From: | "Drouvot, Bertrand" <bdrouvot(at)amazon(dot)com> |
---|---|
To: | Michael Paquier <michael(at)paquier(dot)xyz> |
Cc: | Jacob Champion <jchampion(at)timescale(dot)com>, Alvaro Herrera <alvherre(at)alvh(dot)no-ip(dot)org>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Joe Conway <mail(at)joeconway(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
Subject: | Re: SYSTEM_USER reserved word implementation |
Date: | 2022-08-25 18:21:05 |
Message-ID: | 40b4e4d0-d034-ea19-3ec3-1557f498770f@amazon.com |
Lists: | pgsql-hackers |
Hi,
On 8/24/22 8:26 PM, Drouvot, Bertrand wrote:
> Hi,
>
> On 8/24/22 6:27 AM, Michael Paquier wrote:
>> On Wed, Aug 17, 2022 at 04:48:42PM +0200, Drouvot, Bertrand wrote:
>>> That way one could test the SYSTEM_USER behavior without the need to have
>>> Kerberos enabled.
>> I was looking at this patch
>
> Thanks for looking at it!
>
>> and noticed that SYSTEM_USER returns a
>> "name", meaning that the value would be automatically truncated at 63
>> characters. We shouldn't imply that as authn_ids can be longer than
>> that, and this issue gets a bit worse once with the auth_method
>> appended to the string.
>
> Good catch! I'll fix that in the next version.
>
> Hmm, I think it would make sense to keep system_user() with his
> friends current_user() and session_user().
>
> But now that system_user() will not return a name anymore (but a
> text), I think name.c is no longer the right place, what do you think?
> (If so, where would you suggest?)
system_user() now returns a text and I moved it to miscinit.c in the new
version attached (I think it makes more sense now).
>
>>
>> +if (!$use_unix_sockets)
>> +{
>> + plan skip_all =>
>> + "authentication tests cannot run without Unix-domain sockets";
>> +}
>>
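Review bot: the `if (!$use_unix_sockets)` guard runs `plan skip_all` before any connection is attempted, so it only covers the absence of Unix-domain sockets and not a platform where sockets exist but peer authentication is unavailable. Keep this guard and add a second skip after the first connection attempt, keyed on the server error "peer authentication is not supported on this platform" that the reply below mentions.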
>> Are you sure that !$use_unix_sockets is safe here? Could we have
>> platforms where we use our port's getpeereid() with $use_unix_sockets
>> works? That would cause the test to fail with ENOSYS. Hmm. Without
>> being able to rely on HAVE_GETPEEREID, we could check for the error
>> generated when the fallback implementation does not work, and skip the
>> rest of the test.
>
> Oh right, I did not think about that, thanks for the suggestion.
>
> I'll change this in the next version and simply skip the rest of the
> test in case we get "peer authentication is not supported on this
> platform".
>
New version attached is also addressing Michael's remark regarding the
peer authentication TAP test.
Regards,
--
Bertrand Drouvot
Amazon Web Services: https://aws.amazon.com
Attachment | Content-Type | Size |
---|---|---|
v2-0007-system_user-implementation.patch | text/plain | 17.9 KB |