From: | Stephen Frost <sfrost(at)snowman(dot)net> |
---|---|
To: | Robbie Harwood <rharwood(at)redhat(dot)com> |
Cc: | Bruce Momjian <bruce(at)momjian(dot)us>, Magnus Hagander <magnus(at)hagander(dot)net>, Joe Conway <mail(at)joeconway(dot)com>, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, David Steele <david(at)pgmasters(dot)net>, Michael Paquier <michael(at)paquier(dot)xyz>, Nico Williams <nico(at)cryptonector(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: [PATCH v20] GSSAPI encryption support |
Date: | 2019-04-11 01:47:01 |
Message-ID: | 20190411014700.GY6197@tamriel.snowman.net |
Lists: | pgsql-hackers |

Greetings,

* Robbie Harwood (rharwood(at)redhat(dot)com) wrote:
> Bruce Momjian <bruce(at)momjian(dot)us> writes:
> > On Wed, Apr 3, 2019 at 08:49:25AM +0200, Magnus Hagander wrote:
> >> On Wed, Apr 3, 2019 at 12:22 AM Joe Conway <mail(at)joeconway(dot)com> wrote:
> >>
> >> Personally I don't find it as confusing as is either, and I find
> >> hostgss to be a good analog of hostssl. On the other hand hostgssenc
> >> is long and unintuitive. So +1 for leaving as is and -1 for
> >> changing it IMHO.
> >>
> >> I think for those who are well versed in pg_hba (and maybe gss as
> >> well), it's not confusing. That includes me.
> >>
> >> However, for a new user, I can definitely see how it can be
> >> considered confusing. And confusion in *security configuration* is
> >> always a bad idea, even if it's just potential.
> >>
> >> Thus +1 on changing it.
> >>
> >> If it was on the table it might have been better to keep hostgss and
> >> change the authentication method to gssauth or something, but that
> >> ship sailed *years* ago.
> >
> > Uh, did we consider keeping hostgss and changing the auth part at the
> > end to "gssauth"?
>
> I think that was implicitly rejected because we'd have to keep the
> capability to configure "gss" there else break compatibility.

Right, if we changed the name of the auth method then everyone who is
using the "gss" auth method would have to update their pg_hba.conf
files... That would be very ugly. Also, it wasn't implicitly rejected,
it was discussed up-thread (see the comments between Magnus and me,
specifically, quoted above- "that ship sailed *years* ago") and
explicitly rejected.

Thanks!

Stephen