Naming of gss_accept_deleg
Why is the new PG 16 GUC called "gss_accept_deleg" and not
"gss_accept_delegation"? The abbreviation here seems atypical.
--
Bruce Momjian <bruce@momjian.us> https://momjian.us
EDB https://enterprisedb.com
Only you can decide what is important to you.
Greetings,
* Bruce Momjian (bruce@momjian.us) wrote:
Why is the new PG 16 GUC called "gss_accept_deleg" and not
"gss_accept_delegation"? The abbreviation here seems atypical.
At the time it felt natural to me but I don't feel strongly about it,
happy to change it if folks would prefer it spelled out.
Thanks,
Stephen
On Fri, May 19, 2023 at 09:07:26AM -0400, Stephen Frost wrote:
Greetings,
* Bruce Momjian (bruce@momjian.us) wrote:
Why is the new PG 16 GUC called "gss_accept_deleg" and not
"gss_accept_delegation"? The abbreviation here seems atypical.At the time it felt natural to me but I don't feel strongly about it,
happy to change it if folks would prefer it spelled out.
Yes, please do spell it out, thanks. The fact "deleg" looks similar to
"debug" also doesn't help.
--
Bruce Momjian <bruce@momjian.us> https://momjian.us
EDB https://enterprisedb.com
Only you can decide what is important to you.
At 2023-05-19 09:16:09 -0400, bruce@momjian.us wrote:
On Fri, May 19, 2023 at 09:07:26AM -0400, Stephen Frost wrote:
Why is the new PG 16 GUC called "gss_accept_deleg" and not
"gss_accept_delegation"? The abbreviation here seems atypical.At the time it felt natural to me but I don't feel strongly about it,
happy to change it if folks would prefer it spelled out.Yes, please do spell it out, thanks. The fact "deleg" looks similar to
"debug" also doesn't help.
Note that GSS-API itself calls it the "DELEG" flag:
if (conn->gcred != GSS_C_NO_CREDENTIAL)
gss_flags |= GSS_C_DELEG_FLAG;
I would also prefer a GUC named gss_accept_delegation, but the current
name matches the libpq gssdeleg connection parameter and the PGSSDELEG
environment variable. Maybe there's something to be said for keeping
those three things alike?
-- Abhijit
Abhijit Menon-Sen <ams@toroid.org> writes:
I would also prefer a GUC named gss_accept_delegation, but the current
name matches the libpq gssdeleg connection parameter and the PGSSDELEG
environment variable. Maybe there's something to be said for keeping
those three things alike?
+1 for spelling it out in all user-visible names. I do not think
that that GSS-API C symbol is a good precedent to follow.
regards, tom lane
On Fri, May 19, 2023 at 09:42:00AM -0400, Tom Lane wrote:
Abhijit Menon-Sen <ams@toroid.org> writes:
I would also prefer a GUC named gss_accept_delegation, but the current
name matches the libpq gssdeleg connection parameter and the PGSSDELEG
environment variable. Maybe there's something to be said for keeping
those three things alike?+1 for spelling it out in all user-visible names. I do not think
that that GSS-API C symbol is a good precedent to follow.
Once nice bonus of the release notes is that it allows us to see the new
API in one place to check for consistency.
--
Bruce Momjian <bruce@momjian.us> https://momjian.us
EDB https://enterprisedb.com
Only you can decide what is important to you.
On Fri, May 19, 2023 at 09:42:00AM -0400, Tom Lane wrote:
Abhijit Menon-Sen <ams@toroid.org> writes:
I would also prefer a GUC named gss_accept_delegation, but the current
name matches the libpq gssdeleg connection parameter and the PGSSDELEG
environment variable. Maybe there's something to be said for keeping
those three things alike?+1 for spelling it out in all user-visible names. I do not think
that that GSS-API C symbol is a good precedent to follow.
+1
--
Nathan Bossart
Amazon Web Services: https://aws.amazon.com
On Fri, May 19, 2023 at 07:58:34AM -0700, Nathan Bossart wrote:
On Fri, May 19, 2023 at 09:42:00AM -0400, Tom Lane wrote:
Abhijit Menon-Sen <ams@toroid.org> writes:
I would also prefer a GUC named gss_accept_delegation, but the current
name matches the libpq gssdeleg connection parameter and the PGSSDELEG
environment variable. Maybe there's something to be said for keeping
those three things alike?+1 for spelling it out in all user-visible names. I do not think
that that GSS-API C symbol is a good precedent to follow.+1
With less then 48 hours to beta 1 packaging, I have made this change and
adjusted internal variable to match.
--
Bruce Momjian <bruce@momjian.us> https://momjian.us
EDB https://enterprisedb.com
Only you can decide what is important to you.
On Sat, May 20, 2023 at 09:33:44PM -0400, Bruce Momjian wrote:
With less then 48 hours to beta 1 packaging, I have made this change and
adjusted internal variable to match.
The buildfarm and cfbot seem unhappy with 9c0a0e2. It looks like there are
a few remaining uses of gss_accept_deleg to rename. I'm planning to commit
the attached patch shortly.
