Re: Log message for GSS connection is missing once connection authorization is successful. - Mailing list pgsql-hackers

Thanks for the comments Bharath.

On Thu, Oct 29, 2020 at 12:15 PM Bharath Rupireddy
<bharath.rupireddyforpostgres@gmail.com> wrote:
> 1. Instead of just "on/off" after GSS %s in the log message, wouldn't it be informative if we have authenticated
and/orencrypted as suggested by Stephen? 
>
> So the log message would look like this:
>
> if(be_gssapi_get_auth(port))
> replication connection authorized: user=bob application_name=foo GSS authenticated (principal=bar)
>
> if(be_gssapi_get_enc(port))
> replication connection authorized: user=bob application_name=foo GSS encrypted (principal=bar)
>
> if(be_gssapi_get_auth(port) && be_gssapi_get_enc(port))
> replication connection authorized: user=bob application_name=foo GSS authenticated and encrypted (principal=bar)
>
> +#ifdef ENABLE_GSS
> +            if (be_gssapi_get_auth(port) || be_gssapi_get_princ(port))
> +                ereport(LOG,
> +                        (port->application_name != NULL
> +                         ? errmsg("replication connection authorized: user=%s application_name=%s GSS %s
(principal=%s)",
> +                                  port->user_name,
> +                                  port->application_name,
> +                                  be_gssapi_get_auth(port) || be_gssapi_get_enc(port) ? _("on") : _("off"),
> +                                  be_gssapi_get_princ(port))
> +                         : errmsg("replication connection authorized: user=%s GSS %s (principal=%s)",
> +                                  port->user_name,
> +                                  be_gssapi_get_auth(port) || be_gssapi_get_enc(port) ? _("on") : _("off"),
> +                                  be_gssapi_get_princ(port))));
> +            else
>

This is handled in v3 patch posted at [1].

> 2. I think the log message preparation looks a bit clumsy with ternary operators and duplicate log message texts(I
knowthat we already do this for SSL). Can we have the log message prepared using StringInfoData data structure/APIs and
usejust a single ereport? This way, that part of the code looks cleaner. 
>
> Here's what I'm visualizing:
>
> if (Log_connections)
> {
> StringInfoData msg;
>
> if (am_walsender)
> append("replication connection authorized: user=%s");
> else
> append("connection authorized: user=%s database=%s");
>
> if (port->application_name)
> append("application_name=%s");
>
> #ifdef USE_SSL
> if (port->ssl_in_use)
> append("SSL enabled (protocol=%s, cipher=%s, bits=%d, compression=%s");
> #elif defined(ENABLE_GSS)
>         blah,blah,blah
> #endif
>
> ereport (LOG, msg.data);
> }

This is handled in the v3 patch posted.

>
> 3. +            if (be_gssapi_get_auth(port) || be_gssapi_get_princ(port))
>
> If be_gssapi_get_auth(port) returns false, I think there's no way that be_gssapi_get_princ(port) would return a non
nullvalue, see the comment. The function be_gssapi_get_princ() returns NULL if the auth is false, so the check if (
be_gssapi_get_princ(port))would suffice. 
>
> gss_name_t    name;            /* GSSAPI client name */
>     char       *princ;            /* GSSAPI Principal used for auth, NULL if
>                                  * GSSAPI auth was not used */
>     bool        auth;            /* GSSAPI Authentication used */
>     bool        enc;            /* GSSAPI encryption in use */
>

This is handled in the v3 patch posted.


Regards,
Vignesh
EnterpriseDB: http://www.enterprisedb.com