Re: Kerberos delegation support in libpq and postgres_fdw

Stephen Frost <sfrost@snowman.net>

From: Stephen Frost <sfrost@snowman.net>
To: David Christensen <david@pgguru.net>
Cc: pgsql-hackers@lists.postgresql.org
Date: 2023-04-07T21:48:46Z
Lists: pgsql-hackers

Attachments

Greetings,

* David Christensen (david@pgguru.net) wrote:
> Reviewed v8; largely looking good, though I notice this hunk, which may
> arguably be a bug fix, but doesn't appear to be relevant to this specific
> patch, so could probably be debated independently (and if a bug, should
> probably be backpatched):
> 
> diff --git a/contrib/postgres_fdw/option.c b/contrib/postgres_fdw/option.c
> index 4229d2048c..11d41979c6 100644
> --- a/contrib/postgres_fdw/option.c
> +++ b/contrib/postgres_fdw/option.c
> @@ -288,6 +288,9 @@ InitPgFdwOptions(void)
>   {"sslcert", UserMappingRelationId, true},
>   {"sslkey", UserMappingRelationId, true},
> 
> + /* gssencmode is also libpq option, same to above. */
> + {"gssencmode", UserMappingRelationId, true},
> +
>   {NULL, InvalidOid, false}
>   };

Hmm, yeah, hard to say if that makes sense at a user-mapping level or
not.  Agreed that we could have an independent discussion regarding
that and if it should be back-patched, so removed it from this patch.

> That said, should "gssdeleg" be exposed as a user mapping?  (This shows up
> in postgresql_fdw; not sure if there are other places that would be
> relevant, like in dblink somewhere as well, just a thought.)

Ah, yeah, that certainly makes sense to have as optional for a user
mapping.  dblink doesn't have the distinction between server-level
options and user mapping options (as it doesn't have user mappings at
all really) so it doesn't have something similar.

Updated patch attached.

Thanks!

Stephen

Commits

  1. Add support for Kerberos credential delegation