From: | Daniel Carter <danielchriscarter+postgres(at)gmail(dot)com> |
---|---|
To: | Aleksander Alekseev <aleksander(at)timescale(dot)com> |
Cc: | PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
Subject: | Re: PATCH: Add GSSAPI ccache_name option to libpq |
Date: | 2021-04-20 16:28:46 |
Message-ID: | 0f752a59-b77f-3446-ed7f-56906b5ad264@gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
Hi Aleksander,
On 20/04/2021 11:30, Aleksander Alekseev wrote:
> Hi Daniel,
>
>> It's my first go at submitting a patch -- it works as far as I can tell,
>> but I suspect there will probably still be stuff to fix before it's
>> ready to use!
>
> You are doing great :)
Thanks for the encouragement!
> There are several other things worth checking:
> 0. Always run `make distclean` before following steps
> 1. Make sure `make -j4 world && make -j4 check-world` passes
> 2. Make sure `make install-world` and `make installcheck-world` passes
> 3. Since you are changing the documentation it's worth checking that
> it displays properly. The documentation is in the
> $(PGINSTALL)/share/doc/postgresql/html directory
>
> Several years ago I published some scripts that simplify all this a
> little: https://github.com/afiskon/pgscripts, especially step 3. They
> may require some modifications for your OS of choice. Please read
> https://wiki.postgresql.org/wiki/Submitting_a_Patch for more
> information.
Thanks for the advice (and the script repository).
One thing this has identified is an implicit declaration error on the
gss_krb5_ccache_name call (the code was still working so I presume it
must get included at some point, although I can't see exactly where).
This can be fixed easily enough just by adding a `#include
<gssapi/gssapi_krb5.h>` line to libpq-int.h, although I don't know
whether this wants to be treated differently because (as far as I can
tell) it's a Kerberos-specific feature rather than something which any
GSSAPI service could use (hence it being in gssapi_krb5.h rather than
gssapi.h) and so might end up breaking other things?
(It looks like current versions of both MIT Kerberos and Heimdal use
<gssapi/gssapi.h> rather than <gssapi.h>, although Heimdal previously
had all its GSSAPI functionality, including this gss_krb5_ccache_name
function, in <gssapi.h>.)
> Generally speaking, it also a good idea to add some test cases for
> your code, although I understand why it might be a little complicated
> in this particular case. Maybe you could at least tell us how it can
> be checked manually that this code actually does what is supposed to?
Something like the following code hopefully demonstrates how it's
supposed to work:
> const char *conninfo = "dbname='test' user='test' host='krb.local' port='5432' ccache_name='/home/user/test/krb5cc_1000'";
> PGconn *conn;
>
> conn = PQconnectdb(conninfo);
>
> if(PQstatus(conn) != CONNECTION_OK) {
> fprintf(stderr, "Connection to database failed: %s\n", PQerrorMessage(conn));
> } else {
> printf("Connection succeeded\n");
> }
> PQfinish(conn);
Hopefully this example gives some sort of guide to its intended purpose
-- the ccache_name parameter in the connection string specifies a
(non-standard) location for the credential cache, which is then used by
libpq to fetch data from the database via GSSAPI authentication.
Many thanks,
Daniel
From | Date | Subject | |
---|---|---|---|
Next Message | Tomas Vondra | 2021-04-20 16:38:01 | Re: Synchronous commit behavior during network outage |
Previous Message | Aleksander Alekseev | 2021-04-20 16:23:42 | Re: Synchronous commit behavior during network outage |