Re: [PATCH v20] GSSAPI encryption support

From: Michael Paquier <michael(at)paquier(dot)xyz>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, Magnus Hagander <magnus(at)hagander(dot)net>, Joe Conway <mail(at)joeconway(dot)com>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, David Steele <david(at)pgmasters(dot)net>, Nico Williams <nico(at)cryptonector(dot)com>, Robbie Harwood <rharwood(at)redhat(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: [PATCH v20] GSSAPI encryption support
Date: 2019-04-16 04:36:41
Message-ID: 20190416043641.GE2673@paquier.xyz
Lists: pgsql-hackers

On Mon, Apr 15, 2019 at 08:24:52AM -0400, Stephen Frost wrote:
> The tests are really fast enough with one KDC that I don't think it
> makes sense to have two independent tests.

Perhaps you should add a comment about the need for uniqueness at the top
of 001_auth.pl with a short description of the test?

> Please find attached a patch which updates the protocol.sgml docs that
> Michael mentioned before, and merges the tests into one test file (while
> adding in some additional tests to make sure that the server also agrees
> with what our expectations are, using the pg_stat_gssapi view).

Thanks for addressing all that feedback. Parallel runs look more
stable on my side. At least it seems that I can re-enable it safely.

> I'll push this soon unless there are concerns. If you get a chance to
> test the patch out, that would be great. It's working happily for me
> locally.

+ calling gss_init_sec_context() in a loop and sending the result to the
Some markup should be added here for all the function names. Not all
clients use C either, so you may want to say "or equivalent"?

+test_access($node, 'test1', 'SELECT gss_authenticated AND encrypted
from pg_stat_gssapi where pid = pg_backend_pid();', 0, '', 'succeeds
with mapping with default gssencmode and host hba');
+test_access($node, "test1", 'SELECT gss_authenticated AND encrypted
from pg_stat_gssapi where pid = pg_backend_pid();', 0,
"gssencmode=prefer", "succeeds with GSS-encrypted access preferred
with host hba");
+test_access($node, "test1", 'SELECT gss_authenticated AND encrypted
from pg_stat_gssapi where pid = pg_backend_pid();', 0,
"gssencmode=require", "succeeds with GSS-encrypted access required
with host hba");
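Review bot: each of these three calls passes 0 as the expected result for a query that returns a boolean, so if test_access() compares only psql's exit status (which the 0 suggests), a connection that authenticated but did not actually encrypt would still pass; either have test_access() check the query output for 't' or rewrite the condition so the query fails when it is false. The repeated `SELECT gss_authenticated AND encrypted from pg_stat_gssapi where pid = pg_backend_pid();` would also be clearer pulled into one variable, and the role name is quoted as 'test1' in the first call and "test1" in the other two.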
If you could rework the indentation of the new code added in
kerberos/t/001_auth.pl a bit, that would be nice. I am afraid that the
current format makes debugging harder than necessary.

+$node->append_conf('pg_hba.conf',
+ qq{hostgssenc all all $hostaddr/32 gss map=mymap});
+$node->restart;
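Review bot: pg_hba.conf is evaluated first-match, so appending this hostgssenc line while an earlier host entry for the same $hostaddr/32 (the one the preceding "with host hba" tests rely on) is still present would leave the new line unreachable, and the test would keep exercising the old rule; make sure that earlier entry is removed or ordered after this one before the restart.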
A reload should be enough but is not race-condition free, which is why a
set of restarts is done in this test, right? (I have noticed that it
has been done this way since the beginning.)
--
Michael
