Re: [PATCH v18] GSSAPI encryption support - Mailing list pgsql-hackers

From Nico Williams
Subject Re: [PATCH v18] GSSAPI encryption support
Date
Msg-id 20180611230026.GC23356@localhost
In response to Re: [PATCH v18] GSSAPI encryption support  (Robbie Harwood <rharwood@redhat.com>)
Responses Re: [PATCH v18] GSSAPI encryption support
List pgsql-hackers
On Mon, Jun 11, 2018 at 04:11:10PM -0400, Robbie Harwood wrote:
> Nico was kind enough to provide me with some code review.  This should
> those concerns (clarify short-read behavior and fixing error checking on
> GSS functions).

Besides the bug you fixed and which I told you about off-list (on IRC,
specifically), I only have some commentary that does not need any
action:

 - support for non-Kerberos/default GSS mechanisms

   This might require new values for gssmode: prefer-<mechanism-name>
   and require-<mechanism-name>.  One could always use SPNEGO if there
   are multiple mechanisms to choose from.  And indeed, you could just
   use SPNEGO if the user has credentials for multiple mechanisms.

   (Because GSS has no standard mechanism _names_, this means making
   some up.  This is one obnoxious shortcoming of the GSS-API...)


 - when the SCRAM channel binding work is done, it might be good to add
   an option for TLS + GSS w/ channel binding to TLS and no gss wrap
   tokens


Nico
-- 