--
Nathan Bossart
Amazon Web Services: https://aws.amazon.com
Attachments:
fix_9c0a0e2.patchtext/x-diff; charset=us-asciiDownload
diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample
index c8018da04a..b090ec5245 100644
--- a/src/backend/utils/misc/postgresql.conf.sample
+++ b/src/backend/utils/misc/postgresql.conf.sample
@@ -101,7 +101,7 @@
# GSSAPI using Kerberos
#krb_server_keyfile = 'FILE:${sysconfdir}/krb5.keytab'
#krb_caseins_users = off
-#gss_accept_deleg = off
+#gss_accept_delegation = off
# - SSL -
diff --git a/src/test/kerberos/t/001_auth.pl b/src/test/kerberos/t/001_auth.pl
index 39c035de32..5aff49a513 100644
--- a/src/test/kerberos/t/001_auth.pl
+++ b/src/test/kerberos/t/001_auth.pl
@@ -496,7 +496,7 @@ test_access(
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=no, principal=test1\@$realm)"
);
-$node->append_conf('postgresql.conf', qq{gss_accept_deleg=off});
+$node->append_conf('postgresql.conf', qq{gss_accept_delegation=off});
$node->restart;
test_access(
@@ -520,7 +520,7 @@ test_access(
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=no, principal=test1\@$realm)"
);
-$node->append_conf('postgresql.conf', qq{gss_accept_deleg=on});
+$node->append_conf('postgresql.conf', qq{gss_accept_delegation=on});
$node->restart;
test_access(
On Sat, May 20, 2023 at 08:17:57PM -0700, Nathan Bossart wrote:
On Sat, May 20, 2023 at 09:33:44PM -0400, Bruce Momjian wrote:
With less then 48 hours to beta 1 packaging, I have made this change and
adjusted internal variable to match.The buildfarm and cfbot seem unhappy with 9c0a0e2. It looks like there are
a few remaining uses of gss_accept_deleg to rename. I'm planning to commit
the attached patch shortly.
Yes, please do. I saw some matches in the tests but was confused since
my tests passed. I now realize I wasn't testing those.
--
Bruce Momjian <bruce@momjian.us> https://momjian.us
EDB https://enterprisedb.com
Only you can decide what is important to you.
Nathan Bossart <nathandbossart@gmail.com> writes:
On Sat, May 20, 2023 at 09:33:44PM -0400, Bruce Momjian wrote:
With less then 48 hours to beta 1 packaging, I have made this change and
adjusted internal variable to match.
The buildfarm and cfbot seem unhappy with 9c0a0e2. It looks like there are
a few remaining uses of gss_accept_deleg to rename. I'm planning to commit
the attached patch shortly.
I thought the plan was to also rename the libpq "gssdeleg" connection
parameter and so on? I can look into that tomorrow, if nobody beats
me to it.
regards, tom lane
On Sat, May 20, 2023 at 11:21:57PM -0400, Tom Lane wrote:
Nathan Bossart <nathandbossart@gmail.com> writes:
On Sat, May 20, 2023 at 09:33:44PM -0400, Bruce Momjian wrote:
With less then 48 hours to beta 1 packaging, I have made this change and
adjusted internal variable to match.The buildfarm and cfbot seem unhappy with 9c0a0e2. It looks like there are
a few remaining uses of gss_accept_deleg to rename. I'm planning to commit
the attached patch shortly.I thought the plan was to also rename the libpq "gssdeleg" connection
parameter and so on? I can look into that tomorrow, if nobody beats
me to it.
Oh, I didn't consider those. I thought we would leave libpq alone since
those are often supplied on the command line and there are existing
short-style libpq options, e.g., gssencmode, krbsrvname, sslcrl.
I am fine with such a change though.
--
Bruce Momjian <bruce@momjian.us> https://momjian.us
EDB https://enterprisedb.com
Only you can decide what is important to you.
On Sat, May 20, 2023 at 11:21:57PM -0400, Tom Lane wrote:
Nathan Bossart <nathandbossart@gmail.com> writes:
The buildfarm and cfbot seem unhappy with 9c0a0e2. It looks like there are
a few remaining uses of gss_accept_deleg to rename. I'm planning to commit
the attached patch shortly.
Done.
I thought the plan was to also rename the libpq "gssdeleg" connection
parameter and so on? I can look into that tomorrow, if nobody beats
me to it.
Please do.
--
Nathan Bossart
Amazon Web Services: https://aws.amazon.com
At 2023-05-20 23:21:57 -0400, tgl@sss.pgh.pa.us wrote:
Nathan Bossart <nathandbossart@gmail.com> writes:
On Sat, May 20, 2023 at 09:33:44PM -0400, Bruce Momjian wrote:
With less then 48 hours to beta 1 packaging, I have made this change and
adjusted internal variable to match.The buildfarm and cfbot seem unhappy with 9c0a0e2. It looks like there are
a few remaining uses of gss_accept_deleg to rename. I'm planning to commit
the attached patch shortly.I thought the plan was to also rename the libpq "gssdeleg" connection
parameter and so on? I can look into that tomorrow, if nobody beats
me to it.
I was trying the change to see if it would be better to name it
"gssdelegate" instead (as in delegate on one side, and accept the
delegation on the other), but decided that "gssdelegation=enable"
reads better than "gssdelegate=enable".
Here's the diff.
