Thread: longfin missing gssapi_ext.h

longfin missing gssapi_ext.h

From
Stephen Frost
Date:
Greetings,

Looks like longfin has a particularly old Kerberos/GSSAPI installation
on it which pre-dates MIT release 1.11 from circa 2012 and is missing
gssapi_ext.h, causing the recently committed patch to add Kerberos
credential delegation to fail to build.

I'm inclined to update our configure check to explicitly check for the
needed function (gss_store_cred_into) as no one should really be running
with such an out-dated (over a decade old...) version of MIT Kerberos.

Thoughts?

Thanks!

Stephen

Attachment

Re: longfin missing gssapi_ext.h

From
Tom Lane
Date:
Stephen Frost <sfrost@snowman.net> writes:
> Looks like longfin has a particularly old Kerberos/GSSAPI installation
> on it

It's whatever Apple is shipping, or was shipping last year or so.

> I'm inclined to update our configure check to explicitly check for the
> needed function (gss_store_cred_into)

Sounds like a possible fix, although I wonder whether you shouldn't
explicitly check for the presence of this header.

            regards, tom lane



Re: longfin missing gssapi_ext.h

From
Stephen Frost
Date:
Greetings,

* Tom Lane (tgl@sss.pgh.pa.us) wrote:
> Stephen Frost <sfrost@snowman.net> writes:
> > Looks like longfin has a particularly old Kerberos/GSSAPI installation
> > on it
>
> It's whatever Apple is shipping, or was shipping last year or so.

Sadly they've not been maintaining the Kerberos libraries at all on
their systems.

> > I'm inclined to update our configure check to explicitly check for the
> > needed function (gss_store_cred_into)
>
> Sounds like a possible fix, although I wonder whether you shouldn't
> explicitly check for the presence of this header.

I'm good with either.

Thanks!

Stephen

Attachment

Re: longfin missing gssapi_ext.h

From
Tom Lane
Date:
Stephen Frost <sfrost@snowman.net> writes:
> * Tom Lane (tgl@sss.pgh.pa.us) wrote:
>> It's whatever Apple is shipping, or was shipping last year or so.

> Sadly they've not been maintaining the Kerberos libraries at all on
> their systems.

Indeed :-(.  I wouldn't be surprised if there are security issues in
their version.  Perhaps what we really ought to do is refuse to build
with their version --- but if so, we need some clearer error message
about it.

            regards, tom lane



Re: longfin missing gssapi_ext.h

From
Stephen Frost
Date:
Greetings,

* Tom Lane (tgl@sss.pgh.pa.us) wrote:
> Stephen Frost <sfrost@snowman.net> writes:
> > * Tom Lane (tgl@sss.pgh.pa.us) wrote:
> >> It's whatever Apple is shipping, or was shipping last year or so.
>
> > Sadly they've not been maintaining the Kerberos libraries at all on
> > their systems.
>
> Indeed :-(.  I wouldn't be surprised if there are security issues in
> their version.  Perhaps what we really ought to do is refuse to build
> with their version --- but if so, we need some clearer error message
> about it.

The attached should (I believe?) at least add the needed check for
gssapi_ext.h which will cause builds to fail and complain about the
header being missing from their installation.

I'm certainly open to ideas about how to provide a better error message,
particularly on OSX systems which have an ancient version, to make it
clear that people need to install an updated version.  I don't have an
OSX system at hand though.

Should I push this to at least address the header check ... ?

