| From: | Nico Williams <nico(at)cryptonector(dot)com> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | kovert(at)omniscient(dot)com, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: pg16 && GSSAPI && Heimdal/Macos |
| Date: | 2025-04-08 06:17:02 |
| Message-ID: | Z/S/XuLjKC6QFTUX@ubby |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Wed, Dec 06, 2023 at 10:57:15PM -0500, Tom Lane wrote:
> The immediate reason for dropping that support is that Heimdal doesn't
> have gss_store_cred_into(), without which we can't support delegated
> credentials. AFAICT, Apple's version doesn't have that either.
> We could argue about how important that feature is and whether it'd be
> okay to have an Apple-only build option to not have it. However...
Ok I took a look as I was wondering why even bother calling
gss_store_cred_into() or any flavor of gss_store_cred*() in postgres. I
see that you always store delegated credentials into a MEMORY: cache,
but... do you ever use the delegated credentials? Yes, possibly through
postgres_fdw, as that uses libpq, and libpq is the only place that calls
gss_init_sec_context().
(Makes me wonder though how that's going to work with OAuth w/ JWT.
Perhaps postgres_fdw should use local credentials rather than those
delegated by the client, but then... which credentials? That could be
configurable by database, I suppose.)
If, however, you kept the gss_cred_id_t deleg. cred. handle output by
gss_accept_sec_context() then you could use those outright and not need
to store the creds.
In other words: you may not need gss_store_cred_into().
Also, if you set KRB5CCNAME=MEMORY: _before_ storing the delegated
credentials then gss_store_cred() is good enough and you don't need
gss_store_cred_into() or gss_store_cred_into2().
ASIDE: To use delegated credentials means:
a) you would pass them (without having to "store" them) to
gss_init_sec_context() to impersonate the initiator principal to some
other service,
and/or
b) you would use gss_store_cred()/ gss_store_cred_into() /
gss_store_cred_into2() to store the crendentials into a ccache of
type FILE:, DIR:, API:, or KCM: and then spawn (fork/exec,
posix_spawn()) a process that would use it, or send the name of that
ccache to a process that would use it, where "use it" means to call
gss_init_sec_context() using that ccache (or a credential handle
acquired from that ccache with gss_acquire_cred_from()).
Since you're using a MEMORY: ccache we can safely assume that letting
another process access it is not the use-case for storing deleg. creds.,
as only fork() progeny that don't exec can access the same MEMORY:
ccache:
Nico
--
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2025-04-08 06:18:40 | Re: pg16 && GSSAPI && Heimdal/Macos |
| Previous Message | Thomas Munro | 2025-04-08 06:11:04 | Re: BAS_BULKREAD vs read stream |