-- Abhijit
Attachments:
gssdeleg.difftext/x-diff; charset=us-asciiDownload
diff --git a/contrib/postgres_fdw/expected/postgres_fdw.out b/contrib/postgres_fdw/expected/postgres_fdw.out
index 826baac9f1..c8c4614b54 100644
--- a/contrib/postgres_fdw/expected/postgres_fdw.out
+++ b/contrib/postgres_fdw/expected/postgres_fdw.out
@@ -172,7 +172,7 @@ ALTER SERVER testserver1 OPTIONS (
--requirepeer 'value',
krbsrvname 'value',
gsslib 'value',
- gssdeleg 'value'
+ gssdelegation 'value'
--replication 'value'
);
-- Error, invalid list syntax
diff --git a/contrib/postgres_fdw/option.c b/contrib/postgres_fdw/option.c
index fe40d50c6d..5c301e0ef3 100644
--- a/contrib/postgres_fdw/option.c
+++ b/contrib/postgres_fdw/option.c
@@ -289,10 +289,10 @@ InitPgFdwOptions(void)
{"sslkey", UserMappingRelationId, true},
/*
- * gssdeleg is also a libpq option but should be allowed in a user
- * mapping context too
+ * gssdelegation is also a libpq option but should be allowed in
+ * a user mapping context too
*/
- {"gssdeleg", UserMappingRelationId, true},
+ {"gssdelegation", UserMappingRelationId, true},
{NULL, InvalidOid, false}
};
diff --git a/contrib/postgres_fdw/sql/postgres_fdw.sql b/contrib/postgres_fdw/sql/postgres_fdw.sql
index 15f3af6c29..b54903ad8f 100644
--- a/contrib/postgres_fdw/sql/postgres_fdw.sql
+++ b/contrib/postgres_fdw/sql/postgres_fdw.sql
@@ -186,7 +186,7 @@ ALTER SERVER testserver1 OPTIONS (
--requirepeer 'value',
krbsrvname 'value',
gsslib 'value',
- gssdeleg 'value'
+ gssdelegation 'value'
--replication 'value'
);
diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index cce25d06e6..e38a7debc3 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -2054,8 +2054,8 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
</listitem>
</varlistentry>
- <varlistentry id="libpq-connect-gssdeleg" xreflabel="gssdeleg">
- <term><literal>gssdeleg</literal></term>
+ <varlistentry id="libpq-connect-gssdelegation" xreflabel="gssdelegation">
+ <term><literal>gssdelegation</literal></term>
<listitem>
<para>
Forward (delegate) GSS credentials to the server. The default is
@@ -8271,10 +8271,10 @@ myEventProc(PGEventId evtId, void *evtInfo, void *passThrough)
<listitem>
<para>
<indexterm>
- <primary><envar>PGGSSDELEG</envar></primary>
+ <primary><envar>PGGSSDELEGATION</envar></primary>
</indexterm>
- <envar>PGGSSDELEG</envar> behaves the same as the <xref
- linkend="libpq-connect-gssdeleg"/> connection parameter.
+ <envar>PGGSSDELEGATION</envar> behaves the same as the <xref
+ linkend="libpq-connect-gssdelegation"/> connection parameter.
</para>
</listitem>
diff --git a/src/backend/foreign/foreign.c b/src/backend/foreign/foreign.c
index 6e1977fa62..ca3ad55b62 100644
--- a/src/backend/foreign/foreign.c
+++ b/src/backend/foreign/foreign.c
@@ -574,7 +574,7 @@ static const struct ConnectionOption libpq_conninfo_options[] = {
{"requiressl", ForeignServerRelationId},
{"sslmode", ForeignServerRelationId},
{"gsslib", ForeignServerRelationId},
- {"gssdeleg", ForeignServerRelationId},
+ {"gssdelegation", ForeignServerRelationId},
{NULL, InvalidOid}
};
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index 0dc31988b4..de0e13e50d 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -97,7 +97,7 @@ pg_GSS_continue(PGconn *conn, int payloadlen)
if (!pg_GSS_have_cred_cache(&conn->gcred))
conn->gcred = GSS_C_NO_CREDENTIAL;
- if (conn->gssdeleg && pg_strcasecmp(conn->gssdeleg, "enable") == 0)
+ if (conn->gssdelegation && pg_strcasecmp(conn->gssdelegation, "enable") == 0)
gss_flags |= GSS_C_DELEG_FLAG;
maj_stat = gss_init_sec_context(&min_stat,
diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
index 30486c59ba..786d22a770 100644
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -343,9 +343,9 @@ static const internalPQconninfoOption PQconninfoOptions[] = {
"GSS-library", "", 7, /* sizeof("gssapi") == 7 */
offsetof(struct pg_conn, gsslib)},
- {"gssdeleg", "PGGSSDELEG", NULL, NULL,
+ {"gssdelegation", "PGGSSDELEGATION", NULL, NULL,
"GSS-delegation", "", 8, /* sizeof("disable") == 8 */
- offsetof(struct pg_conn, gssdeleg)},
+ offsetof(struct pg_conn, gssdelegation)},
{"replication", NULL, NULL, NULL,
"Replication", "D", 5,
@@ -4453,7 +4453,7 @@ freePGconn(PGconn *conn)
free(conn->gssencmode);
free(conn->krbsrvname);
free(conn->gsslib);
- free(conn->gssdeleg);
+ free(conn->gssdelegation);
free(conn->connip);
/* Note that conn->Pfdebug is not ours to close or free */
free(conn->write_err_msg);
diff --git a/src/interfaces/libpq/fe-secure-gssapi.c b/src/interfaces/libpq/fe-secure-gssapi.c
index 3b2d0fd140..268970eaa0 100644
--- a/src/interfaces/libpq/fe-secure-gssapi.c
+++ b/src/interfaces/libpq/fe-secure-gssapi.c
@@ -622,14 +622,14 @@ pqsecure_open_gss(PGconn *conn)
if (ret != STATUS_OK)
return PGRES_POLLING_FAILED;
- if (conn->gssdeleg && pg_strcasecmp(conn->gssdeleg, "enable") == 0)
+ if (conn->gssdelegation && pg_strcasecmp(conn->gssdelegation, "enable") == 0)
{
/* Acquire credentials if possible */
if (conn->gcred == GSS_C_NO_CREDENTIAL)
(void) pg_GSS_have_cred_cache(&conn->gcred);
/*
- * We have credentials and gssdeleg is enabled, so request credential
+ * We have credentials and gssdelegation is enabled, so request credential