Thanks,

Stephen

Attachment

Re: longfin missing gssapi_ext.h

From
Stephen Frost
Date:
Greetings,

* Stephen Frost (sfrost@snowman.net) wrote:
> * Tom Lane (tgl@sss.pgh.pa.us) wrote:
> > Stephen Frost <sfrost@snowman.net> writes:
> > > * Tom Lane (tgl@sss.pgh.pa.us) wrote:
> > >> It's whatever Apple is shipping, or was shipping last year or so.
> >
> > > Sadly they've not been maintaining the Kerberos libraries at all on
> > > their systems.
> >
> > Indeed :-(.  I wouldn't be surprised if there are security issues in
> > their version.  Perhaps what we really ought to do is refuse to build
> > with their version --- but if so, we need some clearer error message
> > about it.
>
> The attached should (I believe?) at least add the needed check for
> gssapi_ext.h which will cause builds to fail and complain about the
> header being missing from their installation.
>
> I'm certainly open to ideas about how to provide a better error message,
> particularly on OSX systems which have an ancient version, to make it
> clear that people need to install an updated version.  I don't have an
> OSX system at hand though.
>
> Should I push this to at least address the header check ... ?

Looks like buildfarm animal hake, at least, has a version recent enough
to have gssapi_ext.h ... but still older than 1.11 and therefore
doesn't have the type gss_key_value_element_desc defined, so maybe the
check for gss_store_cred_into would be better?

Certainly interesting how many old kerberos library installations there
are, even in our buildfarm..

Thanks!

Stephen

Attachment

Re: longfin missing gssapi_ext.h

From
Tom Lane
Date:
Stephen Frost <sfrost@snowman.net> writes:
> Looks like buildfarm animal hake, at least, has a version recent enough
> to have gssapi_ext.h ... but still older than 1.11 and therefore
> doesn't have the type gss_key_value_element_desc defined, so maybe the
> check for gss_store_cred_into would be better?

Well, now we're getting into value judgements about which gssapi
versions are still worth supporting.  Are you really willing to toss
overboard all versions that don't support gss_store_cred_into?  Or
should credential delegation be viewed as an incremental feature that
we can support or not?

TBH, committing things with significant portability hazards ten hours
before feature freeze is not high on my list of good development
practices.

            regards, tom lane



Re: longfin missing gssapi_ext.h

From
Stephen Frost
Date:
Greetings,

* Tom Lane (tgl@sss.pgh.pa.us) wrote:
> Stephen Frost <sfrost@snowman.net> writes:
> > Looks like buildfarm animal hake, at least, has a version recent enough
> > to have gssapi_ext.h ... but still older than 1.11 and therefore
> > doesn't have the type gss_key_value_element_desc defined, so maybe the
> > check for gss_store_cred_into would be better?
>
> Well, now we're getting into value judgements about which gssapi
> versions are still worth supporting.  Are you really willing to toss
> overboard all versions that don't support gss_store_cred_into?  Or
> should credential delegation be viewed as an incremental feature that
> we can support or not?

I'm open to considering support for older versions, however ...

> TBH, committing things with significant portability hazards ten hours
> before feature freeze is not high on my list of good development
> practices.

but as pointed out, these APIs are all over a decade old and systems
which don't support them have a pretty high risk of having security
issues due to shipping these out-dated libraries.

I agree it's a value judgement and something to consider but I don't see
Apple changing their mind any time soon on actually updating the
Kerberos version they ship and no one should really be using what they
do ship.  The same is true for any other system that's shipping a
version of a core security library that's not been updated in over a
decade.

We are currently requiring at least OpenSSL 1.0.1 which was released in
2012.  Having a similar requirement for MIT Kerberos, for our release of
PG in 2023, doesn't strike me as unreasonable.

Attached is a more fully-formed patch with a regenerated configure that
adds in a check for gssapi_ext.h and updates the function check to look
for gss_store_cred_into().

Thanks!

Stephen

Attachment

Re: longfin missing gssapi_ext.h

From
Tom Lane
Date:
Stephen Frost <sfrost@snowman.net> writes:
> I'm open to considering support for older versions, however ...

NetBSD 9.3, which is their *latest production release*, doesn't have
gssapi_ext.h [1].  For that matter, it doesn't look like their
not-yet-released 10.0BETA does either (my NetBSD 10 animals would
be failing if they had --with-gssapi).  I do not think it's going
to be acceptable to require this feature.

