Postgres Pro
Downloads
Home   >   mailing lists

Re: [HACKERS] Letting the client choose the protocol to use during aSASL exchange - Mailing list pgsql-hackers

From Álvaro Hernández Tortosa
Subject Re: [HACKERS] Letting the client choose the protocol to use during aSASL exchange
Date
Msg-id fc08417a-408c-6b5e-a502-846564fcff06@8kdata.com
Whole thread Raw
In response to Re: [HACKERS] Letting the client choose the protocol to use during aSASL exchange  (Heikki Linnakangas <hlinnaka@iki.fi>)
Responses Re: [HACKERS] Letting the client choose the protocol to use during aSASL exchange  (Michael Paquier <michael.paquier@gmail.com>)
List pgsql-hackers
Tree view 

On 12/04/17 19:34, Heikki Linnakangas wrote:
> On 04/11/2017 02:32 PM, Álvaro Hernández Tortosa wrote:
>>      So I still see your proposal more awkward and less clear, mixing
>> things that are separate. But again, your choice  :)
>
> So, here's my more full-fledged proposal.
>
> The first patch refactors libpq code, by moving the responsibility of 
> reading the GSS/SSPI/SASL/MD5 specific data from the authentication 
> request packet, from the enormous switch-case construct in 
> PQConnectPoll(), into pg_fe_sendauth(). This isn't strictly necessary, 
> but I think it's useful cleanup anyway, and now that there's a bit 
> more structure in the AuthenticationSASL message, the old way was 
> getting awkward.
>
> The second patch contains the protocol changes, and adds the 
> documentation for it.
>
> - Heikki
>
    Hi Heikki.
    Thanks for the patches :)
    By looking at the them, and unless I'm missing something, I don't 
see how the extra information for the future implementation of channel 
binding would be added (without changing the protocol). Relevant part is:

The message body is a list of SASL authentication mechanisms, in the
server's order of preference. A zero byte is required as terminator after
the last authentication mechanism name. For each mechanism, there is the
following:
<variablelist>
<varlistentry>
<term>        String
</term>
<listitem>
<para>                Name of a SASL authentication mechanism.
</para>
</listitem>
</varlistentry>
</variablelist>

    How do you plan to implement it, in future versions, without 
modifying the AuthenticationSASL message? Or is it OK to add new fields 
to a message in future PostgreSQL versions, without considering that a 
protocol change?
    On a side note, I'd mention that the list of SASL authentication 
mechanisms contains valid IANA Registry SCRAM names 
(https://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xhtml#scram)for 
SCRAM authentication messages (making it more clear what values would be 
expected there from the client).
    I hope to start testing this from Java the coming weekend. I will 
keep you posted.

    Álvaro


-- 

Álvaro Hernández Tortosa


-----------
<8K>data

pgsql-hackers by date:

Previous
From: Robert Haas
Date:
Subject: Re: [HACKERS] pg_dump emits ALTER TABLE ONLY partitioned_table
Next
From: Peter Eisentraut
Date:
Subject: Re: [HACKERS] pg_upgrade vs extension upgrades