Add support for client certificate access

Bug #1969916 reported by Nick Moffitt
This bug affects 1 person
Affects: PostgreSQL Charm | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

PostgreSQL supports client certificates as an access control method, available in pg_auth as a `clientcert=1` option. This will refuse connections that do not present a client certificate signed by a recognised CA, which is configured via a CA cert file pointed to in the `ssl_ca_file` option.

There are three use cases:

1. The user has an existing CA which they use to sign client certs, and needs to upload the cert file to a location that will be automatically configured in postgres.conf.
2. The user wants the charm to generate its own CA internally, and sign/revoke client certs via juju actions.
3. The user wants the charm to generate its own CA internally, and generate signed client certs retrievable with their keys via juju actions, as well as revoking said certs via a juju action.

For most installations, it will make sense for there to be a CA specific to the postgres application. Since postgres trusts any cert signed by that CA, it is likely to be common for this set of certs to be contained by the administrators of the model. That said, there are still use cases where an external group is in charge of access control to the service, and will need to be able to provide a specific CA cert to authenticate against.
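Added example (not the charm's code, nor the reporter's): a POSIX shell sketch of what use case 2 amounts to on the unit, with a CA private to this PostgreSQL deployment, a client cert issued per database role, and the server-side `ssl_ca_file` / `clientcert` settings that make the server refuse connections lacking a cert chained to that CA. It assumes `openssl` is on PATH; every path under `$WORKDIR` is a placeholder, and `scram-sha-256` plus `clientcert=verify-full` in the `pg_hba.conf` line are an assumed choice (that is the PostgreSQL 12+ spelling; older releases use `clientcert=1`, as in the description above).

```shell
#!/bin/sh
# Added example, not the charm's code. Builds a deployment-local CA, issues a
# client certificate for one role, and emits the two config fragments that
# turn on certificate-gated access. openssl on PATH is assumed.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # placeholder location, not the charm's path

# Create the CA that only this postgres application trusts. The CA key never
# leaves the unit; keep it 0600 so only the postgres service account reads it.
make_ca() {
  dir="$1"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=pg-charm-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
  chmod 600 "$dir/ca.key"
  echo 01 > "$dir/serial"           # serial counter for issued certs
}

# Issue a client certificate whose CN is the database role. With
# clientcert=verify-full the server also checks CN against the login role,
# so a valid cert for "app" cannot be used to log in as "postgres".
issue_client_cert() {
  dir="$1"; role="$2"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$role" \
    -keyout "$dir/$role.key" -out "$dir/$role.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/$role.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAserial "$dir/serial" \
    -days 365 -out "$dir/$role.crt" >/dev/null 2>&1
  chmod 600 "$dir/$role.key"
  rm -f "$dir/$role.csr"
}

# postgresql.conf fragment: TLS on, and only certs chained to our CA accepted.
# server.crt/server.key are assumed to exist already (the charm's TLS setup).
write_pg_conf() {
  dir="$1"
  cat > "$dir/pg_tls.conf" <<EOF
ssl = on
ssl_cert_file = '$dir/server.crt'
ssl_key_file = '$dir/server.key'
ssl_ca_file = '$dir/ca.crt'
EOF
}

# pg_hba.conf line: hostssl only, password auth AND a CA-signed client cert
# whose CN matches the role. A connection without such a cert is refused
# before the password is ever checked.
write_hba_line() {
  db="$1"; role="$2"; cidr="$3"
  printf 'hostssl %s %s %s scram-sha-256 clientcert=verify-full\n' \
    "$db" "$role" "$cidr"
}

main() {
  write_pg_conf "$WORKDIR"
  write_hba_line mydb app 10.0.0.0/8
  if command -v openssl >/dev/null 2>&1; then
    make_ca "$WORKDIR"
    issue_client_cert "$WORKDIR" app
    echo "client cert for role app: $WORKDIR/app.crt (key: $WORKDIR/app.key)"
  fi
}

main
```

The CN-to-role binding is the piece worth keeping in mind when a charm hands out certs via an action: revoking a cert later (use case 3) means publishing a CRL through `ssl_crl_file`, since the CA cert alone gives the server no way to know a previously signed cert has been withdrawn.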