I'm now going to reiterate my opinion that this patch should not
have been pushed in at this point of the dev cycle.  A month ago,
there was time to deal with these sorts of issues.

            regards, tom lane

[1] https://buildfarm.postgresql.org/cgi-bin/show_log.pl?nm=sidewinder&dt=2023-04-08%2002%3A38%3A31



Re: longfin missing gssapi_ext.h

From
Andres Freund
Date:
Hi,

On 2023-04-07 22:50:18 -0400, Tom Lane wrote:
> Or should credential delegation be viewed as an incremental feature that we
> can support or not?

That seems like the best way forward here.

Greetings,

Andres Freund



Re: longfin missing gssapi_ext.h

From
Stephen Frost
Date:
Greetings,

* Tom Lane (tgl@sss.pgh.pa.us) wrote:
> Stephen Frost <sfrost@snowman.net> writes:
> > I'm open to considering support for older versions, however ...
>
> NetBSD 9.3, which is their *latest production release*, doesn't have
> gssapi_ext.h [1].  For that matter, it doesn't look like their
> not-yet-released 10.0BETA does either (my NetBSD 10 animals would
> be failing if they had --with-gssapi).  I do not think it's going
> to be acceptable to require this feature.

I'm certainly curious to understand what Kerberos library they're using
and how they're maintaining it.  At least some of the documentation I've
found seems to indicate that it might be Heimdal, which does have
gss_store_cred_into in gssapi.h.

> I'm now going to reiterate my opinion that this patch should not
> have been pushed in at this point of the dev cycle.  A month ago,
> there was time to deal with these sorts of issues.

I suspected there would be an issue with OSX but hadn't expected an
issue with NetBSD.  I had tested this across a few Linux platforms and
cfbot showed it wasn't causing issues on Windows or the platforms that
are run there.  Would be really great to have a way to test these things
out on these other platforms other than just committing them and seeing
what happens on the buildfarm.

In any case, I've reverted it and we can pick this up for the next
cycle.  I'll play around with Heimdal locally as it appears to be
available on Ubuntu (I had actually thought Heimdal to be mostly gone at
this point since it only ever existed really due to silly export
restrictions...) and see if there's actually anything other than making
gssapi_ext.h itself be optional to be pulled in that's needed to make it
work.

Thanks,

Stephen

Attachment

Re: longfin missing gssapi_ext.h

From
Stephen Frost
Date:
Greetings,

* Andres Freund (andres@anarazel.de) wrote:
> On 2023-04-07 22:50:18 -0400, Tom Lane wrote:
> > Or should credential delegation be viewed as an incremental feature that we
> > can support or not?
>
> That seems like the best way forward here.

Yeah, that's certainly doable too, though I'm really not sure we should
be accepting OSX's GSSAPI library and that might really be the only case
at issue here.  Either way, I've reverted it and will see about picking
it up for the next cycle (again) and hopefully be able to work through
these issues either by having it be optional or, if NetBSD and Heimdal
actually support all the APIs just with different headers, perhaps
deciding we're willing to require them.

Thanks,

Stephen

Attachment

Re: longfin missing gssapi_ext.h

From
Tom Lane
Date:
Stephen Frost <sfrost@snowman.net> writes:
> I suspected there would be an issue with OSX but hadn't expected an
> issue with NetBSD.  I had tested this across a few Linux platforms and
> cfbot showed it wasn't causing issues on Windows or the platforms that
> are run there.  Would be really great to have a way to test these things
> out on these other platforms other than just committing them and seeing
> what happens on the buildfarm.

I poked around a bit more and found that:

* NetBSD's package collection[1] includes both Heimdal and MIT Kerberos
(mit-krb5).  Apparently what's installed on at least some of the buildfarm
animals is the former.

* FreeBSD seems to offer *only* Heimdal [2]; OpenBSD ditto [3].

