Re: Proposal: Save user's original authenticated identity for logging
Jacob Champion <pchampion@vmware.com>
From: Jacob Champion <pchampion@vmware.com>
To: "magnus@hagander.net" <magnus@hagander.net>
Cc: "stark@mit.edu" <stark@mit.edu>, "pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>, "sfrost@snowman.net" <sfrost@snowman.net>, "tgl@sss.pgh.pa.us" <tgl@sss.pgh.pa.us>
Date: 2021-03-08T23:55:16Z
Lists: pgsql-hackers
On Mon, 2021-03-08 at 22:16 +0000, Jacob Champion wrote: > On Sat, 2021-03-06 at 18:33 +0100, Magnus Hagander wrote: > > With this we store the same value as the authn and as > > port->gss->princ, and AFAICT it's only used once. Seems we could just > > use the new field for the gssapi usage as well? Especially since that > > usage only seems to be there in order to do the gssapi specific > > logging of, well, the same thing. > > > > [...] > > Seems reasonable; I'll consolidate them. A slight hitch in the plan, for the GSS side... port->gss->princ is exposed by pg_stat_gssapi. I can switch this to use port->authn_id easily enough. But it seems like the existence of a user principal for the connection is independent of whether or not you're using that principal as your identity. For example, you might connect via a "hostgssenc ... trust" line in the HBA. (This would be analogous to presenting a user certificate over TLS but not using it to authenticate to the database.) I'd argue that the principal should be available through the stats view in this case as well, just like you can see a client DN in pg_stat_ssl even if you're using trust auth. The server doesn't currently support that -- gss->princ is only populated in the gss auth case, as far as I can tell -- but if I remove gss->princ entirely, then it'll be that much more work for someone who wants to expose that info later. I think it should remain independent. Thoughts? --Jacob
Commits
-
Add missing $Test::Builder::Level settings
- 73aa5e0cafd0 15.0 landed
- e536a2683439 14.0 landed
-
Add some information about authenticated identity via log_connections
- 9afffcb833d3 14.0 landed
-
Fix some issues with SSL and Kerberos tests
- 5a71964a832f 14.0 landed
-
Refactor all TAP test suites doing connection checks
- c50624cdd248 14.0 landed