* delegation. This may or may not actually result in credentials
* being delegated- it depends on if the forwardable flag has been set
* in the credential and if the server is configured to accept
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index e985b57cb5..f1854f9919 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -404,7 +404,7 @@ struct pg_conn
char *krbsrvname; /* Kerberos service name */
char *gsslib; /* What GSS library to use ("gssapi" or
* "sspi") */
- char *gssdeleg; /* Try to delegate GSS credentials? */
+ char *gssdelegation; /* Try to delegate GSS credentials? */
char *ssl_min_protocol_version; /* minimum TLS protocol version */
char *ssl_max_protocol_version; /* maximum TLS protocol version */
char *target_session_attrs; /* desired session properties */
diff --git a/src/test/kerberos/t/001_auth.pl b/src/test/kerberos/t/001_auth.pl
index 5aff49a513..ba307b36a2 100644
--- a/src/test/kerberos/t/001_auth.pl
+++ b/src/test/kerberos/t/001_auth.pl
@@ -381,7 +381,7 @@ test_access(
'test1',
'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
0,
- 'gssencmode=prefer gssdeleg=enable',
+ 'gssencmode=prefer gssdelegation=enable',
'succeeds with GSS-encrypted access preferred with host hba and credentials not delegated even though asked for (ticket not forwardable)',
"connection authenticated: identity=\"test1\@$realm\" method=gss",
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=no, principal=test1\@$realm)"
@@ -391,7 +391,7 @@ test_access(
'test1',
'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
0,
- 'gssencmode=require gssdeleg=enable',
+ 'gssencmode=require gssdelegation=enable',
'succeeds with GSS-encrypted access required with host hba and credentials not delegated even though asked for (ticket not forwardable)',
"connection authenticated: identity=\"test1\@$realm\" method=gss",
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=no, principal=test1\@$realm)"
@@ -480,7 +480,7 @@ test_access(
'test1',
'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
0,
- 'gssencmode=prefer gssdeleg=enable',
+ 'gssencmode=prefer gssdelegation=enable',
'succeeds with GSS-encrypted access preferred and hostgssenc hba and credentials not forwarded (server does not accept them, default)',
"connection authenticated: identity=\"test1\@$realm\" method=gss",
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=no, principal=test1\@$realm)"
@@ -490,7 +490,7 @@ test_access(
'test1',
'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
0,
- 'gssencmode=require gssdeleg=enable',
+ 'gssencmode=require gssdelegation=enable',
'succeeds with GSS-encrypted access required and hostgssenc hba and credentials not forwarded (server does not accept them, default)',
"connection authenticated: identity=\"test1\@$realm\" method=gss",
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=no, principal=test1\@$realm)"
@@ -504,7 +504,7 @@ test_access(
'test1',
'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
0,
- 'gssencmode=prefer gssdeleg=enable',
+ 'gssencmode=prefer gssdelegation=enable',
'succeeds with GSS-encrypted access preferred and hostgssenc hba and credentials not forwarded (server does not accept them, explicitly disabled)',
"connection authenticated: identity=\"test1\@$realm\" method=gss",
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=no, principal=test1\@$realm)"
@@ -514,7 +514,7 @@ test_access(
'test1',
'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
0,
- 'gssencmode=require gssdeleg=enable',
+ 'gssencmode=require gssdelegation=enable',
'succeeds with GSS-encrypted access required and hostgssenc hba and credentials not forwarded (server does not accept them, explicitly disabled)',
"connection authenticated: identity=\"test1\@$realm\" method=gss",
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=no, principal=test1\@$realm)"
@@ -528,7 +528,7 @@ test_access(
'test1',
'SELECT gss_authenticated AND encrypted AND credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
0,
- 'gssencmode=prefer gssdeleg=enable',
+ 'gssencmode=prefer gssdelegation=enable',
'succeeds with GSS-encrypted access preferred and hostgssenc hba and credentials forwarded',
"connection authenticated: identity=\"test1\@$realm\" method=gss",
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=yes, principal=test1\@$realm)"
@@ -538,7 +538,7 @@ test_access(
'test1',
'SELECT gss_authenticated AND encrypted AND credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
0,
- 'gssencmode=require gssdeleg=enable',
+ 'gssencmode=require gssdelegation=enable',
'succeeds with GSS-encrypted access required and hostgssenc hba and credentials forwarded',
"connection authenticated: identity=\"test1\@$realm\" method=gss",
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=yes, principal=test1\@$realm)"
@@ -558,7 +558,7 @@ test_access(
'test1',
'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
0,
- 'gssencmode=require gssdeleg=disable',
+ 'gssencmode=require gssdelegation=disable',
'succeeds with GSS-encrypted access required and hostgssenc hba and credentials explicitly not forwarded',
"connection authenticated: identity=\"test1\@$realm\" method=gss",
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=no, principal=test1\@$realm)"
