From: | Robbie Harwood <rharwood(at)redhat(dot)com> |
---|---|
To: | PostgreSQL mailing lists <pgsql-hackers(at)postgresql(dot)org> |
Cc: | Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net> |
Subject: | Re: [PATCH v14] GSSAPI encryption support |
Date: | 2018-05-23 20:00:16 |
Message-ID: | jlg1se287n3.fsf@redhat.com |
Lists: | pgsql-hackers |

Hello -hackers,

Zombie patch is back from the dead. It's been a bit more than two years
since v12 (the last major revision) and almost three since it was
originally submitted. (I do have enough pride to point out that it did
not actually /take/ anywhere close to two years to update it.)

CC'd are reviewers from before; I appreciate their input from before,
but there is of course no obligation for them to page all this back in,
especially if they don't want to. A large chunk of this code is
unchanged from previous iterations of the patch, but this is a major
re-architect. Various things have also been previously fixed as part of
the GSSAPI testing efforts, for which I am grateful.

So: this is GSSAPI encryption support for libpq. Based on feedback on
previous versions, GSSAPI encryption has a separate negotiation step -
similar to SSL negotiation. I've tried to incorporate all other
feedback I've received thus far, but very likely missed things (and
introduced new problems).

To actually see encryption, you'll first need to configure the server as
for GSSAPI authentication. You'll also need to ensure the HBA
configuration has a rule that will permit it. However, there should
hopefully be enough information to set this up in the corresponding docs
changes (and if there isn't, I should fix it). The Kerberos/GSSAPI
implementation shouldn't matter, but I am testing using MIT krb5
(through freeIPA); I wrote a post a while back for my setup here:
https://mivehind.net/2015/06/11/kerberized-postgresql/

Finally, I've submitted this as a single patch because it was requested
previously. I'm happy to break it apart into many commits instead, if
that's helpful.

Thanks,
--Robbie

Attachment | Content-Type | Size |
---|---|---|
v14-libpq-GSSAPI-encryption-support.patch | text/x-diff | 74.5 KB |