I notice that the WUI appliance creates a random password for the postgresql server in its setup.

PostgreSQL has long had Kerberos support, authenticating users against their Kerberos password instead of tracking it in the PG user database, but more compelling is that it also recently gained GSSAPI support for single sign-on.

If your PG client (i.e. oVirt WUI/taskomatic) has a client principal, then it can log in to PG without needing a password. All that is needed is to create a PG user with a username matching your client principal's username.

http://developer.postgresql.org/pgdocs/postgres/auth-methods.html#GSSAPI-AUTH
http://developer.postgresql.org/pgdocs/postgres/auth-methods.html#KERBEROS-AUTH

oVirt of course already has a client principal since it uses that to talk to libvirt, so it strikes me that it ought to be possible to just use that for PG too, and do away with generating a random password for PG.

Daniel
-- 
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
Daniel P. Berrange wrote:
> I notice that the WUI appliance creates a random password for the postgresql
> server in its setup.
>
> PostgreSQL has long had Kerberos support, authenticating users against their
> Kerberos password instead of tracking it in the PG user database, but more
> compelling is that it also recently gained GSSAPI support for single sign-on.
>
> If your PG client (i.e. oVirt WUI/taskomatic) has a client principal, then
> it can log in to PG without needing a password. All that is needed is to
> create a PG user with a username matching your client principal's username.
>
> http://developer.postgresql.org/pgdocs/postgres/auth-methods.html#GSSAPI-AUTH
> http://developer.postgresql.org/pgdocs/postgres/auth-methods.html#KERBEROS-AUTH
>
> oVirt of course already has a client principal since it uses that to talk
> to libvirt, so it strikes me that it ought to be possible to just use that
> for PG too, and do away with generating a random password for PG.

Didn't know that... We do use a service principal on the ovirt server to talk between the various local services (taskomatic, host browser, etc). I see no reason that we couldn't extend this to postgresql. Someone want to work on that and submit a patch? :)

Perry
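Daniel's point that the PG user need only match the client principal's username, and Perry's suggestion to reuse the existing service principal for PostgreSQL, both hinge on how the server turns an authenticated principal into a role name, and the realm is the part that trips people up: with the modern `include_realm` default the principal is compared with the realm attached, so `ovirt@EXAMPLE.COM` does not match a role called `ovirt` unless the realm is stripped or a `pg_ident.conf` map is used. The Python model below is an added example written for this page, not oVirt or PostgreSQL code. It follows the behaviour PostgreSQL documents for the `gss` method options `include_realm`, `krb_realm` and `map` and for regex entries in `pg_ident.conf` (both later additions than this thread), so a proposed configuration can be reasoned about without a running server. The realm `EXAMPLE.COM`, the principal and role names, and the `ovirtmap` map are constructed assumptions.

```python
"""Model of how PostgreSQL maps a GSSAPI principal to a database role.

Added example for this thread, not oVirt or PostgreSQL code. It mirrors the
documented behaviour of the pg_hba.conf 'gss' method options include_realm,
krb_realm and map, and of pg_ident.conf regex maps, so a proposed config can
be checked without a running server. Realm, principals, roles and the map
below are constructed for illustration (assumed, not from the thread).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class GssRule:
    """Options from one pg_hba.conf line that uses the gss method."""
    include_realm: bool = True       # modern PostgreSQL default: keep the realm
    krb_realm: Optional[str] = None  # if set, only accept this realm
    map: Optional[str] = None        # pg_ident.conf map name, if any


# Constructed pg_ident.conf: host-based ovirt/<fqdn>@REALM principals become
# role "ovirt"; plain user@REALM principals become a role of the same name.
PG_IDENT = r"""
# MAPNAME   SYSTEM-USERNAME                  PG-USERNAME
ovirtmap    /^ovirt/[^@]+@EXAMPLE\.COM$      ovirt
ovirtmap    /^([^@/]+)@EXAMPLE\.COM$         \1
"""

IdentMaps = Dict[str, List[Tuple[str, str]]]


def parse_ident(text: str) -> IdentMaps:
    """Parse pg_ident.conf lines into {mapname: [(system_name, pg_name)]}."""
    maps: IdentMaps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed pg_ident line: {raw!r}")
        mapname, sysname, pgname = fields
        maps.setdefault(mapname, []).append((sysname, pgname))
    return maps


def ident_allows(maps: IdentMaps, mapname: str, sysname: str, role: str) -> bool:
    """True if some line of `mapname` maps `sysname` onto `role`.

    A SYSTEM-USERNAME starting with '/' is a regex searched against the
    system name; '\\1' in PG-USERNAME is replaced by its first capture.
    Anything else is an exact, case-sensitive comparison.
    """
    for pattern, pgname in maps.get(mapname, []):
        if pattern.startswith("/"):
            m = re.search(pattern[1:], sysname)
            if m is None:
                continue
            target = pgname
            if "\\1" in pgname:
                if not m.groups():
                    raise ValueError("map line uses \\1 but regex has no capture")
                target = pgname.replace("\\1", m.group(1))
            if target == role:
                return True
        elif pattern == sysname and pgname == role:
            return True
    return False


def gss_authorizes(rule: GssRule, maps: IdentMaps, principal: str, role: str) -> bool:
    """Decide whether an authenticated `principal` may connect as `role`.

    Order follows the server: krb_realm check first, then optional realm
    stripping, then either a literal comparison with the role name or the
    ident map. (pg_krb_caseins_users is not modelled; comparisons are
    case-sensitive.)
    """
    user, at, realm = principal.partition("@")
    if rule.krb_realm is not None and (not at or realm != rule.krb_realm):
        return False
    sysname = principal if rule.include_realm else user
    if rule.map is None:
        return sysname == role
    return ident_allows(maps, rule.map, sysname, role)


if __name__ == "__main__":
    maps = parse_ident(PG_IDENT)
    # Daniel's scheme: role named after the principal, realm stripped
    print(gss_authorizes(GssRule(include_realm=False), {}, "ovirt@EXAMPLE.COM", "ovirt"))
    # Same principal under the modern default fails without a map
    print(gss_authorizes(GssRule(), {}, "ovirt@EXAMPLE.COM", "ovirt"))
    # Realm stripping alone admits the same username from any realm
    print(gss_authorizes(GssRule(include_realm=False), {}, "ovirt@EVIL.COM", "ovirt"))
    # A map admits host and user principals and still pins the realm
    print(gss_authorizes(GssRule(map="ovirtmap"), maps, "ovirt/wui.example.com@EXAMPLE.COM", "ovirt"))
    print(gss_authorizes(GssRule(map="ovirtmap"), maps, "ovirt@EVIL.COM", "ovirt"))
```

The third call is the check worth keeping in mind when dropping the random password: stripping the realm makes the role name the only thing that has to match, so any KDC the server trusts could present an `ovirt` principal. Setting `krb_realm`, or using a map whose regexes anchor on the expected realm, closes that. Against a real server, `psql` with a ticket from `kinit` for the service principal is the confirming test.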