diff options
| -rw-r--r-- | doc/src/sgml/config.sgml | 233 | ||||
| -rw-r--r-- | src/backend/utils/misc/guc.c | 38 | ||||
| -rw-r--r-- | src/backend/utils/misc/postgresql.conf.sample | 41 | ||||
| -rw-r--r-- | src/include/utils/guc_tables.h | 3 |
4 files changed, 165 insertions, 150 deletions
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml index 31eaacfc4fe..45b2af14eb9 100644 --- a/doc/src/sgml/config.sgml +++ b/doc/src/sgml/config.sgml @@ -924,8 +924,9 @@ include_dir 'conf.d' </variablelist> </sect2> - <sect2 id="runtime-config-connection-security"> - <title>Security and Authentication</title> + + <sect2 id="runtime-config-connection-authentication"> + <title>Authentication</title> <variablelist> <varlistentry id="guc-authentication-timeout" xreflabel="authentication_timeout"> @@ -950,6 +951,123 @@ include_dir 'conf.d' </listitem> </varlistentry> + <varlistentry id="guc-password-encryption" xreflabel="password_encryption"> + <term><varname>password_encryption</varname> (<type>enum</type>) + <indexterm> + <primary><varname>password_encryption</varname> configuration parameter</primary> + </indexterm> + </term> + <listitem> + <para> + When a password is specified in <xref linkend="sql-createrole"/> or + <xref linkend="sql-alterrole"/>, this parameter determines the algorithm + to use to encrypt the password. The default value is <literal>md5</literal>, + which stores the password as an MD5 hash (<literal>on</literal> is also + accepted, as alias for <literal>md5</literal>). Setting this parameter to + <literal>scram-sha-256</literal> will encrypt the password with SCRAM-SHA-256. + </para> + <para> + Note that older clients might lack support for the SCRAM authentication + mechanism, and hence not work with passwords encrypted with + SCRAM-SHA-256. See <xref linkend="auth-password"/> for more details. + </para> + </listitem> + </varlistentry> + + <varlistentry id="guc-krb-server-keyfile" xreflabel="krb_server_keyfile"> + <term><varname>krb_server_keyfile</varname> (<type>string</type>) + <indexterm> + <primary><varname>krb_server_keyfile</varname> configuration parameter</primary> + </indexterm> + </term> + <listitem> + <para> + Sets the location of the Kerberos server key file. See + <xref linkend="gssapi-auth"/> + for details. This parameter can only be set in the + <filename>postgresql.conf</filename> file or on the server command line. + </para> + </listitem> + </varlistentry> + + <varlistentry id="guc-krb-caseins-users" xreflabel="krb_caseins_users"> + <term><varname>krb_caseins_users</varname> (<type>boolean</type>) + <indexterm> + <primary><varname>krb_caseins_users</varname> configuration parameter</primary> + </indexterm> + </term> + <listitem> + <para> + Sets whether GSSAPI user names should be treated + case-insensitively. + The default is <literal>off</literal> (case sensitive). This parameter can only be + set in the <filename>postgresql.conf</filename> file or on the server command line. + </para> + </listitem> + </varlistentry> + + <varlistentry id="guc-db-user-namespace" xreflabel="db_user_namespace"> + <term><varname>db_user_namespace</varname> (<type>boolean</type>) + <indexterm> + <primary><varname>db_user_namespace</varname> configuration parameter</primary> + </indexterm> + </term> + <listitem> + <para> + This parameter enables per-database user names. It is off by default. + This parameter can only be set in the <filename>postgresql.conf</filename> + file or on the server command line. + </para> + + <para> + If this is on, you should create