
Re: [Ovirt-devel] PostgreSQL supports GSSAPI auth..



Daniel P. Berrange wrote:
I notice that the WUI appliance creates a random password for the postgresql
server in its setup.

PostgreSQL has long had Kerberos support authenticating users against their
kerberos password, instead of tracking it in the PG user database, but more
compelling is that it also recently gained GSSAPI support for single-signon.

If your PG client (i.e. oVirt WUI/taskomatic) has a client principal, then
it can login to PG without needing a password. All that is needed is to
create a PG user with matching username to your client principal username.

http://developer.postgresql.org/pgdocs/postgres/auth-methods.html#GSSAPI-AUTH
http://developer.postgresql.org/pgdocs/postgres/auth-methods.html#KERBEROS-AUTH

oVirt of course already has a client principal since it uses that to talk
to libvirt, so it strikes me that it ought to be possible to just use that
for PG too, and do away with generating a random password for PG.

Didn't know that... We do use a service principal on the ovirt server to talk between the various local services (taskomatic, host browser, etc). I see no reason that we couldn't extend this to postgresql.

Someone want to work on that and submit a patch?  :)

Perry
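
The change discussed in this thread, sketched as an added configuration example (not from the original messages or from the oVirt code): a pg_hba.conf entry that replaces password authentication with GSSAPI on a current PostgreSQL release. The realm EXAMPLE.COM, the database and role name "ovirt", the principal ovirt@EXAMPLE.COM, the address range and the keytab path are all assumed placeholders.

```conf
# pg_hba.conf (constructed example; every name and address is a placeholder)

# Before: the client logs in with a stored, randomly generated password.
# host    ovirt    ovirt    192.0.2.0/24    md5

# After: the client presents its Kerberos ticket over GSSAPI, no password.
#   include_realm=0  strips "@EXAMPLE.COM", so the principal
#                    ovirt@EXAMPLE.COM is checked against the role "ovirt"
#   krb_realm        rejects principals from any other realm, which matters
#                    once the realm is stripped from the name
host    ovirt    ovirt    192.0.2.0/24    gss include_realm=0 krb_realm=EXAMPLE.COM

# Keep no password-based fallback line for the same database/user below
# this one if the goal is to retire the stored password.

# postgresql.conf: keytab holding the server's own service key
# (postgres/<server-fqdn>@EXAMPLE.COM), readable only by the postgres user.
# krb_server_keyfile = '/etc/postgresql/krb5.keytab'

# SQL, run once: a login role whose name matches the stripped principal,
# created without a password.
# CREATE ROLE ovirt LOGIN;
```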

