From 3d4fa227bce4294ce1cc214b4a9d3b7caa3f0454 Mon Sep 17 00:00:00 2001
From: Stephen Frost
Date: Fri, 7 Apr 2023 21:58:04 -0400
Subject: Add support for Kerberos credential delegation
Support GSSAPI/Kerberos credentials being delegated to the server by a
client. With this, a user authenticating to PostgreSQL using Kerberos
(GSSAPI) credentials can choose to delegate their credentials to the
PostgreSQL server (which can choose to accept them, or not), allowing
the server to then use those delegated credentials to connect to
another service, such as with postgres_fdw or dblink or theoretically
any other service which is able to be authenticated using Kerberos.
Both postgres_fdw and dblink are changed to allow non-superuser
password-less connections but only when GSSAPI credentials have been
delegated to the server by the client and GSSAPI is used to
authenticate to the remote system.
Authors: Stephen Frost, Peifeng Qiu
Reviewed-By: David Christensen
Discussion: https://postgr.es/m/CO1PR05MB8023CC2CB575E0FAAD7DF4F8A8E29@CO1PR05MB8023.namprd05.prod.outlook.com
---
doc/src/sgml/postgres-fdw.sgml | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
(limited to 'doc/src/sgml/postgres-fdw.sgml')
diff --git a/doc/src/sgml/postgres-fdw.sgml b/doc/src/sgml/postgres-fdw.sgml
index 9e66987cf7f..281966f16ff 100644
--- a/doc/src/sgml/postgres-fdw.sgml
+++ b/doc/src/sgml/postgres-fdw.sgml
@@ -169,9 +169,10 @@
sslcert or sslkey settings.
- Only superusers may connect to foreign servers without password
- authentication, so always specify the password option
- for user mappings belonging to non-superusers.
+ Non-superusers may connect to foreign servers using password
+ authentication or with GSSAPI delegated credentials, so specify the
+ password option for user mappings belonging to
+ non-superusers where password authentication is required.
A superuser may override this check on a per-user-mapping basis by setting
--
cgit v1.2.3