Re: [PATCH v20] GSSAPI encryption support
Michael Paquier <michael@paquier.xyz>
From: Michael Paquier <michael@paquier.xyz>
To: Stephen Frost <sfrost@snowman.net>
Cc: Peter Eisentraut <peter.eisentraut@2ndquadrant.com>, Magnus Hagander <magnus@hagander.net>, Joe Conway <mail@joeconway.com>, Alvaro Herrera <alvherre@2ndquadrant.com>, David Steele <david@pgmasters.net>, Nico Williams <nico@cryptonector.com>, Robbie Harwood <rharwood@redhat.com>, PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2019-04-16T04:36:41Z
Lists: pgsql-hackers
On Mon, Apr 15, 2019 at 08:24:52AM -0400, Stephen Frost wrote:
> The tests are really fast enough with one KDC that I don't think it
> makes sense to have two independent tests.
Perhaps you should add a comment about the need of unicity at the top
of 001_auth.pl with a short description of the test?
> Please find attached a patch which updates the protocol.sgml docs that
> Michael mentioned before, and merges the tests into one test file (while
> adding in some additional tests to make sure that the server also agrees
> with what our expectations are, using the pg_stat_gssapi view).
Thanks for addressing all that feedback. Parallel runs look more
stable on my side. At least it seems that I can re-enable it safely.
> I'll push this soon unless there are concerns. If you get a chance to
> test the patch out, that would be great. It's working happily for me
> locally.
+ calling gss_init_sec_context() in a loop and sending the result to the
Some markups should be added here for all function names. Not all the
clients use C either, so you may want to say "or equivalent"?
+test_access($node, 'test1', 'SELECT gss_authenticated AND encrypted
from pg_stat_gssapi where pid = pg_backend_pid();', 0, '', 'succeeds
with mapping with default gssencmode and host hba');
+test_access($node, "test1", 'SELECT gss_authenticated AND encrypted
from pg_stat_gssapi where pid = pg_backend_pid();', 0,
"gssencmode=prefer", "succeeds with GSS-encrypted access preferred
with host hba");
+test_access($node, "test1", 'SELECT gss_authenticated AND encrypted
from pg_stat_gssapi where pid = pg_backend_pid();', 0,
"gssencmode=require", "succeeds with GSS-encrypted access required
with host hba");
If you could rework a bit the indentation of the new code added in
kerberos/t/001_auth.pl that would be nice. I am afraid that the
current format makes debugging harder than necessary.
+$node->append_conf('pg_hba.conf',
+ qq{hostgssenc all all $hostaddr/32 gss map=mymap});
+$node->restart;
A reload should be enough but not race-condition free, which is why a
set of restarts is done in this test right? (I have noticed that it
is done this way since the beginning.)
--
Michael
Commits
-
GSSAPI encryption support
- b0b39f72b990 12.0 landed
-
Fix typo
- 57c932475504 9.6.0 cited