From: | Nico Williams <nico(at)cryptonector(dot)com> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | kovert(at)omniscient(dot)com, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: pg16 && GSSAPI && Heimdal/Macos |
Date: | 2025-04-08 05:35:39 |
Message-ID: | Z/S1q30Nv4JZrvzf@ubby |
Lists: | pgsql-hackers |

On Wed, Dec 06, 2023 at 10:57:15PM -0500, Tom Lane wrote:
> The immediate reason for dropping that support is that Heimdal doesn't
> have gss_store_cred_into(), without which we can't support delegated
> credentials. AFAICT, Apple's version doesn't have that either.
> We could argue about how important that feature is and whether it'd be
> okay to have an Apple-only build option to not have it. However...

Heimdal in the master branch sure does; I'm the author of
gss_store_cred_into() and gss_store_cred_into2(). Idk when we'll do an
8.0 release though. We've run out of steam. The reality is that the
world needs PostgreSQL to support OAuth w/ JWT more than the world needs
Kerberos or Heimdal's implementation of it.

> ... there's another good reason to shy away from relying on Apple's
> library, which is that they've conspicuously marked all the standard
> Kerberos functions as deprecated. It's not clear if that means
> they're planning to remove them outright, but surely it's an indicator
> that Apple doesn't want outside code calling them.

The krb5 API is horrible. Do not use it if you can avoid it. The
GSS-API is better, mostly.

Nico