* I cannot find any sign of either gss_store_cred_into or gssapi_ext.h
in FreeBSD's Heimdal (7.8.0_6).

So it does not look like supporting Heimdal is going to be optional,
and that means the credential delegation feature is going to have
to be optional, or else we need to find some equivalent Heimdal APIs.

I share your feeling that we could probably blow off Apple's built-in
GSSAPI.  MacPorts offers both Heimdal and kerberos5, and I imagine
Homebrew has at least one of them, so Mac people could easily get
hold of newer implementations.  But the BSDen are going to be a
problem.

            regards, tom lane

[1] https://cdn.netbsd.org/pub/pkgsrc/current/pkgsrc/security/index.html
[2] https://ports.freebsd.org/cgi/ports.cgi?query=kerberos&stype=all&sektion=all
[3] https://cdn.openbsd.org/pub/OpenBSD/snapshots/packages/amd64/



Re: longfin missing gssapi_ext.h

From
Stephen Frost
Date:
Greetings,

* Tom Lane (tgl@sss.pgh.pa.us) wrote:
> Stephen Frost <sfrost@snowman.net> writes:
> > I suspected there would be an issue with OSX but hadn't expected an
> > issue with NetBSD.  I had tested this across a few Linux platforms and
> > cfbot showed it wasn't causing issues on Windows or the platforms that
> > are run there.  Would be really great to have a way to test these things
> > out on these other platforms other than just committing them and seeing
> > what happens on the buildfarm.
>
> I poked around a bit more and found that:
>
> * NetBSD's package collection[1] includes both Heimdal and MIT Kerberos
> (mit-krb5).  Apparently what's installed on at least some of the buildfarm
> animals is the former.
>
> * FreeBSD seems to offer *only* Heimdal [2]; OpenBSD ditto [3].
>
> * I cannot find any sign of either gss_store_cred_into or gssapi_ext.h
> in FreeBSD's Heimdal (7.8.0_6).
>
> So it does not look like supporting Heimdal is going to be optional,
> and that means the credential delegation feature is going to have
> to be optional, or else we need to find some equivalent Heimdal APIs.

Thanks for doing that digging!

I've been looking too and while Heimdal added gss_store_cred_into in
their development branch 5 years ago[1] (!), it's not made it into an
actual release.  Good that they seem to at least be maintaining it
enough to deal with CVEs, but unfortunately I'm fairly confident that
there won't be a way to support constrained delegation (which is the
next goal, once unconstrained delegation is in and working) on the
Heimdal platforms.  I suspected that would have to be optional anyway,
but I hadn't expected it to hit all the BSD platforms.

In any case, for this I'm working switching over to gss_store_cred()
which does seem to be available in the Heimdal Debian packages that I
was able to install locally (looks to be 7.7.0) and should work just
fine for these purposes, though it requires a bit more work on the
libpq side as we need to tell libpq explicitly the name which was on
the delegated credential when we call gss_acquire_cred().

Once that's done, should be able to drop the gssapi_ext.h include
entirely and still have the test suite able to run with MIT Kerberos.

One thing I'm on the fence about is trying to make the test suite
actually work with Heimdal..  I'm planning to install the Heimdal KDC,
et al, and see what happens but if it ends up looking like it's a lot of
work then I might forgo that effort.  I'm not sure it's really necessary
but I could be argued out of that position without too much effort.  The
stated Heimdal goal is to be a re-implementation of MIT Kerberos and
these are all documented APIs with RFCs, after all.

> I share your feeling that we could probably blow off Apple's built-in
> GSSAPI.  MacPorts offers both Heimdal and kerberos5, and I imagine
> Homebrew has at least one of them, so Mac people could easily get
> hold of newer implementations.  But the BSDen are going to be a
> problem.

Yeah.  Unfortunate that Heimdal doesn't seem to really be moving forward
in terms of new development.

