kerberos regression test enhancement

Started by David Zhang almost 6 years ago, 1 message
#1 David Zhang
david.zhang@highgo.ca
1 attachment(s)

Hi Hackers,

I found one interesting behavior when "--with-gssapi" is enabled,

given a very "common" configuration in pg_hba.conf like below,

    host            postgres    david   192.168.0.114/32    trust

the query message is always encrypted when using a very "common" way
to connect to PG server,

    $ psql -h pgserver -d postgres -U david

unless I specify "gssencmode=disable" with -d option,

    $ psql -h pgserver -U david  -d "dbname=postgres gssencmode=disable"

Based on the above behaviors, I did a further exercise on the kerberos
regression test and found the test coverage is not enough. It should be
enhanced to cover the above behavior when the user specifies a "host"
followed by "trust" access in pg_hba.conf.

The attachment is a patch to cover the behaviors mentioned above for
the kerberos regression test.

Any thoughts?

Thanks,

--
David

Software Engineer
Highgo Software Inc. (Canada)
www.highgo.ca
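
An added example, not part of the original post or of PostgreSQL's code: a simplified Python model of pg_hba.conf first-match rule selection, showing why the `host ... trust` rule accepts both the GSS-encrypted and the `gssencmode=disable` connection, and how a `hostgssenc` rule differs. Function names are hypothetical; only the type, database, user and CIDR address fields are modelled.

```python
import ipaddress

# pg_hba.conf connection types and the GSS-encryption states each one matches.
# (hostssl/hostnossl are left out: this model only tracks GSSAPI encryption.)
GSS_STATES = {
    "host": {True, False},     # matches with or without GSSAPI encryption
    "hostgssenc": {True},      # only GSSAPI-encrypted connections
    "hostnogssenc": {False},   # only connections without GSSAPI encryption
}

def parse_hba(text):
    """Parse 'type database user address method' lines, skipping comments."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 5 and fields[0] in GSS_STATES:
            rules.append(tuple(fields[:5]))
    return rules

def first_match(rules, database, user, addr, gss_encrypted):
    """Return the auth method of the first matching rule, or None (rejected)."""
    ip = ipaddress.ip_address(addr)
    for ctype, db, usr, cidr, method in rules:
        if (gss_encrypted in GSS_STATES[ctype]
                and db in ("all", database)
                and usr in ("all", user)
                and ip in ipaddress.ip_network(cidr)):
            return method
    return None

# Constructed rule sets: the rule from the post, and a stricter variant.
POST_RULE = "host        postgres  david  192.168.0.114/32  trust"
GSS_ONLY = "hostgssenc  postgres  david  192.168.0.114/32  trust"

def outcomes(hba_text):
    """Methods chosen for a GSS-encrypted and an unencrypted connection."""
    rules = parse_hba(hba_text)
    args = ("postgres", "david", "192.168.0.114")
    return (first_match(rules, *args, True), first_match(rules, *args, False))

if __name__ == "__main__":
    print("host rule      :", outcomes(POST_RULE))
    print("hostgssenc rule:", outcomes(GSS_ONLY))
```

With the `host` rule the server admits either kind of connection, so whether the session is encrypted is decided by the client's `gssencmode`; with `hostgssenc` the unencrypted attempt finds no matching rule.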

Attachments:

001_auth.pl-host-trust.patch (text/plain; charset=UTF-8)
diff --git a/src/test/kerberos/t/001_auth.pl b/src/test/kerberos/t/001_auth.pl
index b3aeea9574..7c2e65ce76 100644
--- a/src/test/kerberos/t/001_auth.pl
+++ b/src/test/kerberos/t/001_auth.pl
@@ -19,7 +19,7 @@ use Test::More;
 
 if ($ENV{with_gssapi} eq 'yes')
 {
-	plan tests => 18;
+	plan tests => 20;
 }
 else
 {
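Review bot: the hard-coded count on the `plan tests => 20;` line goes up by exactly two, which is only right if each added test_access call contributes a single test. The helper is not visible in this diff, so please confirm that against its definition, since a mismatch fails the whole file with a plan error rather than pointing at the new cases.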
@@ -333,3 +333,25 @@ test_access(
 	0,
 	'',
 	'succeeds with include_realm=0 and defaults');
+
+truncate($node->data_dir . '/pg_ident.conf', 0);
+unlink($node->data_dir . '/pg_hba.conf');
+$node->append_conf('pg_hba.conf',
+	qq{host all all $hostaddr/32 trust});
+$node->restart;
+
+test_access(
+	$node,
+	'test1',
+	'SELECT not gss_authenticated AND encrypted from pg_stat_gssapi where pid = pg_backend_pid();',
+	0,
+	'',
+	'succeeds with GSS-encrypted with default gssencmode and host trust hba');
+
+test_access(
+	$node,
+	"test1",
+	'SELECT not gss_authenticated and not encrypted from pg_stat_gssapi where pid = pg_backend_pid();',
+	0,
+	"gssencmode=disable",
+	"succeeds with GSS encryption disabled with access disabled and host trust hba");
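Review bot: the description on the last added test_access call, "succeeds with GSS encryption disabled with access disabled and host trust hba", is misleading, because access is not disabled in that case: the connection succeeds and only encryption is off. Something like "succeeds without GSS encryption with gssencmode=disable and host trust hba" would match what the query checks. The first new description ("succeeds with GSS-encrypted with default gssencmode ...") has the same awkwardness. The two new calls are also inconsistent with each other in quoting ('test1' vs "test1", single- vs double-quoted descriptions) and SQL keyword case (AND vs and); please align them with the style of the first. A short comment above the pg_hba.conf rewrite saying that a `host ... trust` rule is expected to yield an encrypted but not GSS-authenticated session by default would make the intent of the two queries clear to later readers.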