Re: pg16 && GSSAPI && Heimdal/Macos

From: Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: "Todd M(dot) Kover" <kovert(at)omniscient(dot)com>, Nico Williams <nico(at)cryptonector(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: pg16 && GSSAPI && Heimdal/Macos
Date: 2025-05-28 21:45:49
Message-ID: CAOYmi+=bsb1u+CrkVSMU3DTvQn_XDDBO4zKuzyeC+bBFaPVZNQ@mail.gmail.com
Lists: pgsql-hackers

On Wed, May 28, 2025 at 9:25 AM Jacob Champion
<jacob(dot)champion(at)enterprisedb(dot)com> wrote:
> Personally, I'd be more happy to "maintain GSS on Mac using
> non-deprecated interfaces" than "maintain GSS via Heimdal,
> best-effort, some of the time". I think the former puts less of a
> burden on our testing matrix.

I was curious enough to put in some time to get GSS.framework
compiling via Autoconf, and I might as well share the ugly code I've
got. There are some similarities to Todd's earlier patch, but
decisions are made at different places; it detects either MIT Kerberos
or GSS.framework. And I haven't looked at the Meson side yet.

- I am not well-versed in frameworks. There's a bunch of namespace
pollution in Apple's GSS headers, and I'm hoping I'm missing some
magic #define to make that all go away.

- My handling of pg_store_delegated_credential() here isn't something
I'm seriously proposing. I think we should find a way to get it
working on Mac, using Nico's notes upthread. I can't commit to working
on that myself, but I'm definitely willing to put some review cycles
in, since I reviewed a bit of the original delegation feature.

- I also want to draw attention to the fact that libpq can't claim
that a credential is delegated if it's not; that breaks the security
of our FDWs. So pg_store_delegated_credential() cannot be a no-op.

--Jacob

Attachment Content-Type Size
0001-WIP-move-GSSAPI-checks-into-their-own-macro.patch application/x-patch 2.1 KB
0002-WIP-fall-back-to-GSS.framework-on-macOS.patch application/x-patch 11.4 KB
