From: | vignesh C <vignesh21(at)gmail(dot)com> |
---|---|
To: | Bharath Rupireddy <bharath(dot)rupireddyforpostgres(at)gmail(dot)com> |
Cc: | PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
Subject: | Re: Log message for GSS connection is missing once connection authorization is successful. |
Date: | 2020-10-29 05:31:21 |
Message-ID: | CALDaNm19ZLhhg1c9VmXjmo1vUOyzZL83BzhSUyrccQJyBvgeuA@mail.gmail.com |
Lists: | pgsql-hackers |

Thanks Bharath for your comments.

On Wed, Oct 28, 2020 at 9:48 AM Bharath Rupireddy
<bharath(dot)rupireddyforpostgres(at)gmail(dot)com> wrote:
>
> On Wed, Oct 28, 2020 at 8:29 AM vignesh C <vignesh21(at)gmail(dot)com> wrote:
> >
> > Log message for GSS connection is missing once connection
> > authorization is successful. We have similar log messages for SSL
> > connections once the connection authorization is successful. This
> > message will help the user to identify the connection that was
> > selected from the logfile. I'm not sure if this log message was
> > intentionally left out due to some reason for GSS.
> > If the above analysis looks correct, then please find a patch that
> > adds log for gss connections.
> >
> > Thoughts?
> >
>
> +1 for the idea. This is useful in knowing whether or not the user is
> authenticated using GSS APIs.
>
> Here are a few comments on the patch:
>
> 1. How about using (like below) #ifdef, #elif ... #endif directives
> instead of #ifdef, #endif, #ifdef, #endif?
>
> #ifdef USE_SSL
> blah,blah,blah...
> #elif defined(ENABLE_GSS)
> blah,blah,blah...
> #else
> blah,blah,blah...
> #endif
>
I preferred the way it is in the patch to maintain a style similar to
that used in other places like fe-connect.c.

> 2. I think we must use be_gssapi_get_auth(port) instead of
> be_gssapi_get_enc(port) in the if condition, because we log for gss
> authentications irrespective of whether encoding is enabled or not. Put it
> another way, maybe gss authentications are possible without
> encoding[1]. We can have the information whether the encryption is
> enabled or not in the log message, be_gssapi_get_enc(port) ? _("on") :
> _("off"),.
> #ifdef ENABLE_GSS
> if (be_gssapi_get_enc(port))
> ereport(LOG,
>
> We do not need be_gssapi_get_auth(port) ? _("on") : _("off") this in
> the log message, only in the if condition we need this check.
>
> [1] By looking at the below code it seems that gss authentication
> without encryption is possible.
> #ifdef ENABLE_GSS
> port->gss->auth = true;
> if (port->gss->enc)
> status = pg_GSS_checkauth(port);
> else
> {
> sendAuthRequest(port, AUTH_REQ_GSS, NULL, 0);
> status = pg_GSS_recvauth(port);
> }

Stephen also shared his thoughts on the above changes; I have
provided an updated patch for the same in the previous mail. Please
have a look and let me know if you have any comments.

Regards,
Vignesh
EnterpriseDB: http://www.enterprisedb.com