.
+       </para>
+      </listitem>
+     </varlistentry>
+
+     <varlistentry>
+      <term>krb_server_hostname</term>
+      <listitem>
+       <para>
+        Sets the host name part of the service principal.
+        This, combined with <varname>krb_srvname</>, is used to generate
+        the complete service principal, that is
+        <varname>krb_srvname</><literal>/</><varname>krb_server_hostname</><literal>@</>REALM.
+        If not set, the default is the server host name.
+       </para>
+      </listitem>
+     </varlistentry>
+    </variablelist>
+   </para>
   </sect2>
 
   <sect2 id="auth-ident">
index 564e5c0236c854ca4cc323a8d74e7423304b81a6..0d8cf0a84cb52f707f6cb529e42ce8510c8fd4aa 100644 (file)
@@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/config.sgml,v 1.203 2009/01/07 22:40:48 tgl Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/config.sgml,v 1.204 2009/01/09 10:13:18 mha Exp $ -->
 
 <chapter Id="runtime-config">
   <title>Server Configuration</title>
@@ -612,22 +612,6 @@ SET ENABLE_SEQSCAN TO OFF;
       </listitem>
      </varlistentry>
 
-     <varlistentry id="guc-krb-realm" xreflabel="krb_realm">
-      <term><varname>krb_realm</varname> (<type>string</type>)</term>
-      <indexterm>
-       <primary><varname>krb_realm</> configuration parameter</primary>
-      </indexterm>
-      <listitem>
-       <para>
-        Sets the realm to match Kerberos, GSSAPI and SSPI user names against.
-        See <xref linkend="kerberos-auth">, <xref linkend="gssapi-auth"> or
-        <xref linkend="sspi-auth"> for details. This parameter can only be 
-        set in the <filename>postgresql.conf</> file or on the server 
-        command line.
-       </para>
-      </listitem>
-     </varlistentry>
-
      <varlistentry id="guc-krb-server-keyfile" xreflabel="krb_server_keyfile">
       <term><varname>krb_server_keyfile</varname> (<type>string</type>)</term>
       <indexterm>
@@ -657,24 +641,6 @@ SET ENABLE_SEQSCAN TO OFF;
       </listitem>
      </varlistentry>
 
-     <varlistentry id="guc-krb-server-hostname" xreflabel="krb_server_hostname">
-      <term><varname>krb_server_hostname</varname> (<type>string</type>)</term>
-      <indexterm>
-       <primary><varname>krb_server_hostname</> configuration parameter</primary>
-      </indexterm>
-      <listitem>
-       <para>
-        Sets the host name part of the service principal.
-        This, combined with <varname>krb_srvname</>, is used to generate
-        the complete service principal, that is
-        <varname>krb_srvname</><literal>/</><varname>krb_server_hostname</><literal>@</>REALM.
-        If not set, the default is the server host name.  See <xref linkend="kerberos-auth">
-        for details. This parameter can only be set in the <filename>postgresql.conf</>
-        file or on the server command line.
-       </para>
-      </listitem>
-     </varlistentry>
-
      <varlistentry id="guc-krb-caseins-users" xreflabel="krb_caseins_users">
       <term><varname>krb_caseins_users</varname> (<type>boolean</type>)</term>
       <indexterm>
index 4b5773ab88163474894e521797be0c097464d678..f0561a5b969a4d0d0c01d4ee3d480870de2a2133 100644 (file)
@@ -8,7 +8,7 @@
  *
  *
  * IDENTIFICATION
- *       $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.177 2009/01/07 13:09:21 mha Exp $
+ *       $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.178 2009/01/09 10:13:18 mha Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -129,8 +129,6 @@ static int  CheckCertAuth(Port *port);
 char      *pg_krb_server_keyfile;
 char      *pg_krb_srvnam;
 bool           pg_krb_caseins_users;
-char      *pg_krb_server_hostname = NULL;
-char      *pg_krb_realm = NULL;
 
