On Tue, Sep 1, 2020 at 01:59:25PM +0900, Kyotaro Horiguchi wrote: > At Mon, 31 Aug 2020 11:34:29 -0400, Bruce Momjian <br...@momjian.us> wrote in > > On Mon, Aug 31, 2020 at 05:56:58PM +0900, Kyotaro Horiguchi wrote: > > > Ok, this is that. If we spcify clientcert=no-verify other than for > > > "cert" authentication, server complains as the following at startup. > > > > Why does clientcert=no-verify have any value, even for a > > cert-authentication line? > > > > > > LOG: no-verify or 0 is the default setting that is discouraged to use > > > > explicitly for clientcert option > > > > HINT: Consider removing the option instead. This option value is going > > > > to be deprecated in later version. > > > > CONTEXT: line 90 of configuration file > > > > "/home/horiguti/data/data_noverify/pg_hba.conf" > > > > I think it should just be removed in PG 14. This is a configuration > > setting, not an SQL-level item that needs a deprecation period. > > Ok, it is changed to just error out. I tempted to show a suggestion to > removing the option in that case like the following, but *didn't* in > this version of the patch.
OK, I have developed the attached patch based on yours. I reordered the tests, simplified the documentation, and removed the hint since they will already get a good error message, and we will document this change in the release notes. It is also good you removed the 0/1 values for this, since that was also confusing. We will put that removal in the release notes too. -- Bruce Momjian <br...@momjian.us> https://momjian.us EnterpriseDB https://enterprisedb.com The usefulness of a cup is in its emptiness, Bruce Lee
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml new file mode 100644 index 5cd88b4..a0d584f *** a/doc/src/sgml/client-auth.sgml --- b/doc/src/sgml/client-auth.sgml *************** host ... radius radiusservers="server1,s *** 2042,2054 **** </para> <para> ! In a <filename>pg_hba.conf</filename> record specifying certificate ! authentication, the authentication option <literal>clientcert</literal> is ! assumed to be <literal>verify-ca</literal> or <literal>verify-full</literal>, ! and it cannot be turned off since a client certificate is necessary for this ! method. What the <literal>cert</literal> method adds to the basic ! <literal>clientcert</literal> certificate validity test is a check that the ! <literal>cn</literal> attribute matches the database user name. </para> </sect1> --- 2042,2051 ---- </para> <para> ! It is redundant to use the <literal>clientcert</literal> option with ! <literal>cert</literal> authentication because <literal>cert</literal> ! authentication is effectively <literal>trust</literal> authentication ! with <literal>clientcert=verify-full</literal>. </para> </sect1> diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml new file mode 100644 index 6cda39f..322ac8e *** a/doc/src/sgml/runtime.sgml --- b/doc/src/sgml/runtime.sgml *************** pg_dumpall -p 5432 | psql -d postgres -p *** 2282,2290 **** The <literal>clientcert</literal> authentication option is available for all authentication methods, but only in <filename>pg_hba.conf</filename> lines specified as <literal>hostssl</literal>. When <literal>clientcert</literal> is ! not specified or is set to <literal>no-verify</literal>, the server will still ! verify any presented client certificates against its CA file, if one is ! configured — but it will not insist that a client certificate be presented. </para> <para> --- 2282,2289 ---- The <literal>clientcert</literal> authentication option is available for all authentication methods, but only in <filename>pg_hba.conf</filename> lines specified as <literal>hostssl</literal>. When <literal>clientcert</literal> is ! not specified, the server verifies the client certificate against its CA ! file only if a client certificate is presented and the CA is configured. </para> <para> diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c new file mode 100644 index 9d63830..3a87673 *** a/src/backend/libpq/hba.c --- b/src/backend/libpq/hba.c *************** parse_hba_auth_opt(char *name, char *val *** 1708,1736 **** *err_msg = "clientcert can only be configured for \"hostssl\" rows"; return false; } ! if (strcmp(val, "1") == 0 ! || strcmp(val, "verify-ca") == 0) ! { ! hbaline->clientcert = clientCertCA; ! } ! else if (strcmp(val, "verify-full") == 0) { hbaline->clientcert = clientCertFull; } ! else if (strcmp(val, "0") == 0 ! || strcmp(val, "no-verify") == 0) { if (hbaline->auth_method == uaCert) { ereport(elevel, (errcode(ERRCODE_CONFIG_FILE_ERROR), ! errmsg("clientcert can not be set to \"no-verify\" when using \"cert\" authentication"), errcontext("line %d of configuration file \"%s\"", line_num, HbaFileName))); ! *err_msg = "clientcert can not be set to \"no-verify\" when using \"cert\" authentication"; return false; } ! hbaline->clientcert = clientCertOff; } else { --- 1708,1732 ---- *err_msg = "clientcert can only be configured for \"hostssl\" rows"; return false; } ! ! if (strcmp(val, "verify-full") == 0) { hbaline->clientcert = clientCertFull; } ! else if (strcmp(val, "verify-ca") == 0) { if (hbaline->auth_method == uaCert) { ereport(elevel, (errcode(ERRCODE_CONFIG_FILE_ERROR), ! errmsg("clientcert only accepts \"verify-full\" when using \"cert\" authentication"), errcontext("line %d of configuration file \"%s\"", line_num, HbaFileName))); ! *err_msg = "clientcert can only be set to \"verify-full\" when using \"cert\" authentication"; return false; } ! ! hbaline->clientcert = clientCertCA; } else {