@@ -572,7 +572,7 @@ $psql_rc = $node->psql(
'postgres',
"SELECT * FROM dblink('user=test1 dbname=$dbname host=$host hostaddr=$hostaddr port=$port','select 1') as t1(c1 int);",
connstr =>
- "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdeleg=disable",
+ "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=disable",
stdout => \$psql_out,
stderr => \$psql_stderr);
is($psql_rc, '3', 'dblink attempt fails without delegated credentials');
@@ -589,7 +589,7 @@ $psql_rc = $node->psql(
'postgres',
"SELECT * FROM dblink('user=test2 dbname=$dbname port=$port passfile=$pgpass','select 1') as t1(c1 int);",
connstr =>
- "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdeleg=disable",
+ "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=disable",
stdout => \$psql_out,
stderr => \$psql_stderr);
is($psql_rc, '3',
@@ -608,7 +608,7 @@ $psql_rc = $node->psql(
'postgres',
"TABLE tf1;",
connstr =>
- "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdeleg=disable",
+ "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=disable",
stdout => \$psql_out,
stderr => \$psql_stderr);
is($psql_rc, '3', 'postgres_fdw does not work without delegated credentials');
@@ -626,7 +626,7 @@ $psql_rc = $node->psql(
'postgres',
"TABLE tf2;",
connstr =>
- "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdeleg=disable",
+ "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=disable",
stdout => \$psql_out,
stderr => \$psql_stderr);
is($psql_rc, '3',
@@ -668,7 +668,7 @@ test_access(
'test1',
'SELECT gss_authenticated AND NOT encrypted AND credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
0,
- 'gssencmode=prefer gssdeleg=enable',
+ 'gssencmode=prefer gssdelegation=enable',
'succeeds with GSS-encrypted access preferred and hostnogssenc hba, but no encryption',
"connection authenticated: identity=\"test1\@$realm\" method=gss",
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=no, deleg_credentials=yes, principal=test1\@$realm)"
@@ -680,7 +680,7 @@ test_access(
'test1',
'SELECT gss_authenticated AND NOT encrypted AND credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
0,
- 'gssencmode=disable gssdeleg=enable',
+ 'gssencmode=disable gssdelegation=enable',
'succeeds with GSS encryption disabled and hostnogssenc hba',
"connection authenticated: identity=\"test1\@$realm\" method=gss",
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=no, deleg_credentials=yes, principal=test1\@$realm)"
@@ -691,7 +691,7 @@ test_query(
'test1',
"SELECT * FROM dblink('user=test1 dbname=$dbname host=$host hostaddr=$hostaddr port=$port','select 1') as t1(c1 int);",
qr/^1$/s,
- 'gssencmode=prefer gssdeleg=enable',
+ 'gssencmode=prefer gssdelegation=enable',
'dblink works not-encrypted (server not configured to accept encrypted GSSAPI connections)'
);
@@ -700,7 +700,7 @@ test_query(
'test1',
"TABLE tf1;",
qr/^1$/s,
- 'gssencmode=prefer gssdeleg=enable',
+ 'gssencmode=prefer gssdelegation=enable',
'postgres_fdw works not-encrypted (server not configured to accept encrypted GSSAPI connections)'
);
@@ -711,7 +711,7 @@ $psql_rc = $node->psql(
'postgres',
"SELECT * FROM dblink('user=test2 dbname=$dbname port=$port passfile=$pgpass','select 1') as t1(c1 int);",
connstr =>
- "user=test1 host=$host hostaddr=$hostaddr gssencmode=prefer gssdeleg=enable",
+ "user=test1 host=$host hostaddr=$hostaddr gssencmode=prefer gssdelegation=enable",
stdout => \$psql_out,
stderr => \$psql_stderr);
is($psql_rc, '3',
@@ -730,7 +730,7 @@ $psql_rc = $node->psql(
'postgres',
"TABLE tf2;",
connstr =>
- "user=test1 host=$host hostaddr=$hostaddr gssencmode=prefer gssdeleg=enable",
+ "user=test1 host=$host hostaddr=$hostaddr gssencmode=prefer gssdelegation=enable",
stdout => \$psql_out,
stderr => \$psql_stderr);
is($psql_rc, '3',
@@ -760,7 +760,7 @@ test_access(
'test1',
'SELECT gss_authenticated AND encrypted AND credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
0,
- 'gssdeleg=enable',
+ 'gssdelegation=enable',
'succeeds with include_realm=0 and defaults',
"connection authenticated: identity=\"test1\@$realm\" method=gss",
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=yes, principal=test1\@$realm)"
@@ -771,12 +771,12 @@ test_query(
'test1',
"SELECT * FROM dblink('user=test1 dbname=$dbname host=$host hostaddr=$hostaddr port=$port password=1234','select 1') as t1(c1 int);",
qr/^1$/s,
- 'gssencmode=require gssdeleg=enable',
+ 'gssencmode=require gssdelegation=enable',
'dblink works encrypted');
test_query(
$node, 'test1', "TABLE tf1;", qr/^1$/s,
- 'gssencmode=require gssdeleg=enable',
+ 'gssencmode=require gssdelegation=enable',
'postgres_fdw works encrypted');
# Reset pg_hba.conf, and cause a usermap failure with an authentication
Abhijit Menon-Sen <ams@toroid.org> writes:
At 2023-05-20 23:21:57 -0400, tgl@sss.pgh.pa.us wrote:
I thought the plan was to also rename the libpq "gssdeleg" connection
parameter and so on? I can look into that tomorrow, if nobody beats
me to it.
I was trying the change to see if it would be better to name it
"gssdelegate" instead (as in delegate on one side, and accept the
delegation on the other), but decided that "gssdelegation=enable"
reads better than "gssdelegate=enable".
Yeah, agreed.
Here's the diff.
