A custom authentication proxy for AWS Redshift. Radshift accepts Postgres connections, authenticates users using LinOTP, then proxies through to Redshift. Appropriate Redshift database users are created or updated automatically on demand.
It uses femebe to do the heavy lifting of the Postgres protocol.
At the time we developed Radshift, AWS Redshift only supported username/password authentication (no certificate or LDAP-based authentication). We wanted to hook into other internal auth systems, so Radshift was born as a temporary solution. There is nothing Redshift-specific about the project except our initial use case.
This code should not be considered production-ready, but may be useful as an example for how to implement similar forms of Postgres proxy functionality. It is meant primarily for human users and has some race conditions if a single user creates multiple concurrent connections in quick succession.
You may want to look at PgBouncer for a more production-ready proxy.
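The on-demand user provisioning and the race the paragraph above warns about, as an added example that is not Radshift's own code: after LinOTP accepts a login, the proxy must create the backend user on first sight or rotate its password otherwise, using its own `--redshift-user` credentials, and align the `CREATEUSER` privilege with `--superuser`. The SQL below uses Redshift's `CREATE USER`/`ALTER USER ... PASSWORD` and `CREATEUSER`/`NOCREATEUSER` forms; the `ProvisionStatements`, `randomPassword` and `ExistsQuery` names are hypothetical, and the password rules (8+ characters with upper, lower and digit) are assumed from Redshift's documented requirements.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	"strings"
)

// quoteIdent wraps a name in double quotes and doubles any embedded quote, so
// a username supplied by the client can never break out of CREATE USER "...".
func quoteIdent(name string) string {
	return `"` + strings.ReplaceAll(name, `"`, `""`) + `"`
}

// quoteLiteral does the same for single-quoted string literals (the password).
func quoteLiteral(s string) string {
	return `'` + strings.ReplaceAll(s, `'`, `''`) + `'`
}

// randomPassword draws n characters from crypto/rand and retries until the
// result has at least one upper-case letter, one lower-case letter and one
// digit (assumed Redshift password policy; minimum length 8).
func randomPassword(n int) (string, error) {
	const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
	if n < 8 {
		return "", fmt.Errorf("password length %d is below the 8-character minimum", n)
	}
	for {
		buf := make([]byte, n)
		for i := range buf {
			idx, err := rand.Int(rand.Reader, big.NewInt(int64(len(alphabet))))
			if err != nil {
				return "", err
			}
			buf[i] = alphabet[idx.Int64()]
		}
		pw := string(buf)
		if strings.ContainsAny(pw, "ABCDEFGHIJKLMNOPQRSTUVWXYZ") &&
			strings.ContainsAny(pw, "abcdefghijklmnopqrstuvwxyz") &&
			strings.ContainsAny(pw, "0123456789") {
			return pw, nil
		}
	}
}

// ExistsQuery is the parameterised lookup to run before ProvisionStatements;
// the username travels as a bind parameter, never spliced into the text.
const ExistsQuery = "SELECT 1 FROM pg_user WHERE usename = $1"

// ProvisionStatements returns the SQL to run as the proxy's superuser once a
// login is verified. `exists` is the answer from ExistsQuery; because Redshift
// has no CREATE USER IF NOT EXISTS, this check-then-create sequence is exactly
// where two concurrent first logins of the same user can race, so callers
// should serialise provisioning per username.
func ProvisionStatements(username, password string, exists, superuser bool) []string {
	ident := quoteIdent(username)
	var stmts []string
	if exists {
		stmts = append(stmts, fmt.Sprintf("ALTER USER %s PASSWORD %s", ident, quoteLiteral(password)))
	} else {
		stmts = append(stmts, fmt.Sprintf("CREATE USER %s PASSWORD %s", ident, quoteLiteral(password)))
	}
	if superuser {
		stmts = append(stmts, fmt.Sprintf("ALTER USER %s CREATEUSER", ident))
	} else {
		stmts = append(stmts, fmt.Sprintf("ALTER USER %s NOCREATEUSER", ident))
	}
	return stmts
}

func main() {
	pw, err := randomPassword(16)
	if err != nil {
		panic(err)
	}
	// Constructed example: a first-time, non-superuser login for "alice".
	for _, s := range ProvisionStatements("alice", pw, false, false) {
		fmt.Println(s)
	}
}
```

The generated password is what the proxy would use on the backend connection on the user's behalf; the user only ever presents an OTP to Radshift, so the Redshift credential never leaves the proxy.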
Building from source requires a working Go environment, but no other special tricks. Vendored dependencies are managed with dep.
```sh
go get -u github.com/SimpleFinance/radshift/...
```
```
usage: radshift --ssl-cert=<path/to/ssl.crt> --ssl-key=<path/to/ssl.key> --redshift=<[...].redshift.amazonaws.com:5439> --redshift-ca-bundle=<path/to/redshift-ssl-ca-cert.pem> --redshift-user=<user> --redshift-password=<password> --linotp=<https://linotp/auth> --linotp-ca-bundle=<path/to/ca_bundle.pem> [<flags>]

An authenticating proxy for Redshift.

      --help                     Show context-sensitive help (also try --help-long and --help-man).
  -v, --verbose                  Enable verbose output.
      --insecure                 Disable authentication and weaken/disable SSL.
      --listen=                  Interface/port on which to listen.
      --ssl-cert=<path/to/ssl.crt>
                                 Path to SSL certificate in PEM format (default:
      --ssl-key=<path/to/ssl.key>
                                 Path to SSL private key in PEM format (default:
      --redshift=<[...].redshift.amazonaws.com:5439>
                                 Hostname/IP and port of backend Redshift
      --redshift-ca-bundle=<path/to/redshift-ssl-ca-cert.pem>
                                 Path to Redshift Certificate Authority bundle in PEM format (see
      --redshift-user=<user>     Username for the radshift superuser on the backend Redshift cluster (default
      --redshift-password=<password>
                                 Password for the radshift superuser on the backend Redshift cluster (default:
      --user=<username> ...      Allow <username> to connect (after authenticating to LinOTP).
      --superuser=<username> ...
                                 Treat <username> as a superuser on the backend.
      --linotp=<https://linotp/auth>
                                 URL of LinOTP endpoint for verifying user OTPs
      --linotp-realm="radshift"  LinOTP realm for verifying user OTPs
      --linotp-ca-bundle=<path/to/ca_bundle.pem>
                                 Path to CA bundle for LinOTP in PEM format (default: $SSL_CA_BUNDLE_PATH).
      --version                  Show application version.
```