Re: Log message for GSS connection is missing once connection authorization is successful. - Mailing list pgsql-hackers

From vignesh C
Subject Re: Log message for GSS connection is missing once connection authorization is successful.
Date
Msg-id CALDaNm19ZLhhg1c9VmXjmo1vUOyzZL83BzhSUyrccQJyBvgeuA@mail.gmail.com
In response to Re: Log message for GSS connection is missing once connection authorization is successful.  (Bharath Rupireddy <bharath.rupireddyforpostgres@gmail.com>)
Responses Re: Log message for GSS connection is missing once connection authorization is successful.
List pgsql-hackers
Thanks Bharath for your comments.

On Wed, Oct 28, 2020 at 9:48 AM Bharath Rupireddy
<bharath.rupireddyforpostgres@gmail.com> wrote:
>
> On Wed, Oct 28, 2020 at 8:29 AM vignesh C <vignesh21@gmail.com> wrote:
> >
> > Log message for GSS connection is missing once connection
> > authorization is successful. We have similar log messages for SSL
> > connections once the connection authorization is successful. This
> > message will help the user to identify the connection that was
> > selected from the logfile. I'm not sure if this log message was
> > intentionally left out due to some reason for GSS.
> > If the above analysis looks correct, then please find a patch that
> > adds log for gss connections.
> >
> > Thoughts?
> >
>
> +1 for the idea. This is useful in knowing whether or not the user is
> authenticated using GSS APIs.
>
> Here are a few comments on the patch:
>
> 1. How about using (like below) #ifdef, #elif ... #endif directives
> instead of #ifdef, #endif, #ifdef, #endif?
>
> #ifdef USE_SSL
>        blah,blah,blah...
> #elif defined(ENABLE_GSS)
>        blah,blah,blah...
> #else
>        blah,blah,blah...
> #endif
>

I preferred the way it is in the patch to maintain the similar style
that is used in other places like fe-connect.c.

> 2. I think we must use be_gssapi_get_auth(port) instead of
> be_gssapi_get_enc(port) in the if condition, because we log for gss
> authentications irrespective of whether encoding is enabled or not. Put it
> another way, maybe gss authentications are possible without
> encoding[1]. We can have the information whether the encryption is
> enabled or not in the log message, be_gssapi_get_enc(port) ? _("on") :
> _("off"),.
> #ifdef ENABLE_GSS
>             if (be_gssapi_get_enc(port))
>                 ereport(LOG,
>
> We do not need be_gssapi_get_auth(port) ? _("on") : _("off") this in
> the log message, only in the if condition we need this check.
>
> [1] By looking at the below code it seems that gss authentication
> without encryption is possible.
>     #ifdef ENABLE_GSS
>         port->gss->auth = true;
>         if (port->gss->enc)
>             status = pg_GSS_checkauth(port);
>         else
>         {
>             sendAuthRequest(port, AUTH_REQ_GSS, NULL, 0);
>             status = pg_GSS_recvauth(port);
>         }

Stephen also shared his thoughts on the above changes; I have
provided an updated patch for the same in the previous mail. Please
have a look and let me know if you have any comments.

Regards,
Vignesh
EnterpriseDB: http://www.enterprisedb.com
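
The two review points in this message, modelled as an added example that is not PostgreSQL source and not the patch under discussion: with both `USE_SSL` and `ENABLE_GSS` defined, an `#ifdef`/`#elif` chain compiles only the SSL branch, and gating the GSS line on the `enc` flag skips a connection that is GSS-authenticated without encryption. `ModelPort`, `report_elif`, `report_separate`, the `LOGGED_*` values and the build configuration are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed build configuration: both features compiled in (assumption). */
#define USE_SSL 1
#define ENABLE_GSS 1

enum { LOGGED_SSL = 1, LOGGED_GSS = 2 };

/* Simplified stand-in for the backend Port; only the flags named in the thread. */
typedef struct { bool ssl_in_use; bool gss_auth; bool gss_enc; } ModelPort;

/* Style 1: one #ifdef/#elif chain. With USE_SSL defined, the GSS branch
 * is dropped by the preprocessor and never compiled. */
static int report_elif(const ModelPort *p)
{
    int logged = 0;
#ifdef USE_SSL
    if (p->ssl_in_use) logged |= LOGGED_SSL;
#elif defined(ENABLE_GSS)
    if (p->gss_auth) logged |= LOGGED_GSS;
#endif
    return logged;
}

/* Style 2: independent #ifdef blocks; gate_on_enc selects which flag
 * decides whether the GSS line is written. */
static int report_separate(const ModelPort *p, bool gate_on_enc)
{
    int logged = 0;
#ifdef USE_SSL
    if (p->ssl_in_use) logged |= LOGGED_SSL;
#endif
#ifdef ENABLE_GSS
    if (gate_on_enc ? p->gss_enc : p->gss_auth) logged |= LOGGED_GSS;
#endif
    return logged;
}

int main(void)
{
    /* Constructed connection: GSS-authenticated, no GSS encryption, no SSL. */
    ModelPort auth_only = { false, true, false };
    printf("elif chain:        %d\n", report_elif(&auth_only));
    printf("separate, on enc:  %d\n", report_separate(&auth_only, true));
    printf("separate, on auth: %d\n", report_separate(&auth_only, false));
    return 0;
}
```

Only the independent blocks gated on the `auth` flag record the authenticated-but-unencrypted connection, which is the case an auditor reading the log file needs to see.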


