[Ovirt-devel] PostgreSQL supports GSSAPI auth..

Perry N. Myers pmyers at redhat.com
Tue Aug 5 17:22:53 UTC 2008


Daniel P. Berrange wrote:
> I notice that the WUI appliance creates a random password for the postgresql
> server in its setup.
> 
> PostgreSQL has long had Kerberos support authenticating users against their
> Kerberos password, instead of tracking it in the PG user database, but more
> compelling is that it also recently gained GSSAPI support for single-signon.
> 
> If your PG client (i.e. oVirt WUI/taskomatic) has a client principal, then
> it can login to PG without needing a password. All that is needed is to
> create a PG user with matching username to your client principal username
> 
> http://developer.postgresql.org/pgdocs/postgres/auth-methods.html#GSSAPI-AUTH
> http://developer.postgresql.org/pgdocs/postgres/auth-methods.html#KERBEROS-AUTH
> 
> oVirt of course already has a client principal since it uses that to talk
> to libvirt, so it strikes me that it ought to be possible to just use that
> for PG too, and do away with generating a random password for PG

Didn't know that...  We do use a service principal on the ovirt server to 
talk between the various local services (taskomatic, host browser, etc). 
I see no reason that we couldn't extend this to postgresql.

Someone want to work on that and submit a patch?  :)

Perry
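
Added example, not part of the original thread or of oVirt's code: when a `gss` rule is added to `pg_hba.conf` for the service account, PostgreSQL still uses the first matching record, so an earlier password rule can shadow it. The sketch below reports which rule a connection would actually hit; the database and role name `ovirt`, the networks and the realm `EXAMPLE.COM` are constructed assumptions, and only `host`/`hostssl` records with CIDR or `all` addresses are handled.

```python
import ipaddress

# Constructed sample pg_hba.conf files; database/role "ovirt", the networks and
# the realm EXAMPLE.COM are assumptions made for this example.
SHADOWED = """\
# TYPE  DATABASE  USER   ADDRESS        METHOD
host    all       all    10.0.0.0/8     md5
host    ovirt     ovirt  10.1.2.0/24    gss include_realm=0 krb_realm=EXAMPLE.COM
"""
GSS_FIRST = """\
host    ovirt     ovirt  10.1.2.0/24    gss include_realm=0 krb_realm=EXAMPLE.COM
host    all       all    10.0.0.0/8     md5
"""

def parse_hba(text):
    """Parse host/hostssl rules (CIDR or 'all' addresses, no quoting) in file order."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0] not in ("host", "hostssl"):
            continue  # comments, blanks, 'local' and other record types
        rules.append({"line": lineno, "db": fields[1].split(","),
                      "user": fields[2].split(","), "addr": fields[3],
                      "method": fields[4], "options": fields[5:]})
    return rules

def addr_matches(addr, client_ip):
    """True if client_ip falls inside the rule's address column."""
    if addr == "all":
        return True
    try:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(addr, strict=False)
    except ValueError:
        return False  # hostnames, samehost/samenet: not evaluated here

def effective_rule(text, db, user, client_ip):
    """Return (method, line) of the first matching rule, as the server would pick it."""
    for r in parse_hba(text):
        if ({"all", db} & set(r["db"]) and {"all", user} & set(r["user"])
                and addr_matches(r["addr"], client_ip)):
            return r["method"], r["line"]
    return None, None  # no rule matches: the server rejects the connection

if __name__ == "__main__":
    for name, conf in (("SHADOWED", SHADOWED), ("GSS_FIRST", GSS_FIRST)):
        print(name, effective_rule(conf, "ovirt", "ovirt", "10.1.2.15"))
```

With the shadowed ordering the service account is still asked for a password even though a `gss` record exists, so the random password could not be dropped until the records are reordered.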



