| From: | Alvaro Herrera <alvherre(at)2ndquadrant(dot)com> | 
|---|---|
| To: | Stephen Frost <sfrost(at)snowman(dot)net> | 
| Cc: | Pg Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>, Robbie Harwood <rharwood(at)redhat(dot)com> | 
| Subject: | Re: weird libpq GSSAPI comment | 
| Date: | 2019-12-27 20:23:32 | 
| Message-ID: | 20191227202332.GA20278@alvherre.pgsql | 
| Lists: | pgsql-hackers | 

On 2019-Dec-27, Stephen Frost wrote:

> Maybe part of the confusion here is that there's two different things- a
> credential cache, and then a credential *handle*.  Calling
> gss_acquire_cred() will, if a credential *cache* exists, return to us a
> credential *handle* (in the form of conn->gcred) that we then pass to
> gss_init_sec_context().

Hmm, ok, yeah I certainly didn't understand that -- I was thinking that
the call was creating the credential cache itself, not a *handle* to
access it (I suppose that terminology must be clear to somebody familiar
with GSS).

> Hopefully that helps.  I'm certainly happy to work with you to reword
> the comment, of course, but let's make sure there's agreement and
> understanding of what the code does first.

How about this?

                 * If GSSAPI is enabled and we can reach a credential cache,
                 * set up a handle for it; if it's operating, just send a
                 * GSS startup message, instead of the SSL negotiation and
                 * regular startup message below.

-- 
Álvaro Herrera                https://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services