Thanks for doing that legwork! I found a couple other places where
"deleg" had escaped notice, and changed the lot. Watching the
buildfarm now ...
regards, tom lane
Greetings,
* Tom Lane (tgl@sss.pgh.pa.us) wrote:
Abhijit Menon-Sen <ams@toroid.org> writes:
At 2023-05-20 23:21:57 -0400, tgl@sss.pgh.pa.us wrote:
I thought the plan was to also rename the libpq "gssdeleg" connection
parameter and so on? I can look into that tomorrow, if nobody beats
me to it.I was trying the change to see if it would be better to name it
"gssdelegate" instead (as in delegate on one side, and accept the
delegation on the other), but decided that "gssdelegation=enable"
reads better than "gssdelegate=enable".Yeah, agreed.
Here's the diff.
Thanks for doing that legwork! I found a couple other places where
"deleg" had escaped notice, and changed the lot. Watching the
buildfarm now ...
Thanks all for taking this up over a weekend.
Stephen
I noticed that the value that enables this feature at libpq client side
is 'enable'. However, for other Boolean settings like sslsni,
keepalives, requiressl, sslcompression, the value that enables feature
is '1' -- we use strings only for "enum" type of settings.
Also, it looks like connectOptions2() doesn't validate the string value.
--
Álvaro Herrera 48°01'N 7°57'E — https://www.EnterpriseDB.com/
<inflex> really, I see PHP as like a strange amalgamation of C, Perl, Shell
<crab> inflex: you know that "amalgam" means "mixture with mercury",
more or less, right?
<crab> i.e., "deadly poison"
Alvaro Herrera <alvherre@alvh.no-ip.org> writes:
I noticed that the value that enables this feature at libpq client side
is 'enable'. However, for other Boolean settings like sslsni,
keepalives, requiressl, sslcompression, the value that enables feature
is '1' -- we use strings only for "enum" type of settings.
Also, it looks like connectOptions2() doesn't validate the string value.
Hmm, it certainly seems like this ought to accept exactly the
same inputs as other libpq boolean settings. I can take a look
unless somebody else is already on it.
regards, tom lane
At 2023-05-22 09:42:44 -0400, tgl@sss.pgh.pa.us wrote:
Alvaro Herrera <alvherre@alvh.no-ip.org> writes:
I noticed that the value that enables this feature at libpq client side
is 'enable'. However, for other Boolean settings like sslsni,
keepalives, requiressl, sslcompression, the value that enables feature
is '1' -- we use strings only for "enum" type of settings.Also, it looks like connectOptions2() doesn't validate the string value.
Hmm, it certainly seems like this ought to accept exactly the
same inputs as other libpq boolean settings. I can take a look
unless somebody else is already on it.
I'm working on it.
-- Abhijit
At 2023-05-22 09:42:44 -0400, tgl@sss.pgh.pa.us wrote:
Alvaro Herrera <alvherre@alvh.no-ip.org> writes:
I noticed that the value that enables this feature at libpq client side
is 'enable'. However, for other Boolean settings like sslsni,
keepalives, requiressl, sslcompression, the value that enables feature
is '1' -- we use strings only for "enum" type of settings.Also, it looks like connectOptions2() doesn't validate the string value.
Hmm, it certainly seems like this ought to accept exactly the
same inputs as other libpq boolean settings. I can take a look
unless somebody else is already on it.
Here's the diff, but the 0/1 values of settings like sslsni and
sslcompression don't seem to be validated anywhere, unlike the string
options in connectOptions2, so I didn't do anything for gssdelegation.
(I've never run the Kerberos tests before, but I changed one
"gssdelegation=disable" to "gssdelegation=1" and got a test failure, so
they're probably working as expected.)
-- Abhijit
Attachments:
deleg-bool.difftext/x-diff; charset=us-asciiDownload
diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index e38a7debc3..2225e4e0ef 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -2059,9 +2059,9 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
<listitem>
<para>
Forward (delegate) GSS credentials to the server. The default is
- <literal>disable</literal> which means credentials will not be forwarded
- to the server. Set this to <literal>enable</literal> to have
- credentials forwarded when possible.
+ <literal>0</literal> which means credentials will not be forwarded
+ to the server. Set this to <literal>1</literal> to have credentials
+ forwarded when possible.