 
 /*----------------------------------------------------------------
@@ -645,10 +643,7 @@ pg_krb5_init(Port *port)
         * If no hostname was specified, pg_krb_server_hostname is already NULL.
         * If it's set to blank, force it to NULL.
         */
-       if (port->hba->krb_server_hostname)
-               khostname = port->hba->krb_server_hostname;
-       else
-               khostname = pg_krb_server_hostname;
+       khostname = port->hba->krb_server_hostname;
        if (khostname && khostname[0] == '\0')
                khostname = NULL;
 
@@ -694,7 +689,6 @@ pg_krb5_recvauth(Port *port)
        krb5_ticket *ticket;
        char       *kusername;
        char       *cp;
-       char       *realmmatch;
 
        if (get_role_line(port->user_name) == NULL)
                return STATUS_ERROR;
@@ -740,11 +734,6 @@ pg_krb5_recvauth(Port *port)
                return STATUS_ERROR;
        }
 
-       if (port->hba->krb_realm)
-               realmmatch = port->hba->krb_realm;
-       else
-               realmmatch = pg_krb_realm;
-
        cp = strchr(kusername, '@');
        if (cp)
        {
@@ -757,19 +746,19 @@ pg_krb5_recvauth(Port *port)
                        *cp = '\0';
                cp++;
 
-               if (realmmatch != NULL && strlen(realmmatch))
+               if (port->hba->krb_realm != NULL && strlen(port->hba->krb_realm))
                {
                        /* Match realm against configured */
                        if (pg_krb_caseins_users)
-                               ret = pg_strcasecmp(realmmatch, cp);
+                               ret = pg_strcasecmp(port->hba->krb_realm, cp);
                        else
-                               ret = strcmp(realmmatch, cp);
+                               ret = strcmp(port->hba->krb_realm, cp);
 
                        if (ret)
                        {
                                elog(DEBUG2,
                                         "krb5 realm (%s) and configured realm (%s) don't match",
-                                        cp, realmmatch);
+                                        cp, port->hba->krb_realm);
 
                                krb5_free_ticket(pg_krb5_context, ticket);
                                krb5_auth_con_free(pg_krb5_context, auth_context);
@@ -777,7 +766,7 @@ pg_krb5_recvauth(Port *port)
                        }
                }
        }
-       else if (realmmatch && strlen(realmmatch))
+       else if (port->hba->krb_realm&& strlen(port->hba->krb_realm))
        {
                elog(DEBUG2,
                         "krb5 did not return realm but realm matching was requested");
@@ -874,7 +863,6 @@ pg_GSS_recvauth(Port *port)
        int                     ret;
        StringInfoData buf;
        gss_buffer_desc gbuf;
-       char       *realmmatch;
 
        /*
         * GSS auth is not supported for protocol versions before 3, because it
@@ -1034,11 +1022,6 @@ pg_GSS_recvauth(Port *port)
                                         gettext_noop("retrieving GSS user name failed"),
                                         maj_stat, min_stat);
 
-       if (port->hba->krb_realm)
-               realmmatch = port->hba->krb_realm;
-       else
-               realmmatch = pg_krb_realm;
-
        /*
         * Split the username at the realm separator
         */
@@ -1055,28 +1038,28 @@ pg_GSS_recvauth(Port *port)
                        *cp = '\0';
                cp++;
 
-               if (realmmatch != NULL && strlen(realmmatch))
+               if (port->hba->krb_realm != NULL && strlen(port->hba->krb_realm))
                {
                        /*
                         * Match the realm part of the name first
                         */
                        if (pg_krb_caseins_users)
-                               ret = pg_strcasecmp(realmmatch, cp);
+                               ret = pg_strcasecmp(port->hba->krb_realm, cp);
                        else
-                               ret = strcmp(realmmatch, cp);
+                               ret = strcmp(port->hba->krb_realm, cp);
 
