From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: pgsql-hackers(at)lists(dot)postgresql(dot)org
Subject: Re: longfin missing gssapi_ext.h
Date: 2023-04-08 18:04:41
Message-ID: ZDGsuQ6FqdFUyDft@tamriel.snowman.net
Lists: pgsql-hackers

Greetings,

* Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> Stephen Frost <sfrost(at)snowman(dot)net> writes:
> > I suspected there would be an issue with OSX but hadn't expected an
> > issue with NetBSD. I had tested this across a few Linux platforms and
> > cfbot showed it wasn't causing issues on Windows or the platforms that
> > are run there. Would be really great to have a way to test these things
> > out on these other platforms other than just committing them and seeing
> > what happens on the buildfarm.
>
> I poked around a bit more and found that:
>
> * NetBSD's package collection[1] includes both Heimdal and MIT Kerberos
> (mit-krb5). Apparently what's installed on at least some of the buildfarm
> animals is the former.
>
> * FreeBSD seems to offer *only* Heimdal [2]; OpenBSD ditto [3].
>
> * I cannot find any sign of either gss_store_cred_into or gssapi_ext.h
> in FreeBSD's Heimdal (7.8.0_6).
>
> So it does not look like supporting Heimdal is going to be optional,
> and that means the credential delegation feature is going to have
> to be optional, or else we need to find some equivalent Heimdal APIs.

Thanks for doing that digging!

I've been looking too and while Heimdal added gss_store_cred_into in
their development branch 5 years ago[1] (!), it's not made it into an
actual release. Good that they seem to at least be maintaining it
enough to deal with CVEs, but unfortunately I'm fairly confident that
there won't be a way to support constrained delegation (which is the
next goal, once unconstrained delegation is in and working) on the
Heimdal platforms. I suspected that would have to be optional anyway,
but I hadn't expected it to hit all the BSD platforms.

In any case, for this I'm working on switching over to gss_store_cred(),
which does seem to be available in the Heimdal Debian packages that I
was able to install locally (looks to be 7.7.0) and should work just
fine for these purposes, though it requires a bit more work on the
libpq side as we need to tell libpq explicitly the name which was on
the delegated credential when we call gss_acquire_cred().

Once that's done, we should be able to drop the gssapi_ext.h include
entirely and still have the test suite able to run with MIT Kerberos.

One thing I'm on the fence about is trying to make the test suite
actually work with Heimdal. I'm planning to install the Heimdal KDC,
et al, and see what happens, but if it ends up looking like it's a lot of
work then I might forgo that effort. I'm not sure it's really necessary,
but I could be argued out of that position without too much effort. The
stated Heimdal goal is to be a re-implementation of MIT Kerberos and
these are all documented APIs with RFCs, after all.

> I share your feeling that we could probably blow off Apple's built-in
> GSSAPI. MacPorts offers both Heimdal and kerberos5, and I imagine
> Homebrew has at least one of them, so Mac people could easily get
> hold of newer implementations. But the BSDen are going to be a
> problem.

Yeah. Unfortunate that Heimdal doesn't seem to really be moving forward
in terms of new development.

Thanks,

Stephen

[1] https://github.com/heimdal/heimdal/commit/e0bb9c10cad0fd98245caecf8af8fca855b2df49
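As an added example (not part of this message, and not PostgreSQL's own configure machinery), the following POSIX shell script performs the kind of availability probe the thread is circling around: it checks whether the locally installed GSSAPI library both declares and links gss_acquire_cred, gss_store_cred and gss_store_cred_into, so a build can decide whether credential delegation has to be optional on that platform rather than finding out from the buildfarm. It assumes MIT's header layout (gssapi/gssapi.h and gssapi/gssapi_ext.h), a C compiler in $CC and link flags in $GSS_LIBS (defaulting to -lgssapi_krb5, the MIT library; Heimdal's is libgssapi, so set GSS_LIBS=-lgssapi there). The function names and header paths are the ones discussed above; everything else is assumption.

```shell
#!/bin/sh
# Probe which GSSAPI credential entry points the locally installed library
# provides, the way a configure-time check would before enabling delegation.
#
# Assumptions (not from the thread): the compiler is $CC (default: cc) and
# the link flags are $GSS_LIBS (default: -lgssapi_krb5 for MIT Kerberos;
# use GSS_LIBS=-lgssapi for Heimdal). Header paths follow MIT's layout.

# gss_probe_symbol NAME HEADER
# Returns 0 if NAME is declared in HEADER and links against $GSS_LIBS,
# 1 if it is missing, 2 if the probe could not be set up at all.
gss_probe_symbol() {
    sym=$1
    hdr=$2
    dir=$(mktemp -d 2>/dev/null) || return 2
    # Taking the function's address fails to compile if the header does not
    # declare it, and fails to link if the library does not export it.
    printf '#include <%s>\nint main(void) { void (*p)(void) = (void (*)(void))%s; (void)p; return 0; }\n' \
        "$hdr" "$sym" > "$dir/probe.c"
    if "${CC:-cc}" -o "$dir/probe" "$dir/probe.c" ${GSS_LIBS:--lgssapi_krb5} >/dev/null 2>&1; then
        rm -rf "$dir"
        return 0
    fi
    rm -rf "$dir"
    return 1
}

# gss_delegation_support
# Prints one line per entry point and returns 0 when at least one of the
# credential-storage calls (gss_store_cred or gss_store_cred_into) is usable,
# 1 otherwise (meaning delegation would have to be compiled out here).
gss_delegation_support() {
    found=1
    for entry in \
        'gss_acquire_cred gssapi/gssapi.h' \
        'gss_store_cred gssapi/gssapi.h' \
        'gss_store_cred_into gssapi/gssapi_ext.h'
    do
        set -- $entry
        if gss_probe_symbol "$1" "$2"; then
            printf '%-20s available via <%s>\n' "$1" "$2"
            case $1 in gss_store_cred|gss_store_cred_into) found=0 ;; esac
        else
            printf '%-20s missing\n' "$1"
        fi
    done
    return $found
}

gss_delegation_support ||
    echo 'no credential-storage call found: delegation must be optional on this platform'
```

Run it once per target platform (or wire the same probe into a configure check). On the Heimdal releases discussed above one would expect gss_store_cred to report available and gss_store_cred_into missing, while an MIT Kerberos install reports both; a platform where even gss_store_cred is missing is one where the delegation code path needs to be compiled out.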