Documentation
Constants
const (
	TOK_ID_KRB_AP_REQ = "0100"
	TOK_ID_KRB_AP_REP = "0200"
	TOK_ID_KRB_ERROR  = "0300"
)
GSSAPI KRB5 MechToken IDs.
Variables
This section is empty.
Functions
func AuthBackend
func AuthBackend(shard conn.DBInstance, berule *config.BackendRule, msg pgproto3.BackendMessage) error
AuthBackend authenticates a user with the backend based on the provided message type.
Parameters:
- shard (conn.DBInstance): The database instance to authenticate against.
- berule (*config.BackendRule): The backend rule containing authentication rules.
- msg (pgproto3.BackendMessage): The authentication message.
Returns: - error: An error if authentication fails or an unexpected message type is received.
- If the authentication method is `pgproto3.AuthenticationMD5Password`, the error message will be "auth rule not set for {shardName}-{berule.DB}-{berule.Usr}" if the rule is not found.
- If the authentication method is `pgproto3.AuthenticationCleartextPassword`, the error message will be "auth rule not set for {shardName}-{berule.DB}-{berule.Usr}" if the rule is not found.
- If the authentication method is `pgproto3.AuthenticationSASL`, the error message will depend on the specific error that occurs during the authentication process.
- For any other authentication method, the error message will be "authBackend type {type} not supported".
func AuthFrontend
func AuthFrontend(cl client.Client, rule *config.FrontendRule) error
AuthFrontend handles authentication for the frontend based on the specified authentication method.
Parameters:
- cl (client.Client): the client interface. It should implement the `Usr`, `PasswordCT`, and `PasswordMD5` methods.
- rule (*config.FrontendRule): the frontend rule configuration. It should contain the `AuthRule` field, which in turn should contain the `Method` field.
Returns: - error: An error if authentication fails. The type of error returned depends on the authentication method used.
- If the authentication method is `config.AuthNotOK`, the error message will be "user {username} {database} blocked".
- If the authentication method is `config.AuthClearText`, the error message will be "user {username} {database} auth failed".
- If the authentication method is `config.AuthMD5`, the error message will be "[frontend_auth] route {username} {database}: md5 password mismatch".
- If the authentication method is `config.AuthSCRAM`, the error message will be "error: {error_message}".
Types
type BaseAuthModule
type BaseAuthModule struct {
// contains filtered or unexported fields
}
type ContextKey
type ContextKey string
const CtxCredential ContextKey = "spqr/gokrb5/CtxCredential"
type KRB5Token
type KRB5Token struct {
	OID      asn1.ObjectIdentifier
	APReq    messages.APReq
	APRep    messages.APRep
	KRBError messages.KRBError
	// contains filtered or unexported fields
}
KRB5Token context token implementation for GSSAPI.
func (*KRB5Token) Context
Context returns the KRB5 token's context, which will contain any verified user identity information.
func (*KRB5Token) IsKRBError
IsKRBError tests if the MechToken contains a KRB_ERROR.
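The token IDs listed under Constants are the hex form of the two-byte TOK_ID that follows the mechanism OID in a Kerberos V5 GSS-API token (RFC 4121). The following is an added example, not code from this package: it parses that framing with the standard library only and rejects malformed or non-Kerberos input. ClassifyMechToken and tokenKinds are hypothetical names, and the sample bytes are constructed.

```go
package main

import (
	"encoding/asn1"
	"encoding/hex"
	"errors"
	"fmt"
)

// krb5OID is the Kerberos V5 GSS-API mechanism OID (RFC 4121).
var krb5OID = asn1.ObjectIdentifier{1, 2, 840, 113554, 1, 2, 2}

// tokenKinds maps the hex TOK_ID values listed in the constants above.
var tokenKinds = map[string]string{"0100": "AP_REQ", "0200": "AP_REP", "0300": "KRB_ERROR"}

// ClassifyMechToken (hypothetical helper) parses the RFC 2743 framing
// [APPLICATION 0] { mech OID, inner token } and names the inner token kind.
func ClassifyMechToken(b []byte) (string, error) {
	var outer asn1.RawValue
	rest, err := asn1.Unmarshal(b, &outer)
	if err != nil {
		return "", fmt.Errorf("outer framing: %w", err)
	}
	if len(rest) != 0 || outer.Class != asn1.ClassApplication || outer.Tag != 0 || !outer.IsCompound {
		return "", errors.New("not a GSS-API initial context token")
	}
	var oid asn1.ObjectIdentifier
	inner, err := asn1.Unmarshal(outer.Bytes, &oid)
	if err != nil {
		return "", fmt.Errorf("mechanism OID: %w", err)
	}
	if !oid.Equal(krb5OID) {
		return "", fmt.Errorf("unexpected mechanism %v", oid)
	}
	if len(inner) < 2 {
		return "", errors.New("truncated token: TOK_ID missing")
	}
	id := hex.EncodeToString(inner[:2])
	kind, ok := tokenKinds[id]
	if !ok {
		return "", fmt.Errorf("unknown TOK_ID %s", id)
	}
	return kind, nil
}

func main() {
	// Constructed sample: framing + KRB5 OID + TOK_ID 0300 + two filler bytes.
	sample, _ := hex.DecodeString("600f06092a864886f71201020203007e00")
	fmt.Println(ClassifyMechToken(sample))
}
```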
type Kerberos
type Kerberos struct {
	BaseAuthModule
	// contains filtered or unexported fields
}
func NewKerberosModule
func NewKerberosModule(base BaseAuthModule) *Kerberos
func (*Kerberos) Process
func (k *Kerberos) Process(cl client.Client) (cred *credentials.Credentials, err error)