Re: weird libpq GSSAPI comment

From: Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: Pg Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>, Robbie Harwood <rharwood(at)redhat(dot)com>
Subject: Re: weird libpq GSSAPI comment
Date: 2019-12-27 20:23:32
Message-ID: 20191227202332.GA20278@alvherre.pgsql
Lists: pgsql-hackers

On 2019-Dec-27, Stephen Frost wrote:

> Maybe part of the confusion here is that there's two different things- a
> credential cache, and then a credential *handle*. Calling
> gss_acquire_cred() will, if a credential *cache* exists, return to us a
> credential *handle* (in the form of conn->gcred) that we then pass to
> gss_init_sec_context().

Hmm, ok, yeah I certainly didn't understand that -- I was thinking that
the call was creating the credential cache itself, not a *handle* to
access it (I suppose that terminology must be clear to somebody familiar
with GSS).

> Hopefully that helps. I'm certainly happy to work with you to reword
> the comment, of course, but let's make sure there's agreement and
> understanding of what the code does first.

How about this?

* If GSSAPI is enabled and we can reach a credential cache,
* set up a handle for it; if it's operating, just send a
* GSS startup message, instead of the SSL negotiation and
* regular startup message below.

Álvaro Herrera
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