users as <replaceable>username@dbname</replaceable>. + When <replaceable>username</replaceable> is passed by a connecting client, + <literal>@</literal> and the database name are appended to the user + name and that database-specific user name is looked up by the + server. Note that when you create users with names containing + <literal>@</literal> within the SQL environment, you will need to + quote the user name. + </para> + + <para> + With this parameter enabled, you can still create ordinary global + users. Simply append <literal>@</literal> when specifying the user + name in the client, e.g. <literal>joe@</literal>. The <literal>@</literal> + will be stripped off before the user name is looked up by the + server. + </para> + + <para> + <varname>db_user_namespace</varname> causes the client's and + server's user name representation to differ. + Authentication checks are always done with the server's user name + so authentication methods must be configured for the + server's user name, not the client's. Because + <literal>md5</literal> uses the user name as salt on both the + client and server, <literal>md5</literal> cannot be used with + <varname>db_user_namespace</varname>. + </para> + + <note> + <para> + This feature is intended as a temporary measure until a + complete solution is found. At that time, this option will + be removed. + </para> + </note> + </listitem> + </varlistentry> + </variablelist> + </sect2> + + <sect2 id="runtime-config-connection-ssl"> + <title>SSL</title> + + <para> + See <xref linkend="ssl-tcp"/> for more information about setting up SSL. + </para> + + <variablelist> <varlistentry id="guc-ssl" xreflabel="ssl"> <term><varname>ssl</varname> (<type>boolean</type>) <indexterm> @@ -958,8 +1076,7 @@ include_dir 'conf.d' </term> <listitem> <para> - Enables <acronym>SSL</acronym> connections. Please read - <xref linkend="ssl-tcp"/> before using this. + Enables <acronym>SSL</acronym> connections. This parameter can only be set in the <filename>postgresql.conf</filename> file or on the server command line. The default is <literal>off</literal>. @@ -1172,29 +1289,6 @@ include_dir 'conf.d' </listitem> </varlistentry> - <varlistentry id="guc-password-encryption" xreflabel="password_encryption"> - <term><varname>password_encryption</varname> (<type>enum</type>) - <indexterm> - <primary><varname>password_encryption</varname> configuration parameter</primary> - </indexterm> - </term> - <listitem> - <para> - When a password is specified in <xref linkend="sql-createrole"/> or - <xref linkend="sql-alterrole"/>, this parameter determines the algorithm - to use to encrypt the password. The default value is <literal>md5</literal>, - which stores the password as an MD5 hash (<literal>on</literal> is also - accepted, as alias for <literal>md5</literal>). Setting this parameter to - <literal>scram-sha-256</literal> will encrypt the password with SCRAM-SHA-256. - </para> - <para> - Note that older clients might lack support for the SCRAM authentication - mechanism, and hence not work with passwords encrypted with - SCRAM-SHA-256. See <xref linkend="auth-password"/> for more details. - </para> - </listitem> - </varlistentry> - <varlistentry id="guc-ssl-dh-params-file" xreflabel="ssl_dh_params_file"> <term><varname>ssl_dh_params_file</varname> (<type>string</type>) <indexterm> @@ -1218,91 +1312,6 @@ include_dir 'conf.d' </para> </listitem> </varlistentry> - - <varlistentry