From 3d4fa227bce4294ce1cc214b4a9d3b7caa3f0454 Mon Sep 17 00:00:00 2001 From: Stephen Frost Date: Fri, 7 Apr 2023 21:58:04 -0400 Subject: Add support for Kerberos credential delegation Support GSSAPI/Kerberos credentials being delegated to the server by a client. With this, a user authenticating to PostgreSQL using Kerberos (GSSAPI) credentials can choose to delegate their credentials to the PostgreSQL server (which can choose to accept them, or not), allowing the server to then use those delegated credentials to connect to another service, such as with postgres_fdw or dblink or theoretically any other service which is able to be authenticated using Kerberos. Both postgres_fdw and dblink are changed to allow non-superuser password-less connections but only when GSSAPI credentials have been delegated to the server by the client and GSSAPI is used to authenticate to the remote system. Authors: Stephen Frost, Peifeng Qiu Reviewed-By: David Christensen Discussion: https://postgr.es/m/CO1PR05MB8023CC2CB575E0FAAD7DF4F8A8E29@CO1PR05MB8023.namprd05.prod.outlook.com --- doc/src/sgml/postgres-fdw.sgml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'doc/src/sgml/postgres-fdw.sgml') diff --git a/doc/src/sgml/postgres-fdw.sgml b/doc/src/sgml/postgres-fdw.sgml index 9e66987cf7f..281966f16ff 100644 --- a/doc/src/sgml/postgres-fdw.sgml +++ b/doc/src/sgml/postgres-fdw.sgml @@ -169,9 +169,10 @@ sslcert or sslkey settings. - Only superusers may connect to foreign servers without password - authentication, so always specify the password option - for user mappings belonging to non-superusers. + Non-superusers may connect to foreign servers using password + authentication or with GSSAPI delegated credentials, so specify the + password option for user mappings belonging to + non-superusers where password authentication is required. A superuser may override this check on a per-user-mapping basis by setting -- cgit v1.2.3