</para>
</listitem>
</varlistentry>
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index de0e13e50d..88fd0f3d80 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -97,7 +97,7 @@ pg_GSS_continue(PGconn *conn, int payloadlen)
if (!pg_GSS_have_cred_cache(&conn->gcred))
conn->gcred = GSS_C_NO_CREDENTIAL;
- if (conn->gssdelegation && pg_strcasecmp(conn->gssdelegation, "enable") == 0)
+ if (conn->gssdelegation && conn->gssdelegation[0] == '1')
gss_flags |= GSS_C_DELEG_FLAG;
maj_stat = gss_init_sec_context(&min_stat,
diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
index 786d22a770..a8584d2c68 100644
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -343,8 +343,8 @@ static const internalPQconninfoOption PQconninfoOptions[] = {
"GSS-library", "", 7, /* sizeof("gssapi") == 7 */
offsetof(struct pg_conn, gsslib)},
- {"gssdelegation", "PGGSSDELEGATION", NULL, NULL,
- "GSS-delegation", "", 8, /* sizeof("disable") == 8 */
+ {"gssdelegation", "PGGSSDELEGATION", "0", NULL,
+ "GSS-delegation", "", 1,
offsetof(struct pg_conn, gssdelegation)},
{"replication", NULL, NULL, NULL,
diff --git a/src/interfaces/libpq/fe-secure-gssapi.c b/src/interfaces/libpq/fe-secure-gssapi.c
index c77d5cfe9f..7e373236e9 100644
--- a/src/interfaces/libpq/fe-secure-gssapi.c
+++ b/src/interfaces/libpq/fe-secure-gssapi.c
@@ -622,7 +622,7 @@ pqsecure_open_gss(PGconn *conn)
if (ret != STATUS_OK)
return PGRES_POLLING_FAILED;
- if (conn->gssdelegation && pg_strcasecmp(conn->gssdelegation, "enable") == 0)
+ if (conn->gssdelegation && conn->gssdelegation[0] == '1')
{
/* Acquire credentials if possible */
if (conn->gcred == GSS_C_NO_CREDENTIAL)
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index f1854f9919..0045f83cbf 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -404,7 +404,7 @@ struct pg_conn
char *krbsrvname; /* Kerberos service name */
char *gsslib; /* What GSS library to use ("gssapi" or
* "sspi") */
- char *gssdelegation; /* Try to delegate GSS credentials? */
+ char *gssdelegation; /* Try to delegate GSS credentials? (0 or 1) */
char *ssl_min_protocol_version; /* minimum TLS protocol version */
char *ssl_max_protocol_version; /* maximum TLS protocol version */
char *target_session_attrs; /* desired session properties */
diff --git a/src/test/kerberos/t/001_auth.pl b/src/test/kerberos/t/001_auth.pl
index bff26fda0c..0deb9bffc8 100644
--- a/src/test/kerberos/t/001_auth.pl
+++ b/src/test/kerberos/t/001_auth.pl
@@ -381,7 +381,7 @@ test_access(
'test1',
'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
0,
- 'gssencmode=prefer gssdelegation=enable',
+ 'gssencmode=prefer gssdelegation=1',
'succeeds with GSS-encrypted access preferred with host hba and credentials not delegated even though asked for (ticket not forwardable)',
"connection authenticated: identity=\"test1\@$realm\" method=gss",
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
@@ -391,7 +391,7 @@ test_access(
'test1',
'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
0,
- 'gssencmode=require gssdelegation=enable',
+ 'gssencmode=require gssdelegation=1',
'succeeds with GSS-encrypted access required with host hba and credentials not delegated even though asked for (ticket not forwardable)',
"connection authenticated: identity=\"test1\@$realm\" method=gss",
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
@@ -480,7 +480,7 @@ test_access(
'test1',
'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
0,
- 'gssencmode=prefer gssdelegation=enable',
+ 'gssencmode=prefer gssdelegation=1',
'succeeds with GSS-encrypted access preferred and hostgssenc hba and credentials not forwarded (server does not accept them, default)',
"connection authenticated: identity=\"test1\@$realm\" method=gss",
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
@@ -490,7 +490,7 @@ test_access(
'test1',
'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
0,
- 'gssencmode=require gssdelegation=enable',
+ 'gssencmode=require gssdelegation=1',
'succeeds with GSS-encrypted access required and hostgssenc hba and credentials not forwarded (server does not accept them, default)',
"connection authenticated: identity=\"test1\@$realm\" method=gss",
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
@@ -504,7 +504,7 @@ test_access(
'test1',
'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
0,
- 'gssencmode=prefer gssdelegation=enable',
+ 'gssencmode=prefer gssdelegation=1',
'succeeds with GSS-encrypted access preferred and hostgssenc hba and credentials not forwarded (server does not accept them, explicitly disabled)',
"connection authenticated: identity=\"test1\@$realm\" method=gss",
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
@@ -514,7 +514,7 @@ test_access(
'test1',
'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
0,
- 'gssencmode=require gssdelegation=enable',
+ 'gssencmode=require gssdelegation=1',
'succeeds with GSS-encrypted access required and hostgssenc hba and credentials not forwarded (server does not accept them, explicitly disabled)',
"connection authenticated: identity=\"test1\@$realm\" method=gss",
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
@@ -528,7 +528,7 @@ test_access(
'test1',
'SELECT gss_authenticated AND encrypted AND credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
0,
- 'gssencmode=prefer gssdelegation=enable',
+ 'gssencmode=prefer gssdelegation=1',
'succeeds with GSS-encrypted access preferred and hostgssenc hba and credentials forwarded',
"connection authenticated: identity=\"test1\@$realm\" method=gss",
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=yes, principal=test1\@$realm)"
@@ -538,7 +538,7 @@ test_access(
'test1',
'SELECT gss_authenticated AND encrypted AND credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
0,
- 'gssencmode=require gssdelegation=enable',
+ 'gssencmode=require gssdelegation=1',
'succeeds with GSS-encrypted access required and hostgssenc hba and credentials forwarded',
"connection authenticated: identity=\"test1\@$realm\" method=gss",
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=yes, principal=test1\@$realm)"