id="guc-krb-server-keyfile" xreflabel="krb_server_keyfile"> - <term><varname>krb_server_keyfile</varname> (<type>string</type>) - <indexterm> - <primary><varname>krb_server_keyfile</varname> configuration parameter</primary> - </indexterm> - </term> - <listitem> - <para> - Sets the location of the Kerberos server key file. See - <xref linkend="gssapi-auth"/> - for details. This parameter can only be set in the - <filename>postgresql.conf</filename> file or on the server command line. - </para> - </listitem> - </varlistentry> - - <varlistentry id="guc-krb-caseins-users" xreflabel="krb_caseins_users"> - <term><varname>krb_caseins_users</varname> (<type>boolean</type>) - <indexterm> - <primary><varname>krb_caseins_users</varname> configuration parameter</primary> - </indexterm> - </term> - <listitem> - <para> - Sets whether GSSAPI user names should be treated - case-insensitively. - The default is <literal>off</literal> (case sensitive). This parameter can only be - set in the <filename>postgresql.conf</filename> file or on the server command line. - </para> - </listitem> - </varlistentry> - - <varlistentry id="guc-db-user-namespace" xreflabel="db_user_namespace"> - <term><varname>db_user_namespace</varname> (<type>boolean</type>) - <indexterm> - <primary><varname>db_user_namespace</varname> configuration parameter</primary> - </indexterm> - </term> - <listitem> - <para> - This parameter enables per-database user names. It is off by default. - This parameter can only be set in the <filename>postgresql.conf</filename> - file or on the server command line. - </para> - - <para> - If this is on, you should create users as <replaceable>username@dbname</replaceable>. - When <replaceable>username</replaceable> is passed by a connecting client, - <literal>@</literal> and the database name are appended to the user - name and that database-specific user name is looked up by the - server. Note that when you create users with names containing - <literal>@</literal> within the SQL environment, you will need to - quote the user name. - </para> - - <para> - With this parameter enabled, you can still create ordinary global - users. Simply append <literal>@</literal> when specifying the user - name in the client, e.g. <literal>joe@</literal>. The <literal>@</literal> - will be stripped off before the user name is looked up by the - server. - </para> - - <para> - <varname>db_user_namespace</varname> causes the client's and - server's user name representation to differ. - Authentication checks are always done with the server's user name - so authentication methods must be configured for the - server's user name, not the client's. Because - <literal>md5</literal> uses the user name as salt on both the - client and server, <literal>md5</literal> cannot be used with - <varname>db_user_namespace</varname>. - </para> - - <note> - <para> - This feature is intended as a temporary measure until a - complete solution is found. At that time, this option will - be removed. - </para> - </note> - </listitem> - </varlistentry> - </variablelist> </sect2> </sect1> diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c index d03ba234b5d..5884fa905e9 100644 --- a/src/backend/utils/misc/guc.c +++ b/src/backend/utils/misc/guc.c @@ -573,8 +573,10 @@ const char *const config_group_names[] = gettext_noop("Connections and Authentication"), /* CONN_AUTH_SETTINGS */ gettext_noop("Connections and Authentication / Connection Settings"), - /* CONN_AUTH_SECURITY */ - gettext_noop("Connections and Authentication / Security and Authentication"), + /* CONN_AUTH_AUTH */ + gettext_noop("Connections and Authentication / Authentication"), + /* CONN_AUTH_SSL */ + gettext_noop("Connections and Authentication / SSL"), /* RESOURCES */ gettext_noop("Resource Usage"), /* RESOURCES_MEM */ @@ -978,7 +980,7 @@ static struct config_bool ConfigureNamesBool[] = NULL, NULL, NULL }, { - {"ssl", PGC_SIGHUP, CONN_AUTH_SECURITY, + {"ssl", PGC_SIGHUP, CONN_AUTH_SSL, gettext_noop("Enables SSL connections."), NULL }, @@ -987,7 +989,7 @@ static struct config_bool ConfigureNamesBool[] = check_ssl, NULL, NULL }, { - {"ssl_prefer_server_ciphers", PGC_SIGHUP, CONN_AUTH_SECURITY, + {"ssl_prefer_server_ciphers", PGC_SIGHUP, CONN_AUTH_SSL, gettext_noop("Give priority to server ciphersuite order."), NULL }, @@ -1378,7 +1380,7 @@ static struct config_bool ConfigureNamesBool[] = NULL, NULL, NULL }, { - {"db_user_namespace", PGC_SIGHUP, CONN_AUTH_SECURITY, + {"db_user_namespace", PGC_SIGHUP, CONN_AUTH_AUTH, gettext_noop("Enables per-database user names."), NULL }, @@ -1425,7 +1427,7 @@ static struct config_bool ConfigureNamesBool[] = check_transaction_deferrable, NULL, NULL }, { - {"row_security", PGC_USERSET, CONN_AUTH_SECURITY, + {"row_security", PGC_USERSET, CLIENT_CONN_STATEMENT, gettext_noop("Enable row security."), gettext_noop("When enabled, row security will be applied to all users.") }, @@ -1548,7 +1550,7 @@ static struct config_bool ConfigureNamesBool[] = }, { - {"krb_caseins_users", PGC_SIGHUP, CONN_AUTH_SECURITY, + {"krb_caseins_users", PGC_SIGHUP, CONN_AUTH_AUTH, gettext_noop("Sets whether Kerberos and GSSAPI user names should be treated as case-insensitive."), NULL }, @@ -2247,7 +2249,7 @@ static struct config_int ConfigureNamesInt[] = }, { - {"authentication_timeout", PGC_SIGHUP, CONN_AUTH_SECURITY, + {"authentication_timeout", PGC_SIGHUP, CONN_AUTH_AUTH, gettext_noop("Sets the maximum allowed time to complete client authentication."), NULL, GUC_UNIT_S @@ -2797,7 +2799,7 @@ static struct config_int ConfigureNamesInt[] = }, { - {"ssl_renegotiation_limit", PGC_USERSET, CONN_AUTH_SECURITY, + {"ssl_renegotiation_limit", PGC_USERSET, CONN_AUTH_SSL, gettext_noop("SSL renegotiation is no longer supported; this can only be 0."), NULL, GUC_NO_SHOW_ALL | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE, @@ -3170,7 +3172,7 @@ static struct config_string ConfigureNamesString[] = }, { - {"krb_server_keyfile", PGC_SIGHUP, CONN_AUTH_SECURITY, + {"krb_server_keyfile", PGC_SIGHUP, CONN_AUTH_AUTH, gettext_noop("Sets the location of the Kerberos server key file."), NULL, GUC_SUPERUSER_ONLY @@ -3530,7 +3532,7 @@ static struct config_string ConfigureNamesString[] = }, { - {"ssl_cert_file", PGC_SIGHUP, CONN_AUTH_SECURITY, + {"ssl_cert_file", PGC_SIGHUP, CONN_AUTH_SSL, gettext_noop("Location of the SSL server certificate file."), NULL }, @@ -3540,7 +3542,7 @@ static struct config_string ConfigureNamesString[] = }, { - {"ssl_key_file", PGC_SIGHUP, CONN_AUTH_SECURITY, + {"ssl_key_file", PGC_SIGHUP, CONN_AUTH_SSL, gettext_noop("Location of the SSL server private key file."), NULL }, @@ -3550,7 +3552,7 @@ static struct config_string ConfigureNamesString[] = }, { - {"ssl_ca_file", PGC_SIGHUP, CONN_AUTH_SECURITY, + {"ssl_ca_file", PGC_SIGHUP, CONN_AUTH_SSL, gettext_noop("Location of the SSL certificate authority file."), NULL }, @@ -3560,7 +3562,7 @@ static struct config_string ConfigureNamesString[] = }, { - {"ssl_crl_file", PGC_SIGHUP, CONN_AUTH_SECURITY, + {"ssl_crl_file", PGC_SIGHUP, CONN_AUTH_SSL, gettext_noop("Location of the SSL certificate revocation list file."), NULL }, @@ -3602,7 +3604,7 @@ static struct