Re: Proposal: Save user's original authenticated identity for logging
Michael Paquier <michael@paquier.xyz>
From: Michael Paquier <michael@paquier.xyz>
To: Jacob Champion <pchampion@vmware.com>
Cc: "magnus@hagander.net" <magnus@hagander.net>, "stark@mit.edu" <stark@mit.edu>, "pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>, "sfrost@snowman.net" <sfrost@snowman.net>, "tgl@sss.pgh.pa.us" <tgl@sss.pgh.pa.us>
Date: 2021-03-22T06:16:32Z
Lists: pgsql-hackers
Attachments
- v8-0001-ssl-store-client-s-DN-in-port-peer_dn.patch (text/x-diff) patch v8-0001
- v8-0002-Log-authenticated-identity-from-all-auth-backends.patch (text/x-diff) patch v8-0002
On Fri, Mar 19, 2021 at 06:37:05PM +0000, Jacob Champion wrote: > The same effect can be had by moving the log rotation to the top of the > test that needs it, so I've done it that way in v7. After thinking more about 0001, I have come up with an even simpler solution that has resulted in 11e1577. That's similar to what PostgresNode::issues_sql_like() does. This also makes 0003 simpler with its changes as this requires to change two lines in test_access. > Turns out it's easy now to have our cake and eat it too; a single if > statement can implement the same search-forward functionality that was > spread across multiple places before. So I've done that too. I have briefly looked at 0002 (0001 in the attached set), and it seems sane to me. I still need to look at 0003 (well, now 0002) in details, which is very sensible as one mistake would likely be a CVE-class bug. -- Michael
Commits
-
Add missing $Test::Builder::Level settings
- 73aa5e0cafd0 15.0 landed
- e536a2683439 14.0 landed
-
Add some information about authenticated identity via log_connections
- 9afffcb833d3 14.0 landed
-
Fix some issues with SSL and Kerberos tests
- 5a71964a832f 14.0 landed
-
Refactor all TAP test suites doing connection checks
- c50624cdd248 14.0 landed