@@ -558,7 +558,7 @@ test_access(
'test1',
'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
0,
- 'gssencmode=require gssdelegation=disable',
+ 'gssencmode=require gssdelegation=0',
'succeeds with GSS-encrypted access required and hostgssenc hba and credentials explicitly not forwarded',
"connection authenticated: identity=\"test1\@$realm\" method=gss",
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
@@ -572,7 +572,7 @@ $psql_rc = $node->psql(
'postgres',
"SELECT * FROM dblink('user=test1 dbname=$dbname host=$host hostaddr=$hostaddr port=$port','select 1') as t1(c1 int);",
connstr =>
- "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=disable",
+ "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=0",
stdout => \$psql_out,
stderr => \$psql_stderr);
is($psql_rc, '3', 'dblink attempt fails without delegated credentials');
@@ -589,7 +589,7 @@ $psql_rc = $node->psql(
'postgres',
"SELECT * FROM dblink('user=test2 dbname=$dbname port=$port passfile=$pgpass','select 1') as t1(c1 int);",
connstr =>
- "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=disable",
+ "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=0",
stdout => \$psql_out,
stderr => \$psql_stderr);
is($psql_rc, '3',
@@ -608,7 +608,7 @@ $psql_rc = $node->psql(
'postgres',
"TABLE tf1;",
connstr =>
- "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=disable",
+ "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=0",
stdout => \$psql_out,
stderr => \$psql_stderr);
is($psql_rc, '3', 'postgres_fdw does not work without delegated credentials');
@@ -626,7 +626,7 @@ $psql_rc = $node->psql(
'postgres',
"TABLE tf2;",
connstr =>
- "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=disable",
+ "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=0",
stdout => \$psql_out,
stderr => \$psql_stderr);
is($psql_rc, '3',
@@ -668,7 +668,7 @@ test_access(
'test1',
'SELECT gss_authenticated AND NOT encrypted AND credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
0,
- 'gssencmode=prefer gssdelegation=enable',
+ 'gssencmode=prefer gssdelegation=1',
'succeeds with GSS-encrypted access preferred and hostnogssenc hba, but no encryption',
"connection authenticated: identity=\"test1\@$realm\" method=gss",
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=no, delegated_credentials=yes, principal=test1\@$realm)"
@@ -680,7 +680,7 @@ test_access(
'test1',
'SELECT gss_authenticated AND NOT encrypted AND credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
0,
- 'gssencmode=disable gssdelegation=enable',
+ 'gssencmode=disable gssdelegation=1',
'succeeds with GSS encryption disabled and hostnogssenc hba',
"connection authenticated: identity=\"test1\@$realm\" method=gss",
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=no, delegated_credentials=yes, principal=test1\@$realm)"
@@ -691,7 +691,7 @@ test_query(
'test1',
"SELECT * FROM dblink('user=test1 dbname=$dbname host=$host hostaddr=$hostaddr port=$port','select 1') as t1(c1 int);",
qr/^1$/s,
- 'gssencmode=prefer gssdelegation=enable',
+ 'gssencmode=prefer gssdelegation=1',
'dblink works not-encrypted (server not configured to accept encrypted GSSAPI connections)'
);
@@ -700,7 +700,7 @@ test_query(
'test1',
"TABLE tf1;",
qr/^1$/s,
- 'gssencmode=prefer gssdelegation=enable',
+ 'gssencmode=prefer gssdelegation=1',
'postgres_fdw works not-encrypted (server not configured to accept encrypted GSSAPI connections)'
);
@@ -711,7 +711,7 @@ $psql_rc = $node->psql(
'postgres',
"SELECT * FROM dblink('user=test2 dbname=$dbname port=$port passfile=$pgpass','select 1') as t1(c1 int);",
connstr =>
- "user=test1 host=$host hostaddr=$hostaddr gssencmode=prefer gssdelegation=enable",
+ "user=test1 host=$host hostaddr=$hostaddr gssencmode=prefer gssdelegation=1",
stdout => \$psql_out,
stderr => \$psql_stderr);
is($psql_rc, '3',
@@ -730,7 +730,7 @@ $psql_rc = $node->psql(
'postgres',
"TABLE tf2;",
connstr =>
- "user=test1 host=$host hostaddr=$hostaddr gssencmode=prefer gssdelegation=enable",
+ "user=test1 host=$host hostaddr=$hostaddr gssencmode=prefer gssdelegation=1",
stdout => \$psql_out,
stderr => \$psql_stderr);
is($psql_rc, '3',
@@ -760,7 +760,7 @@ test_access(
'test1',
'SELECT gss_authenticated AND encrypted AND credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
0,
- 'gssdelegation=enable',
+ 'gssdelegation=1',
'succeeds with include_realm=0 and defaults',
"connection authenticated: identity=\"test1\@$realm\" method=gss",
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=yes, principal=test1\@$realm)"
@@ -771,12 +771,12 @@ test_query(
'test1',
"SELECT * FROM dblink('user=test1 dbname=$dbname host=$host hostaddr=$hostaddr port=$port password=1234','select 1') as t1(c1 int);",
qr/^1$/s,
- 'gssencmode=require gssdelegation=enable',
+ 'gssencmode=require gssdelegation=1',
'dblink works encrypted');
test_query(
$node, 'test1', "TABLE tf1;", qr/^1$/s,
- 'gssencmode=require gssdelegation=enable',
+ 'gssencmode=require gssdelegation=1',
'postgres_fdw works encrypted');
# Reset pg_hba.conf, and cause a usermap failure with an authentication
Abhijit Menon-Sen <ams@toroid.org> writes:
Here's the diff, but the 0/1 values of settings like sslsni and
sslcompression don't seem to be validated anywhere, unlike the string
options in connectOptions2, so I didn't do anything for gssdelegation.
Thanks! I'll set to work on this. I assume we want to squeeze
it into beta1, so there's not much time.
regards, tom lane
Abhijit Menon-Sen <ams@toroid.org> writes:
Here's the diff,
Pushed, thanks.
but the 0/1 values of settings like sslsni and
sslcompression don't seem to be validated anywhere, unlike the string
options in connectOptions2, so I didn't do anything for gssdelegation.
Yeah. Perhaps it's worth adding code to validate boolean options,
but since nobody has noticed the lack of that for decades, I'm not
in a hurry to (especially not in a last-minute patch).
Also, I noticed that PGGSSDELEGATION had not been added to the lists of
environment variables to unset in pg_regress.c and Test/Utils.pm.
Dealt with that in the same commit.
regards, tom lane