config_string ConfigureNamesString[] = }, { - {"ssl_ciphers", PGC_SIGHUP, CONN_AUTH_SECURITY, + {"ssl_ciphers", PGC_SIGHUP, CONN_AUTH_SSL, gettext_noop("Sets the list of allowed SSL ciphers."), NULL, GUC_SUPERUSER_ONLY @@ -3617,7 +3619,7 @@ static struct config_string ConfigureNamesString[] = }, { - {"ssl_ecdh_curve", PGC_SIGHUP, CONN_AUTH_SECURITY, + {"ssl_ecdh_curve", PGC_SIGHUP, CONN_AUTH_SSL, gettext_noop("Sets the curve to use for ECDH."), NULL, GUC_SUPERUSER_ONLY @@ -3632,7 +3634,7 @@ static struct config_string ConfigureNamesString[] = }, { - {"ssl_dh_params_file", PGC_SIGHUP, CONN_AUTH_SECURITY, + {"ssl_dh_params_file", PGC_SIGHUP, CONN_AUTH_SSL, gettext_noop("Location of the SSL DH parameters file."), NULL, GUC_SUPERUSER_ONLY @@ -3932,7 +3934,7 @@ static struct config_enum ConfigureNamesEnum[] = }, { - {"password_encryption", PGC_USERSET, CONN_AUTH_SECURITY, + {"password_encryption", PGC_USERSET, CONN_AUTH_AUTH, gettext_noop("Encrypt passwords."), gettext_noop("When a password is specified in CREATE USER or " "ALTER USER without writing either ENCRYPTED or UNENCRYPTED, " diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample index 69f40f04b05..abffde6b2be 100644 --- a/src/backend/utils/misc/postgresql.conf.sample +++ b/src/backend/utils/misc/postgresql.conf.sample @@ -73,35 +73,37 @@ #bonjour_name = '' # defaults to the computer name # (change requires restart) -# - Security and Authentication - +# - TCP Keepalives - +# see "man 7 tcp" for details + +#tcp_keepalives_idle = 0 # TCP_KEEPIDLE, in seconds; + # 0 selects the system default +#tcp_keepalives_interval = 0 # TCP_KEEPINTVL, in seconds; + # 0 selects the system default +#tcp_keepalives_count = 0 # TCP_KEEPCNT; + # 0 selects the system default + +# - Authentication - #authentication_timeout = 1min # 1s-600s -#ssl = off -#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers -#ssl_prefer_server_ciphers = on -#ssl_ecdh_curve = 'prime256v1' -#ssl_dh_params_file = '' -#ssl_cert_file = 'server.crt' -#ssl_key_file = 'server.key' -#ssl_ca_file = '' -#ssl_crl_file = '' #password_encryption = md5 # md5 or scram-sha-256 #db_user_namespace = off -#row_security = on # GSSAPI using Kerberos #krb_server_keyfile = '' #krb_caseins_users = off -# - TCP Keepalives - -# see "man 7 tcp" for details +# - SSL - -#tcp_keepalives_idle = 0 # TCP_KEEPIDLE, in seconds; - # 0 selects the system default -#tcp_keepalives_interval = 0 # TCP_KEEPINTVL, in seconds; - # 0 selects the system default -#tcp_keepalives_count = 0 # TCP_KEEPCNT; - # 0 selects the system default +#ssl = off +#ssl_ca_file = '' +#ssl_cert_file = 'server.crt' +#ssl_crl_file = '' +#ssl_key_file = 'server.key' +#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers +#ssl_prefer_server_ciphers = on +#ssl_ecdh_curve = 'prime256v1' +#ssl_dh_params_file = '' #------------------------------------------------------------------------------ @@ -543,6 +545,7 @@ # - Statement Behavior - #search_path = '"$user", public' # schema names +#row_security = on #default_tablespace = '' # a tablespace name, '' uses the default #temp_tablespaces = '' # a list of tablespace names, '' uses # only default tablespace diff --git a/src/include/utils/guc_tables.h b/src/include/utils/guc_tables.h index 04de6a383ad..668d9efd357 100644 --- a/src/include/utils/guc_tables.h +++ b/src/include/utils/guc_tables.h @@ -56,7 +56,8 @@ enum config_group FILE_LOCATIONS, CONN_AUTH, CONN_AUTH_SETTINGS, - CONN_AUTH_SECURITY, + CONN_AUTH_AUTH, + CONN_AUTH_SSL, RESOURCES, RESOURCES_MEM, RESOURCES_DISK, |