                        if (ret)
                        {
                                /* GSS realm does not match */
                                elog(DEBUG2,
                                   "GSSAPI realm (%s) and configured realm (%s) don't match",
-                                        cp, realmmatch);
+                                        cp, port->hba->krb_realm);
                                gss_release_buffer(&lmin_s, &gbuf);
                                return STATUS_ERROR;
                        }
                }
        }
-       else if (realmmatch && strlen(realmmatch))
+       else if (port->hba->krb_realm && strlen(port->hba->krb_realm))
        {
                elog(DEBUG2,
                         "GSSAPI did not return realm but realm matching was requested");
@@ -1140,7 +1123,6 @@ pg_SSPI_recvauth(Port *port)
        SID_NAME_USE accountnameuse;
        HMODULE         secur32;
        QUERY_SECURITY_CONTEXT_TOKEN_FN _QuerySecurityContextToken;
-       char       *realmmatch;
 
        /*
         * SSPI auth is not supported for protocol versions before 3, because it
@@ -1353,18 +1335,13 @@ pg_SSPI_recvauth(Port *port)
         * Compare realm/domain if requested. In SSPI, always compare case
         * insensitive.
         */
-       if (port->hba->krb_realm)
-               realmmatch = port->hba->krb_realm;
-       else
-               realmmatch = pg_krb_realm;
-
-       if (realmmatch && strlen(realmmatch))
+       if (port->hba->krb_realm && strlen(port->hba->krb_realm))
        {
-               if (pg_strcasecmp(realmmatch, domainname))
+               if (pg_strcasecmp(port->hba->krb_realm, domainname))
                {
                        elog(DEBUG2,
                                 "SSPI domain (%s) and configured domain (%s) don't match",
-                                domainname, realmmatch);
+                                domainname, port->hba->krb_realm);
 
                        return STATUS_ERROR;
                }
index 22cfbff610507d3527958f46320b67051d50957c..8d927ae138778bf2a4f6b78cbdb8da2e910bd0fb 100644 (file)
@@ -10,7 +10,7 @@
  * Written by Peter Eisentraut <peter_e@gmx.net>.
  *
  * IDENTIFICATION
- *       $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.491 2009/01/07 22:40:49 tgl Exp $
+ *       $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.492 2009/01/09 10:13:18 mha Exp $
  *
  *--------------------------------------------------------------------
  */
@@ -2130,16 +2130,6 @@ static struct config_string ConfigureNamesString[] =
                "$libdir", NULL, NULL
        },
 
-       {
-               {"krb_realm", PGC_SIGHUP, CONN_AUTH_SECURITY,
-                       gettext_noop("Sets realm to match Kerberos and GSSAPI users against."),
-                       NULL,
-                       GUC_SUPERUSER_ONLY
-               },
-               &pg_krb_realm,
-               NULL, NULL, NULL
-       },
-
        {
                {"krb_server_keyfile", PGC_SIGHUP, CONN_AUTH_SECURITY,
                        gettext_noop("Sets the location of the Kerberos server key file."),
@@ -2159,15 +2149,6 @@ static struct config_string ConfigureNamesString[] =
                PG_KRB_SRVNAM, NULL, NULL
        },
 
-       {
-               {"krb_server_hostname", PGC_SIGHUP, CONN_AUTH_SECURITY,
-                       gettext_noop("Sets the hostname of the Kerberos server."),
-                       NULL
-               },
-               &pg_krb_server_hostname,
-               NULL, NULL, NULL
-       },
-
        {
                {"bonjour_name", PGC_POSTMASTER, CONN_AUTH_SETTINGS,
                        gettext_noop("Sets the Bonjour broadcast service name."),
index d53861511aea366f3dad3c217e11feb22f26e772..ffa5055b76889b56bcdfd09a81f1fc29ee8af975 100644 (file)
 # Kerberos and GSSAPI
 #krb_server_keyfile = ''
 #krb_srvname = 'postgres'              # (Kerberos only)
-#krb_server_hostname = ''              # empty string matches any keytab entry
-                                       # (Kerberos only)
 #krb_caseins_users = off
-#krb_realm = ''
 
 # - TCP Keepalives -
 # see "man 7 tcp" for details