Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Is there any restriction on JS implementation? #243

Open
mxmauro opened this issue Nov 12, 2023 · 7 comments
Open

Is there any restriction on JS implementation? #243

mxmauro opened this issue Nov 12, 2023 · 7 comments
Labels
general General question or request for help

Comments

@mxmauro
Copy link

mxmauro commented Nov 12, 2023

For example, I would like to create a new authentication mechanism with a third-party provider and have to do HTTPS requests.

Does plv8 or rust implementation support it?
@mxmauro mxmauro added the general General question or request for help label Nov 12, 2023
@jim-mlodgenski
Copy link
Contributor

PostgreSQL's trusted languages can't make network calls so plv8 and trusted plrust can't be used to make the HTTPS requests. It you are running PostgreSQL where you have full superuser rights and can use an untrusted language, plpython could work.

@jkatz
Copy link
Contributor

jkatz commented Nov 12, 2023

+1 to what @jim-mlodgenski said. However, depending on your environment with a trusted language, you may be able to make a network call with alternative means. For example, you can invoke an AWS Lambda function from an Aurora/RDS function written in a trusted language, where the Lambda function makes the remote network call. It is an extra hop, but it does allow for making HTTPS requests.

@mxmauro
Copy link
Author

mxmauro commented Nov 12, 2023

Thanks @jim-mlodgenski and @jkatz for the feedback. I'll look for alternatives. Not sure if invoking a Lambda will fit because I should call it from the clientauth hook.

@jkatz
Copy link
Contributor

jkatz commented Nov 14, 2023

@mxmauro Keep in mind that the ClientAuthentication hook fires after PostgreSQL has authenticated against one of its existing methods (see: https://git.postgresql.org/gitweb/?p=postgresql.git;a=blob;f=src/backend/libpq/auth.c#l232). You can't change the authentication status at that time. There have been proposals upstream to allow for more flexibility in defining how a client authenticates to PostgreSQL, but currently this is not supported.

@mxmauro
Copy link
Author

mxmauro commented Nov 14, 2023

I thought you can write an extension to define a new authentication method. I'll go backwards a few steps :) Thanks for the feedback.

@JohnHVancouver
Copy link
Contributor

I would like to create a new authentication mechanism with a third-party provider and have to do HTTPS

If I understand your ask correctly, this is supported by Postgres generally.
https://www.postgresql.org/docs/current/auth-pam.html

You would need to configure your own PAM auth module, but you can pass the username/password combination to your own custom module to do the authentication.

@mxmauro
Copy link
Author

mxmauro commented Nov 15, 2023

Yes but my original intention was to see how far AWS RDS for Postgresql can be extended. At it only supports a few extensions and, for auth, just regular user/pass, IAM roles or Kerberos through AD. Then I found pg_tle for "custom" stuff.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
general General question or request for help
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@jkatz @jim-mlodgenski @mxmauro @JohnHVancouver