Re: weird libpq GSSAPI comment - Mailing list pgsql-hackers

From Robbie Harwood
Subject Re: weird libpq GSSAPI comment
Msg-id jlgsgkwqpgq.fsf@redhat.com
In response to Re: weird libpq GSSAPI comment  (Alvaro Herrera <alvherre@2ndquadrant.com>)
Responses Re: weird libpq GSSAPI comment  (Stephen Frost <sfrost@snowman.net>)
List pgsql-hackers
Alvaro Herrera <alvherre@2ndquadrant.com> writes:

> How about this?
>
>                  * If GSSAPI is enabled and we can reach a credential cache,
>                  * set up a handle for it; if it's operating, just send a
>                  * GSS startup message, instead of the SSL negotiation and
>                  * regular startup message below.

Due to the way postgres handled this historically, there are two ways
GSSAPI can be used: for connection encryption, and for authentication
only.  We perform the same dance of sending a "request packet" for
GSSAPI encryption as we do for TLS encryption.  So I'd like us to be
precise about which one we're talking about here (encryption).

The GSSAPI idiom I should have used is "can acquire credentials" (i.e.,
instead of "can reach a credential cache" in your proposal).

There's no such thing as a "GSS startup message".  After negotiating
GSSAPI/TLS encryption (or failing to do so), we send the same things in
all cases, which includes negotiation of authentication mechanism if
any.  (Negotiating GSSAPI for authentication after negotiating GSSAPI
for encryption will short-circuit rather than establishing a second
context, if I remember right.)

I wonder if part of the confusion might be due to the synonyms we're
using here for "in use".  Things seem to be "got running", "set up",
"operating", "negotiated", ... - maybe that's part of the barrier to
understanding?

Thanks,
--Robbie
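
The encryption "request packet" step described above, as an added example that is not part of the original message and is not libpq code: it builds the 8-byte GSSENCRequest/SSLRequest packets, classifies a client's first packet, and interprets the server's one-byte reply. The function and enum names are hypothetical; the request codes and reply bytes are the ones given in the PostgreSQL frontend/backend protocol documentation.

```c
#include <stddef.h>
#include <stdint.h>
/* Request codes from the PostgreSQL frontend/backend protocol docs. */
#define PG_PROTOCOL_3_0 196608u   /* 3 << 16: regular StartupMessage */
#define CANCEL_REQUEST  80877102u /* (1234 << 16) | 5678 */
#define SSL_REQUEST     80877103u /* (1234 << 16) | 5679 */
#define GSSENC_REQUEST  80877104u /* (1234 << 16) | 5680 */
/* Hypothetical names for this example, not libpq identifiers. */
enum first_packet { PKT_TRUNCATED, PKT_UNKNOWN, PKT_STARTUP, PKT_CANCEL,
                    PKT_SSL_REQUEST, PKT_GSSENC_REQUEST };

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Both encryption requests are Int32 length (8) + Int32 request code. */
size_t build_enc_request(unsigned char out[8], uint32_t code)
{
    const uint32_t words[2] = { 8u, code };
    for (int i = 0; i < 8; i++)
        out[i] = (unsigned char)(words[i / 4] >> (24 - 8 * (i % 4)));
    return 8;
}

/* Classify the first packet a client sends on a new connection. */
enum first_packet classify_first_packet(const unsigned char *buf, size_t len)
{
    if (len < 8 || be32(buf) < 8 || be32(buf) > len)
        return PKT_TRUNCATED;
    uint32_t msglen = be32(buf), code = be32(buf + 4);
    if (code == SSL_REQUEST)    return msglen == 8 ? PKT_SSL_REQUEST : PKT_UNKNOWN;
    if (code == GSSENC_REQUEST) return msglen == 8 ? PKT_GSSENC_REQUEST : PKT_UNKNOWN;
    if (code == CANCEL_REQUEST) return msglen == 16 ? PKT_CANCEL : PKT_UNKNOWN;
    return code == PG_PROTOCOL_3_0 ? PKT_STARTUP : PKT_UNKNOWN;
}

/* Server's one-byte answer: 1 accepted, 0 refused ('N'), -1 unexpected. */
int enc_reply(enum first_packet req, unsigned char reply)
{
    if (reply == 'N') return 0;
    return ((req == PKT_SSL_REQUEST && reply == 'S') ||
            (req == PKT_GSSENC_REQUEST && reply == 'G')) ? 1 : -1;
}

int main(void)
{
    unsigned char req[8];
    build_enc_request(req, GSSENC_REQUEST);
    return classify_first_packet(req, 8) == PKT_GSSENC_REQUEST ? 0 : 1;
}
```

Whichever way the reply goes, the next packet from the client classifies as `PKT_STARTUP`: the regular StartupMessage, with no GSS-specific variant.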
