Обсуждение: question about SSIS

Поиск
Список
Период
Сортировка

question about SSIS

От
Konstantin Izmailov
Дата:
I've asked a few people at pgcon2009 about the issue of connecting users differently: some in SSIS mode, some - with password. This is still an issue: if server is configured for SSIS, there is no way to connect with password. It appears that the solution of the issue is to introduce connection string parameter, e.g. "integrated_security=ssis", so client has control on how to login to server. Any thoughts?

Re: question about SSIS

От
Tom Lane
Дата:
Konstantin Izmailov <kizmailov@gmail.com> writes:
> I've asked a few people at pgcon2009 about the issue of connecting users
> differently: some in SSIS mode, some - with password. This is still an
> issue: if server is configured for SSIS, there is no way to connect with
> password.

Huh?  The server decides which auth method to use, not the client.

            regards, tom lane

Re: question about SSIS

От
Magnus Hagander
Дата:
Tom Lane wrote:
> Konstantin Izmailov <kizmailov@gmail.com> writes:
>> I've asked a few people at pgcon2009 about the issue of connecting users
>> differently: some in SSIS mode, some - with password. This is still an
>> issue: if server is configured for SSIS, there is no way to connect with
>> password.
>
> Huh?  The server decides which auth method to use, not the client.

I think this is exactly what Konstantin is complaining about.

In his scenario, different clients connecting from the same subnet (so
they can't use different pg_hba lines) need to use different
authentication methods. (IIRC, this is an environment coming from
Microsoft SQL Server which does support this)

I think what he's asking for is the ability for a line in the server to
allow multiple authentication methods, and then for the client to be
able to specify which one of these it uses.

Konstantin, can you confirm that this was your scenario? You explained
it to me last night, but that was several beers into the evening...

//Magnus

Re: question about SSIS

От
Tom Lane
Дата:
Magnus Hagander <magnus@hagander.net> writes:
> In his scenario, different clients connecting from the same subnet (so
> they can't use different pg_hba lines) need to use different
> authentication methods. (IIRC, this is an environment coming from
> Microsoft SQL Server which does support this)

Perhaps he could use the user name or database name to distinguish
them in pg_hba.conf?

> I think what he's asking for is the ability for a line in the server to
> allow multiple authentication methods, and then for the client to be
> able to specify which one of these it uses.

There's no way we could implement that without a protocol change,
and it doesn't seem worth it to me.  The idea that the client gets
to choose seems like a bad idea from a security standpoint anyhow...

            regards, tom lane

Re: question about SSIS

От
"Joshua D. Drake"
Дата:
On Fri, 2009-05-22 at 15:24 -0400, Tom Lane wrote:
> > I think what he's asking for is the ability for a line in the server to
> > allow multiple authentication methods, and then for the client to be
> > able to specify which one of these it uses.
>
> There's no way we could implement that without a protocol change,
> and it doesn't seem worth it to me.  The idea that the client gets
> to choose seems like a bad idea from a security standpoint anyhow...

Wouldn't this be solved just by having fall through authentication?

Sincerely,

Joshua D. Drake
--
PostgreSQL - XMPP: jdrake@jabber.postgresql.org
   Consulting, Development, Support, Training
   503-667-4564 - http://www.commandprompt.com/
   The PostgreSQL Company, serving since 1997

Re: question about SSIS

От
Konstantin Izmailov
Дата:
Yes, it is correct. Issue appers not significant at first glance.
However, if you take into account users who are trying to migrate
their apps from MSSQL or Oracle and not willing to rewrite their apps
(relying on the OLEDB driver), you discover that it is not that small
issue. The driver just cannot provide required modes due to DB
limitation.

On May 22, 2009, at 3:18 PM, Magnus Hagander <magnus@hagander.net>
wrote:

> Tom Lane wrote:
>> Konstantin Izmailov <kizmailov@gmail.com> writes:
>>> I've asked a few people at pgcon2009 about the issue of connecting
>>> users
>>> differently: some in SSIS mode, some - with password. This is
>>> still an
>>> issue: if server is configured for SSIS, there is no way to
>>> connect with
>>> password.
>>
>> Huh?  The server decides which auth method to use, not the client.
>
> I think this is exactly what Konstantin is complaining about.
>
> In his scenario, different clients connecting from the same subnet (so
> they can't use different pg_hba lines) need to use different
> authentication methods. (IIRC, this is an environment coming from
> Microsoft SQL Server which does support this)
>
> I think what he's asking for is the ability for a line in the server
> to
> allow multiple authentication methods, and then for the client to be
> able to specify which one of these it uses.
>
> Konstantin, can you confirm that this was your scenario? You explained
> it to me last night, but that was several beers into the evening...
>
> //Magnus
>
>

Re: question about SSIS

От
Tom Lane
Дата:
"Joshua D. Drake" <jd@commandprompt.com> writes:
> On Fri, 2009-05-22 at 15:24 -0400, Tom Lane wrote:
>> There's no way we could implement that without a protocol change,
>> and it doesn't seem worth it to me.  The idea that the client gets
>> to choose seems like a bad idea from a security standpoint anyhow...

> Wouldn't this be solved just by having fall through authentication?

It's still a protocol change --- right now, clients have no reason
to expect that failing on the first auth challenge will lead to
another challenge of a different type, or indeed lead to anything
at all except disconnection.  I think libpq, for example, just drops
the connection on its own authority if asked for a password it can't
provide.

            regards, tom lane