aws / pg_tle

Framework for building trusted language extensions for PostgreSQL
Apache License 2.0

Is there any restriction on JS implementation? #243

Open mxmauro opened 1 year ago

mxmauro commented 1 year ago

For example, I would like to create a new authentication mechanism with a third-party provider and have to do HTTPS requests.

Does plv8 or rust implementation support it?

jim-mlodgenski commented 1 year ago

PostgreSQL's trusted languages can't make network calls, so plv8 and trusted plrust can't be used to make the HTTPS requests. If you are running PostgreSQL where you have full superuser rights and can use an untrusted language, plpython could work.

jkatz commented 1 year ago

+1 to what @jim-mlodgenski said. However, depending on your environment with a trusted language, you may be able to make a network call with alternative means. For example, you can invoke an AWS Lambda function from an Aurora/RDS function written in a trusted language, where the Lambda function makes the remote network call. It is an extra hop, but it does allow for making HTTPS requests.

mxmauro commented 1 year ago

Thanks @jim-mlodgenski and @jkatz for the feedback. I'll look for alternatives. Not sure if invoking a Lambda will fit because I should call it from the clientauth hook.

jkatz commented 1 year ago

@mxmauro Keep in mind that the ClientAuthentication hook fires after PostgreSQL has authenticated against one of its existing methods (see: https://git.postgresql.org/gitweb/?p=postgresql.git;a=blob;f=src/backend/libpq/auth.c#l232). You can't change the authentication status at that time. There have been proposals upstream to allow for more flexibility in defining how a client authenticates to PostgreSQL, but currently this is not supported.
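The constraint described in the comment above, as an added example that is not part of the thread or of the pg_tle project's code: a clientauth hook is handed the outcome of PostgreSQL's own authentication and can only veto a login, never grant one. The schema, table, function and role names are hypothetical; the sketch assumes a pg_tle release that provides the clientauth feature, with the hook signature taken from the pg_tle documentation (a `pgtle.clientauth_port_subset` record and an integer status) and `pgtle.enable_clientauth` switched on.

```sql
-- Added example; schema, table, function and role names are hypothetical.
-- Assumes pg_tle is in shared_preload_libraries with
-- pgtle.enable_clientauth = on, and that this runs in the database
-- the clientauth workers connect to.
CREATE SCHEMA IF NOT EXISTS login_policy;

-- Roles listed here may log in only to the databases listed for them.
-- Roles with no rows are unrestricted, so an empty table locks nobody out.
CREATE TABLE IF NOT EXISTS login_policy.allowed_db (
    user_name     text NOT NULL,
    database_name text NOT NULL,
    PRIMARY KEY (user_name, database_name)
);

INSERT INTO login_policy.allowed_db VALUES ('app_readonly', 'reporting')
ON CONFLICT DO NOTHING;

CREATE OR REPLACE FUNCTION login_policy.check_login(
    port   pgtle.clientauth_port_subset,
    status integer)
RETURNS void
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = pg_catalog
AS $$
BEGIN
    -- status is the result of PostgreSQL's own authentication:
    -- 0 = succeeded, -1 = failed. A failed login cannot be turned into a
    -- success here, so there is nothing to decide in that case.
    IF status <> 0 THEN
        RETURN;
    END IF;

    -- The only decision available: veto a login that already succeeded.
    IF EXISTS (SELECT 1 FROM login_policy.allowed_db a
               WHERE a.user_name = port.user_name)
       AND NOT EXISTS (SELECT 1 FROM login_policy.allowed_db a
                       WHERE a.user_name = port.user_name
                         AND a.database_name = port.database_name)
    THEN
        RAISE EXCEPTION 'role % may not connect to database %',
            port.user_name, port.database_name;
    END IF;
END;
$$;

SELECT pgtle.register_feature('login_policy.check_login', 'clientauth');
```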

mxmauro commented 1 year ago

I thought you can write an extension to define a new authentication method. I'll go backwards a few steps :) Thanks for the feedback.

JohnHVancouver commented 1 year ago

> I would like to create a new authentication mechanism with a third-party provider and have to do HTTPS

If I understand your ask correctly, this is supported by Postgres generally. https://www.postgresql.org/docs/current/auth-pam.html

You would need to configure your own PAM auth module, but you can pass the username/password combination to your own custom module to do the authentication.

mxmauro commented 1 year ago

Yes, but my original intention was to see how far AWS RDS for PostgreSQL can be extended. As it only supports a few extensions and, for auth, just regular user/pass, IAM roles or Kerberos through AD. Then I found pg_tle for "custom" stuff.