Re: [PATCH v20] GSSAPI encryption support
Peter Eisentraut <peter.eisentraut@2ndquadrant.com>
From: Peter Eisentraut <peter.eisentraut@2ndquadrant.com>
To: Robbie Harwood <rharwood@redhat.com>, pgsql-hackers@postgresql.org
Cc: Stephen Frost <sfrost@snowman.net>, Nico Williams
<nico@cryptonector.com>, Michael Paquier <michael@paquier.xyz>,
Alvaro Herrera <alvherre@2ndquadrant.com>, David Steele <david@pgmasters.net>
Date: 2019-02-23T09:19:53Z
Lists: pgsql-hackers
I don't know much about GSSAPI, but from what I can tell, this seems an attractive feature, and the implementation is compact enough. I have done a bit of work on the internal SSL API refactoring, so I have some thoughts on this patch. Looking at the file structure, we would have be-secure.c be-secure-openssl.c be-secure-[othersslimpl].c be-secure-gssapi.c be-secure-common.c This implies a code structure that isn't really there. be-secure-common.c is used by SSL implementations but not by the GSSAPI implementation. Perhaps we should rename be-secure-openssl.c to be-ssl-openssl.c and be-secure-common.c to be-ssl-common.c. Or maybe we avoid that, and you rename be-secure-gssapi.c to just be-gssapi.c and also combine that with the contents of be-gssapi-common.c. (Or maybe both.) (And similarly in libpq.) About pg_hba.conf: The "hostgss" keyword seems a bit confusing. It only applies to encrypted gss-using connections, not all of them. Maybe "hostgssenc" or "hostgsswrap"? I don't see any tests in the patch. We have a Kerberos test suite at src/test/kerberos/ and an SSL test suite at src/test/ssl/. You can get some ideas there. -- Peter Eisentraut http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
Commits
-
GSSAPI encryption support
- b0b39f72b990 12.0 landed
-
Fix typo
- 57c932475504 9.6.0 cited