[Ovirt-devel] PostgreSQL supports GSSAPI auth..

Perry N. Myers pmyers at redhat.com
Tue Aug 5 17:22:53 UTC 2008

Daniel P. Berrange wrote:
> I notice that the WUI appliance creates a random password for the postgresql
> server in its setup.
> PostgreSQL has long had Kerberos support authenticating users against their
> kerberos password, instead of tracking it in the PG user database, but more
> compelling is that it also recently gained GSSAPI support for single-signon
> If your PG client (ie oVirt WUI/taskomatic) has a client principle, then
> it can login to PG without needing a password. ALl that is needed is to
> create a PG user with matching username to your client principle username
> http://developer.postgresql.org/pgdocs/postgres/auth-methods.html#GSSAPI-AUTH
> http://developer.postgresql.org/pgdocs/postgres/auth-methods.html#KERBEROS-AUTH
> oVirt of course already has a client principle since it uses that to talk
> to libvirt, so it strikes me that it ought to be possible to just use that
> for PG too, and do away with generating a random password for PG

Didn't know that...  We do use a service principal on the ovirt server to 
talk between the various local services (taskomatic, host browser, etc). 
I see no reason that we couldn't extend this to postgresql.

Someone want to work on that and submit a patch?  :)


More information about the ovirt-devel mailing list