feat: SASL (SCRAM-SHA-256) authentication

[rkrishn7]

This PR implements SCRAM-SHA-256 SASL mechanism for client <> proxy authentication

Notes for reviewer:

• I tried to keep the PR focused and not do too much refactoring. There's definitely opportunity to follow a similar pattern for MD5 authentication and consolidate some code from the scram module. However, it may be best to sequence it out into subsequent PRs for review purposes

Open Questions:

• The current config setup allows for individual pools to override the general auth config. I wasn't quite sure if this makes sense. Completely open to other ideas

Closes #624

[levkk]

Thank you for this. I'll review it asap.

[rkrishn7]

Hey @levkk! Just checking back in here. Do you have an idea of when you'll be able to get to this? Thanks!

[levkk]

Hi. Thank you for the PR. I haven't forgotten about it, I'll try to review it sometime this weekend or early next week. Please feel free to ping me again if I don't get back to you by then.

[ConstBur]

Hi @levkk and @rkrishn7, got any news for this one?

[Neustradamus]

@rkrishn7: Nice!

Any progress on this PR?

Linked to:

• State of Play scram-sasl/info#1

[adriangb]

Hi! This would be a really nice feature, ➕1 to get this in. Thank you to author and reviewers.

[mingjunyang]

Hi, All my PostgreSQL database baseline the scram-sha-256, this feature very useful.

[RiverPhillips]

This would be really helpful. Apologies for the ping @levkk but have you been able to review this yet?

[RiverPhillips]

I tried building this PR and testing it and ran into an error when actually using scram-sha-256 on this line here. I think it needs a little more work to get this working with the existing implementation in auth_passthrough.rs

[semoal]

Sorry for pinging, but this is the only feature missing for us to migrate our entire stack to pgcat instead of pgbouncer

[luss]

Is there a beta 2.0 possibly coming out soon?

…

On Sun, May 19, 2024 at 11:31 AM Sergio Moreno ***@***.***> wrote: Sorry for pinging, but this is the only feature missing for us to migrate our entire stack to pgcat instead of pgbouncer — Reply to this email directly, view it on GitHub <#631 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAMWOHWCCONTS4QWHVZCQSTZDDAU7AVCNFSM6AAAAAA6VLJPOWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCMJZGI3TMNJQHA> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[levkk]

Working on 2.0 as we speak. Will have some more news soon.

[AndrewJackson2020]

Sorry for pinging, but this is the only feature missing for us to migrate our entire stack to pgcat instead of pgbouncer

Same here with me. pgcat has some very useful features that are a huge advantage over pgbouncer but pgbouncer has a lot more options on the auth front. scram-sha-256 is a huge piece of that and would love to see it included in pcat. Has there been any progress on this PR?

[SoulKyu]

Any news on this MR ?

[kabir-bitstack]

@levkk Any news on this?

SASL is highly recommended.

Also, this would allow running pgcat with auth_query as a proxy.

[ramilmsh]

+1