Re: Kerberos delegation support in libpq and postgres_fdw

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Peter Eisentraut <peter(dot)eisentraut(at)enterprisedb(dot)com>
Cc: "pgsql-hackers(at)lists(dot)postgresql(dot)org" <pgsql-hackers(at)lists(dot)postgresql(dot)org>, Magnus Hagander <magnus(at)hagander(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Subject: Re: Kerberos delegation support in libpq and postgres_fdw
Date: 2022-03-01 01:28:47
Message-ID: 20220301012847.GQ10577@tamriel.snowman.net
Lists: pgsql-hackers

Greetings,

(Dropping the original poster as their email address apparently no
longer works)

* Peter Eisentraut (peter(dot)eisentraut(at)enterprisedb(dot)com) wrote:
> On 22.07.21 10:39, Peifeng Qiu wrote:
> >I've slightly modified the patch to support "gssencmode" and added TAP
> >tests.
>
> For the TAP tests, please put them under src/test/kerberos/, instead of
> copying the whole infrastructure to contrib/postgres_fdw/. Just make a new
> file, for example t/002_postgres_fdw_proxy.pl, and put your tests there.

I've incorporated the tests into the existing kerberos/001_auth.pl as
there didn't seem any need to create another file.

> Also, you can put code and tests in one patch, no need to separate.

Done. Also rebased and updated for the changes in the TAP testing
infrastructure and other changes. Also added code to track if
credentials were forwarded or not and to log that information.

> I wonder if this feature would also work in dblink. Since there is no
> substantial code changes in postgres_fdw itself as part of this patch, I
> would suspect yes. Can you check?

Yup, this should work fine. I didn't include any explicit testing of
postgres_fdw or dblink in this, yet. Instead, for the moment at least,
I've added to the connection log message an indication of whether
credentials were passed along with the connection along with tests of
both the negative case and the positive case. Not sure if that's useful
information to have in pg_stat_gssapi, but if so, then we could add it
there pretty easily.

I'm happy to try and get testing with postgres_fdw and dblink working
soon though, assuming there aren't any particular objections to moving
this forward.

Will add to the CF for consideration.

Thanks,

Stephen

Attachment: v3-0001-kerberos-delegation.patch (text/x-diff, 17.8 KB)
