Re: PG 14 release notes, first draft

From: Justin Pryzby
Subject: Re: PG 14 release notes, first draft
Msg-id: 20210512150605.GR27406@telsasoft.com
In reply to: Re: PG 14 release notes, first draft  (Bruce Momjian <bruce@momjian.us>)
Responses: Re: PG 14 release notes, first draft  (Bruce Momjian <bruce@momjian.us>)
List: pgsql-hackers
On Tue, May 11, 2021 at 10:45:04PM -0400, Bruce Momjian wrote:
> On Tue, May 11, 2021 at 05:13:21PM -0500, Justin Pryzby wrote:
> > On Tue, May 11, 2021 at 10:35:23AM -0400, Bruce Momjian wrote:
> > > > | Allow more than the common name (CN) to be matched for client certificate authentication (Andrew Dunstan) 
> > > > Your description makes it sound like arbitrary attributes can be compared.  But
> > > > the option just allows comparing CN or DN.
> > > 
> > > OK, new text is:
> > > 
> > >     <para>
> > >     Allow the certificate's distinguished name (DN) to be matched for client
> > >     certificate authentication (Andrew Dunstan)
> > >     </para>
> > >     
> > >     <para>
> > >     The new pg_hba.conf keyword "clientname=DN" allows comparison with
> > >     non-CN certificate attributes and can be combined with ident maps.
> > >     </para>
> > >     </listitem>
> > 
> > I think this part is still misleading.  The option just allows DN/CN, so it's
> > strange to say "non-CN attributes".
> 
> OK, so this is where I am confused.  I searched for distinguished name
> (DN) and came up with DN being a concatenation of all the fields
> provided to the certificate signing request (CSR).  Is that right?
> Wouldn't people test _parts_ of the DN, rather than all of it?

+Andrew

The full DN is probably not the postgres username, so the docs suggest that:
| This option is probably best used in conjunction with a username map.

You're right that clientname=DN allows testing *parts* of the DN, but I don't
know if there's any reason to believe that's the typical use case.

The primary utility of clientname=DN seems to be that the CN alone is (or can
be) ambiguous - matching on the full DN is intended to resolve that.  I think
the release notes should focus on this.

Matching parts of the DN (other than the CN) seems like a secondary use.

Maybe a variation on your original words is better.
| Allow the distinguished name (DN) to be matched for client certificate authentication (Andrew Dunstan) 
| Previously, matching was done only on the common name (CN).
| With a username map, the DN can be matched in full or in part.

> The test in the patch seems to do that:
> 
> +     "# MAPNAME       SYSTEM-USERNAME                           PG-USERNAME\n",
> +     "dn             \"CN=ssltestuser-dn,OU=Testing,OU=Engineering,O=PGDG\"    ssltestuser\n",
> +     "dnre           \"/^.*OU=Testing,.*\$\"                    ssltestuser\n",
> +     "cn              ssltestuser-dn                            ssltestuser\n";
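Review bot: the `dnre` entry's pattern `/^.*OU=Testing,.*$/` is only nominally anchored, since `^.*` and `.*$` match anything, so it accepts every DN that contains the text `OU=Testing,` at any position in the subject. That is adequate for a test of partial DN matching, but if this fixture is reused as a documentation example for `clientname=DN` it would be clearer to pin the component to its position, for instance `/^CN=[^,]*,OU=Testing,/`, so the map does not over-match. The `dn` entry on the line above also relies on the leaf-first `CN=...,OU=...,O=...` ordering of the rendered DN; a comment stating that the literal must be written in that order would help anyone copying it.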
> 
> I think someone need to explain to me exactly what the DN is and how it
> is used.  Sorry.

-- 
Justin
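To make the "in full or in part" distinction in the proposed wording concrete, here is an added illustration (my own code, not anything from PostgreSQL or the patch under discussion). It re-implements the documented pg_ident.conf matching rules (a SYSTEM-USERNAME starting with `/` is a regular expression, anything else is an exact comparison) and runs the three map lines quoted from the patch test against two constructed certificate subjects that share the same CN. Assumptions: subjects are in RFC 2253 leaf-first order as in the quoted lines, `cn_of` does a simplified split that ignores escaped commas, and Python's `re` stands in for the POSIX regex engine the server uses. The corresponding pg_hba.conf settings would be `cert clientname=DN map=dn` (or `map=dnre`) versus the default `clientname=CN map=cn`.

```python
import re
import shlex

# Constructed pg_ident.conf text for this illustration.  The three map lines are
# the ones from the patch test quoted above, with the Perl string escaping removed.
PG_IDENT_CONF = """\
# MAPNAME   SYSTEM-USERNAME                                         PG-USERNAME
dn          "CN=ssltestuser-dn,OU=Testing,OU=Engineering,O=PGDG"   ssltestuser
dnre        "/^.*OU=Testing,.*$"                                    ssltestuser
cn          ssltestuser-dn                                          ssltestuser
"""

# Constructed certificate subjects in RFC 2253 order (leaf RDN first), the form
# the quoted map lines use.  Both carry the same CN, which is exactly the
# ambiguity that clientname=DN is meant to resolve.
SUBJECT_ENGINEERING = "CN=ssltestuser-dn,OU=Testing,OU=Engineering,O=PGDG"
SUBJECT_MARKETING = "CN=ssltestuser-dn,OU=Marketing,O=PGDG"


def parse_ident_conf(text):
    """Parse pg_ident.conf-style lines into {mapname: [(system_name, pg_name)]}."""
    maps = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # honours the double quotes around DNs/regexes
        if len(fields) != 3:
            raise ValueError(f"malformed pg_ident.conf line: {raw!r}")
        mapname, system_name, pg_name = fields
        maps.setdefault(mapname, []).append((system_name, pg_name))
    return maps


def cn_of(subject):
    """Common name of an RFC 2253 subject string.  Simplified for the example:
    assumes the CN is the first RDN and contains no escaped commas."""
    first = subject.split(",", 1)[0]
    attr, value = first.split("=", 1)
    if attr != "CN":
        raise ValueError("subject does not start with CN")
    return value


def client_identity(subject, clientname):
    """The string the server feeds to the username map: the CN alone
    (clientname=CN, the default and the pre-14 behaviour) or the whole DN
    (clientname=DN, new in PostgreSQL 14)."""
    if clientname == "CN":
        return cn_of(subject)
    if clientname == "DN":
        return subject
    raise ValueError("clientname must be CN or DN")


def map_allows(maps, mapname, system_name, requested_user):
    """Re-implementation of the documented pg_ident rules (not the server's code):
    a SYSTEM-USERNAME beginning with '/' is a regex matched against the whole
    system name, and a single capture group may be substituted for \\1 in
    PG-USERNAME; any other SYSTEM-USERNAME must compare equal.  PostgreSQL uses
    POSIX regexes; Python's re behaves the same for the patterns used here."""
    for system_pat, pg_name in maps.get(mapname, []):
        if system_pat.startswith("/"):
            match = re.search(system_pat[1:], system_name)
            if not match:
                continue
            if "\\1" in pg_name:
                if not match.groups():
                    raise ValueError("PG-USERNAME uses \\1 but the regex has no group")
                pg_name = pg_name.replace("\\1", match.group(1))
        elif system_pat != system_name:
            continue
        if pg_name == requested_user:
            return True
    return False


def decide(maps, mapname, clientname, subject, requested_user="ssltestuser"):
    """True if a client presenting `subject` may log in as requested_user under
    the given pg_hba.conf map= and clientname= settings."""
    identity = client_identity(subject, clientname)
    return map_allows(maps, mapname, identity, requested_user)


if __name__ == "__main__":
    maps = parse_ident_conf(PG_IDENT_CONF)
    for subject in (SUBJECT_ENGINEERING, SUBJECT_MARKETING):
        print(subject)
        print("  map=cn   clientname=CN :", decide(maps, "cn", "CN", subject))
        print("  map=dn   clientname=DN :", decide(maps, "dn", "DN", subject))
        print("  map=dnre clientname=DN :", decide(maps, "dnre", "DN", subject))
```

Running it shows the three cases the thread is circling around: with `clientname=CN` and the `cn` map both certificates are accepted as `ssltestuser`, because their CNs are identical; with `clientname=DN` and the `dn` map only the Engineering certificate matches, since the whole DN is compared; with `clientname=DN` and the `dnre` map the match is on a part of the DN (the `OU=Testing` component), so again only the Engineering certificate gets in. Note that the `dnre` pattern accepts `OU=Testing,` anywhere in the subject, which is why a production map should anchor the component it cares about rather than wrap it in `.*`.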


