Re: [PATCH v20] GSSAPI encryption support

Stephen Frost <sfrost@snowman.net>

From: Stephen Frost <sfrost@snowman.net>
To: Michael Paquier <michael@paquier.xyz>
Cc: Peter Eisentraut <peter.eisentraut@2ndquadrant.com>, Magnus Hagander <magnus@hagander.net>, Joe Conway <mail@joeconway.com>, Alvaro Herrera <alvherre@2ndquadrant.com>, David Steele <david@pgmasters.net>, Nico Williams <nico@cryptonector.com>, Robbie Harwood <rharwood@redhat.com>, PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2019-04-20T01:25:14Z
Lists: pgsql-hackers
Greetings,

* Michael Paquier (michael@paquier.xyz) wrote:
> On Mon, Apr 15, 2019 at 08:24:52AM -0400, Stephen Frost wrote:
> > The tests are really fast enough with one KDC that I don't think it
> > makes sense to have two independent tests.
> 
> Perhaps you should add a comment about the need of unicity at the top
> of 001_auth.pl with a short description of the test?

I added some comments there that I think explain why it makes sense to
have just one test file there.

> > Please find attached a patch which updates the protocol.sgml docs that
> > Michael mentioned before, and merges the tests into one test file (while
> > adding in some additional tests to make sure that the server also agrees
> > with what our expectations are, using the pg_stat_gssapi view).
> 
> Thanks for addressing all that feedback.  Parallel runs look more
> stable on my side.  At least it seems that I can re-enable it safely.

Great, glad to hear it.

> > I'll push this soon unless there are concerns.  If you get a chance to
> > test the patch out, that would be great.  It's working happily for me
> > locally.
> 
> +    calling gss_init_sec_context() in a loop and sending the result to the
> Some markups should be added here for all function names.  Not all the
> clients use C either, so you may want to say "or equivalent"?

I added the markups for function names along with a sentence fragment
saying that the functions referenced are the C GSSAPI bindings, and that
equivilants can be used.

> +test_access($node, 'test1', 'SELECT gss_authenticated AND encrypted
> from pg_stat_gssapi where pid = pg_backend_pid();', 0, '', 'succeeds
> with mapping with default gssencmode and host hba');
> +test_access($node, "test1", 'SELECT gss_authenticated AND encrypted
> from pg_stat_gssapi where pid = pg_backend_pid();', 0,
> "gssencmode=prefer", "succeeds with GSS-encrypted access preferred
> with host hba");
> +test_access($node, "test1", 'SELECT gss_authenticated AND encrypted
> from pg_stat_gssapi where pid = pg_backend_pid();', 0,
> "gssencmode=require", "succeeds with GSS-encrypted access required
> with host hba");
> If you could rework a bit the indentation of the new code added in
> kerberos/t/001_auth.pl that would be nice.  I am afraid that the
> current format makes debugging harder than necessary.

I ran perltidy on it, sorry, should have done that before.

> +$node->append_conf('pg_hba.conf',
> +   qq{hostgssenc all all $hostaddr/32 gss map=mymap});
> +$node->restart;
> A reload should be enough but not race-condition free, which is why a
> set of restarts is done in this test right?  (I have noticed that it
> is done this way since the beginning.)

Right, we want this to be a restart as Peter mentions downthread.

I've now pushed these changes and will mark the open item as addressed.

Thanks!

Stephen

Commits

  1. GSSAPI encryption support

  2. Fix typo