Re: Kerberos delegation support in libpq and postgres_fdw - Mailing list pgsql-hackers
From | Robert Haas |
---|---|
Subject | Re: Kerberos delegation support in libpq and postgres_fdw |
Date | |
Msg-id | CA+TgmoY-J-06zaNSzUARgBykzxErahnTcmcS4HvP4zujHVXfRg@mail.gmail.com Whole thread Raw |
In response to | Re: Kerberos delegation support in libpq and postgres_fdw (Stephen Frost <sfrost@snowman.net>) |
Responses |
Re: Kerberos delegation support in libpq and postgres_fdw
|
List | pgsql-hackers |
On Fri, Apr 8, 2022 at 8:21 AM Stephen Frost <sfrost@snowman.net> wrote: > Added an explicit 'environment' option to allow for, basically, existing > behavior, where we don't mess with the environment variable at all, > though I kept the default as MEMORY since I don't think it's really > typical that folks actually want regular user backends to inherit the > credential cache of the server. > > Added a few more tests and updated the documentation too. Sadly, seems > we've missed the deadline for v15 though for lack of feedback on these. > Would really like to get some other folks commenting as these are new > pg_hba and postgresql.conf options being added. Hi, I don't think this patch is quite baked enough to go in even if the deadline hadn't formally passed, but I'm happy to offer a few opinions ... especially if we can also try to sort out a plan for getting that wider-checksums thing you mentioned done for v16. + /* gssencmode is also libpq option, same to above. */ + {"gssencmode", UserMappingRelationId, true}, I really hate names like this that are just a bunch of stuff strung together with no punctuation and some arbitrary abbreviations thrown in for good measure. But since the libpq parameter already exists it's hard to argue we should do anything else here. + <term><literal>allow_cred_delegation</literal></term> First, I again recommend not choosing words at random to abbreviate. "delegate_credentials" would be shorter and clearer. Second, I think we need to decide whether we envision just having one parameter here for every kind of credential delegation that libpq might ever support, or whether this is really something specific to GSS. If the latter, the name should mention GSS. I also suggest that the default value of this option should be false, rather than true. I would be unhappy if ssh started defaulting to ForwardAgent=yes, because that's less secure and I don't want my credentials shared with random servers without me making a choice to do that. Similarly here I think we should default to the more secure option. + <listitem> + <para> + Sets the location of the Kerberos credential cache to be used for + regular user backends which go through authentication. The default is + <filename>MEMORY:</filename>, which is where delegated credentials + are stored (and is otherwise empty). Care should be used when changing + this value- setting it to a file-based credential cache will mean that + user backends could potentially use any credentials stored to access + other systems. + If this parameter is set to an empty string, then the variable will be + explicit un-set and the system-dependent default is used, which may be a + file-based credential cache with the same caveats as previously + mentioned. If the special value 'environment' is used, then the variable + is left untouched and will be whatever was set in the environment at + startup time. "MEMORY:" seems like a pretty weird choice of arbitrary string. Is it supposed to look like a Windows drive letter or pseudo-device, or what? I'm not sure exactly what's better here, but I just think this doesn't look like anything else we've got today. And then we've got a second special environment, "environment", which looks completely different: now it's lower-case and without the colon. And then empty string is special too. I wonder whether we really quite this many cases. But if we do they probably need better and more consistent naming. The formatting here also looks weird. +#ifndef PG_KRB_USER_CCACHE +#define PG_KRB_USER_CCACHE "MEMORY:" +#endif At the risk of stating the obvious, the general idea of a #define is that you define things in one place and then use the defined symbol rather than the original value everywhere. This patch takes the less-useful approach of defining two different symbols for the same string in different files. This one has this #ifndef/#endif guard here which I think it probably shouldn't, since the choice of string probably shouldn't be compile-time configurable, but it also won't work, because there's no similar guard in the other file. -- Robert Haas EDB: http://www.enterprisedb.com
pgsql-hackers by date: