From: | Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com> |
---|---|
To: | Daniel Gustafsson <daniel(at)yesql(dot)se> |
Cc: | Peter Eisentraut <peter(at)eisentraut(dot)org>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: [PoC] Federated Authn/z with OAUTHBEARER |
Date: | 2024-10-10 23:08:50 |
Message-ID: | CAOYmi+nqX_5=Se0W0Ynrr55Fha3CMzwv_R9P3rkpHb=1kG7ZTQ@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
Hi all,
Here's v30, which aims to fix the infinite-retry problem: you get a
maximum of two OAuth connections to the server, and we won't prompt
the user more than once per transport. (I still need to wrap my head
around the retry behavior during transport negotiation.)
On Wed, Sep 11, 2024 at 3:54 PM Jacob Champion
<jacob(dot)champion(at)enterprisedb(dot)com> wrote:
> On Wed, Sep 11, 2024 at 6:44 AM Daniel Gustafsson <daniel(at)yesql(dot)se> wrote:
> >
> > I think it's just make reviewing a bit easier. At this point I think they can
> > be merged together, it's mostly out of historic reasons IIUC since the patchset
> > earlier on supported more than one library.
>
> I can definitely do that (and yeah, it was to make the review slightly
> less daunting). The server side could potentially be committed
> independently, if you want to parallelize a bit, but it'd have to be
> torn back out if the libpq stuff didn't land in time.
I plan to do the combination in the near future, when I'm not making a
bunch of other changes at the same time.
> > > (I suppose the 0004 "review comments" patch should be folded into the respective other patches?)
>
> Yes. I'm using that patch as a holding area while I write tests for
> the hunks, and then moving them backwards.
This is almost gone; just one piece remaining as of v30. Everything
else has been folded in with new tests.
> > CURL_IGNORE_DEPRECATION(x;) broke pgindent, it needs to keep the semicolon on
> > the outside like CURL_IGNORE_DEPRECATION(x);. This doesn't really work well
> > with how the macro is defined, not sure how we should handle that best (the
> > attached makes the style as per how pgindent want's it with the semicolon
> > returned).
>
> Ugh... maybe a case for a pre_indent rule in pgindent?
I've taken a stab at a pre_indent rule that seems to work well enough
(though the regex itself is write-once-read-never).
> > There is a first stab at documenting the validator module API, more to come (it
> > doesn't compile right now).
> >
> > It contains a pgindent and pgperltidy run to keep things as close to in final
> > sync as we can to catch things like the curl deprecation macro mentioned above
> > early.
The rest of your second comments patch has been incorporated now, with
the exception of the following hunk:
- read($read_fh, $port, 7) // die "failed to read port number: $!";
+ read($read_fh, $port, 7) or die "failed to read port number: $!";
read() doesn't set $! unless it returns undef, according to the docs
[1]. A zero read (i.e. immediate EOF) will be handled further down.
> > To further pick away at this huge patch I propose to merge the SASL message
> > length hunk which can be extracted separately.
I've pulled this out into 0001.
Thanks,
--Jacob
Attachment | Content-Type | Size |
---|---|---|
v30-0001-Make-SASL-max-message-length-configurable.patch | application/octet-stream | 2.8 KB |
v30-0002-libpq-add-OAUTHBEARER-SASL-mechanism.patch | application/octet-stream | 121.0 KB |
v30-0003-backend-add-OAUTHBEARER-SASL-mechanism.patch | application/octet-stream | 74.5 KB |
v30-0004-Review-comments.patch | application/octet-stream | 2.6 KB |
v30-0005-DO-NOT-MERGE-Add-pytest-suite-for-OAuth.patch | application/octet-stream | 182.1 KB |
From | Date | Subject | |
---|---|---|---|
Next Message | jian he | 2024-10-11 00:38:00 | Re: Set query_id for query contained in utility statement |
Previous Message | Masahiko Sawada | 2024-10-10 22:55:34 | Re: Make COPY format extendable: Extract COPY TO format implementations |