PostgreSQL Chinese Operation Guide

21.6. GSSAPI Authentication

GSSAPI is an industry-standard protocol for secure authentication defined in RFC 2743. PostgreSQL supports GSSAPI for authentication, communications encryption, or both. GSSAPI provides automatic authentication (single sign-on) for systems that support it. The authentication itself is secure. If GSSAPI encryption or SSL encryption is used, the data sent along the database connection will be encrypted; otherwise, it will not.

GSSAPI support has to be enabled when PostgreSQL is built; see Chapter 17 for more information.

When GSSAPI uses Kerberos, it uses a standard service principal (authentication identity) name in the format servicename/hostname@realm. The principal name used by a particular installation is not encoded in the PostgreSQL server in any way; rather it is specified in the keytab file that the server reads to determine its identity. If multiple principals are listed in the keytab file, the server will accept any one of them. The server's realm name is the preferred realm specified in the Kerberos configuration file(s) accessible to the server.

When connecting, the client must know the principal name of the server it intends to connect to. The servicename part of the principal is ordinarily postgres, but another value can be selected via libpq’s krbsrvname connection parameter. The hostname part is the fully qualified host name that libpq is told to connect to. The realm name is the preferred realm specified in the Kerberos configuration file(s) accessible to the client.

The client will also have a principal name for its own identity (and it must have a valid ticket for this principal). To use GSSAPI for authentication, the client principal must be associated with a PostgreSQL database user name. The pg_ident.conf configuration file can be used to map principals to user names; for example, pgusername@realm could be mapped to just pgusername. Alternatively, you can use the full username@realm principal as the role name in PostgreSQL without any mapping.

PostgreSQL also supports mapping client principals to user names by just stripping the realm from the principal. This method is supported for backwards compatibility and is strongly discouraged as it is then impossible to distinguish different users with the same user name but coming from different realms. To enable this, set include_realm to 0. For simple single-realm installations, doing that combined with setting the krb_realm parameter (which checks that the principal’s realm matches exactly what is in the krb_realm parameter) is still secure; but this is a less capable approach compared to specifying an explicit mapping in pg_ident.conf.

The location of the server’s keytab file is specified by the krb_server_keyfile configuration parameter. For security reasons, it is recommended to use a separate keytab just for the PostgreSQL server rather than allowing the server to read the system keytab file. Make sure that your server keytab file is readable (and preferably only readable, not writable) by the PostgreSQL server account. (See also Section 19.1.)

The keytab file is generated using the Kerberos software; see the Kerberos documentation for details. The following example shows doing this using the kadmin tool of MIT Kerberos:

kadmin% addprinc -randkey postgres/server.my.domain.org
kadmin% ktadd -k krb5.keytab postgres/server.my.domain.org

The following authentication options are supported for the GSSAPI authentication method:

  • include_realm

    • If set to 0, the realm name from the authenticated user principal is stripped off before being passed through the user name mapping (Section 21.2). This is discouraged and is primarily available for backwards compatibility, as it is not secure in multi-realm environments unless krb_realm is also used. It is recommended to leave include_realm set to the default (1) and to provide an explicit mapping in pg_ident.conf to convert principal names to PostgreSQL user names.

  • map

    • Allows mapping from client principals to database user names. See Section 21.2 for details. For a GSSAPI/Kerberos principal, such as username@EXAMPLE.COM (or, less commonly, username/hostbased@EXAMPLE.COM), the user name used for mapping is username@EXAMPLE.COM (or username/hostbased@EXAMPLE.COM, respectively), unless include_realm has been set to 0, in which case username (or username/hostbased) is what is seen as the system user name when mapping.

  • krb_realm

    • Sets the realm to match user principal names against. If this parameter is set, only users of that realm will be accepted. If it is not set, users of any realm can connect, subject to whatever user name mapping is done.

In addition to these settings, which can be different for different pg_hba.conf entries, there is the server-wide krb_caseins_users configuration parameter. If that is set to true, client principals are matched to user map entries case-insensitively. krb_realm, if set, is also matched case-insensitively.
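The mapping options above (include_realm, map, krb_realm) and the server-wide krb_caseins_users parameter, modelled in Python as an added example that is not PostgreSQL's own code: it applies a constructed pg_ident.conf to sample principals and shows why stripping the realm without krb_realm makes same-named users from different realms indistinguishable, while an explicit map keeps them apart. The map name, realms and principals are assumptions.

```python
import re

# Constructed pg_ident.conf (not from the page): MAPNAME  SYSTEM-USERNAME  PG-USERNAME.
# A SYSTEM-USERNAME beginning with "/" is a regex; \1 in PG-USERNAME is its first capture.
PG_IDENT = r"""
krbmap  /^([a-z0-9]+)@EXAMPLE\.COM$   \1
krbmap  alice@PARTNER.NET             partner_alice
"""

def parse_ident(text):
    """(mapname, system_username, pg_username) triples; blanks and comments skipped."""
    rows = (line.split() for line in text.splitlines())
    return [tuple(p) for p in rows if len(p) == 3 and not p[0].startswith("#")]

def map_principal(principal, include_realm=1, usermap=None, krb_realm=None,
                  krb_caseins_users=False, ident=PG_IDENT):
    """Role the client principal may log in as under these pg_hba.conf options, or None."""
    user, at, realm = principal.rpartition("@")
    if not at:
        user, realm = principal, ""
    same = (lambda a, b: a.lower() == b.lower()) if krb_caseins_users else (lambda a, b: a == b)
    # krb_realm: the principal's realm must match it exactly (case-folded only if krb_caseins_users)
    if krb_realm is not None and not same(realm, krb_realm):
        return None
    # include_realm=0 drops the realm before mapping, so realms can no longer be told apart
    sysname = user if include_realm == 0 else principal
    if usermap is None:
        return sysname               # no map: the system name must equal the role name
    flags = re.IGNORECASE if krb_caseins_users else 0
    for mapname, pattern, pguser in parse_ident(ident):
        if mapname != usermap:
            continue
        if pattern.startswith("/"):  # regex entry, with \1 substitution
            m = re.search(pattern[1:], sysname, flags)
            if m:
                return pguser.replace(r"\1", m.group(1)) if m.groups() else pguser
        elif same(sysname, pattern):
            return pguser
    return None

def demo():
    """The discouraged include_realm=0 beside krb_realm and the recommended explicit map."""
    return {
        "weak_home":  map_principal("alice@EXAMPLE.COM", include_realm=0),       # 'alice'
        "weak_other": map_principal("alice@OTHER.NET", include_realm=0),         # 'alice' as well
        "single_other": map_principal("alice@OTHER.NET", include_realm=0, krb_realm="EXAMPLE.COM"),  # None
        "strict_home": map_principal("alice@EXAMPLE.COM", usermap="krbmap"),     # 'alice'
        "strict_partner": map_principal("alice@PARTNER.NET", usermap="krbmap"),  # 'partner_alice'
        "strict_other": map_principal("alice@OTHER.NET", usermap="krbmap"),      # None
    }
```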