Thanks,

Stephen

[1] https://github.com/heimdal/heimdal/commit/e0bb9c10cad0fd98245caecf8af8fca855b2df49

Attachment

Re: longfin missing gssapi_ext.h

From
Tom Lane
Date:
I wrote:
> * NetBSD's package collection[1] includes both Heimdal and MIT Kerberos
> (mit-krb5).  Apparently what's installed on at least some of the buildfarm
> animals is the former.

Oh!  New data: the core NetBSD OS includes a copy of Heimdal (looks
to be 7.7.0 in the 10.0_BETA sources).  The installable package is
a slightly newer version, 7.8.0, but I think it's a very solid bet
that the relevant buildfarm animals are just using the core copy
and haven't installed the add-on package.  Even if they had, it
would take some fooling around with include and link paths to pull
in the packaged version rather than the built-in one.

The exact same thing applies to FreeBSD, except that their in-core
Heimdal is ancient (1.5.2).  Also, they do have MIT Kerberos
available as a package [1].  I'd been misled by the lack of a hit
on "kerberos", but "krb5" finds it.  Our code does compile against
that version of Heimdal, but src/test/kerberos/ refuses to try to
run.

I've not dug into OpenBSD any further.

            regards, tom lane

[1] https://ports.freebsd.org/cgi/ports.cgi?query=krb5&stype=all&sektion=all



Re: longfin missing gssapi_ext.h

From
Thomas Munro
Date:
On Sun, Apr 9, 2023 at 6:40 AM Tom Lane <tgl@sss.pgh.pa.us> wrote:
> The exact same thing applies to FreeBSD, except that their in-core
> Heimdal is ancient (1.5.2).  Also, they do have MIT Kerberos
> available as a package [1].  I'd been misled by the lack of a hit
> on "kerberos", but "krb5" finds it.  Our code does compile against
> that version of Heimdal, but src/test/kerberos/ refuses to try to
> run.

FWIW my FBSD animal elver has krb5 installed.  Sorry it wasn't running
when the relevant commit landed.  Stupid network cable wriggled out.



Re: longfin missing gssapi_ext.h

From
Stephen Frost
Date:
Greetings,

* Thomas Munro (thomas.munro@gmail.com) wrote:
> On Sun, Apr 9, 2023 at 6:40 AM Tom Lane <tgl@sss.pgh.pa.us> wrote:
> > The exact same thing applies to FreeBSD, except that their in-core
> > Heimdal is ancient (1.5.2).  Also, they do have MIT Kerberos
> > available as a package [1].  I'd been misled by the lack of a hit
> > on "kerberos", but "krb5" finds it.  Our code does compile against
> > that version of Heimdal, but src/test/kerberos/ refuses to try to
> > run.
>
> FWIW my FBSD animal elver has krb5 installed.  Sorry it wasn't running
> when the relevant commit landed.  Stupid network cable wriggled out.

Yeah, I wouldn't be the least bit surprised if many folks running
FreeBSD with any interest in Kerberos have MIT Kerberos installed given
that Heimdal doesn't seem to be under any kind of ongoing active
development and is just in this maintenance mode.

Have you tried running the tests in src/test/kerberos with elver?  Or is
it configured to run them?  Would be awesome if it could be, or if
there's issues with running the tests on FBSD w/ MIT Kerberos, I'd be
happy to try and help work through them.

Thanks!

Stephen

Attachment

Re: longfin missing gssapi_ext.h

From
Tom Lane
Date:
Stephen Frost <sfrost@snowman.net> writes:
> Yeah, I wouldn't be the least bit surprised if many folks running
> FreeBSD with any interest in Kerberos have MIT Kerberos installed given
> that Heimdal doesn't seem to be under any kind of ongoing active
> development and is just in this maintenance mode.

Yeah, that's a pretty scary situation for security-critical software.
Maybe we should just desupport Heimdal, rather than investing effort
to the contrary?

Also, the core-code versions of Heimdal in these BSDen are even scarier
than the upstream releases, so I'm thinking that the fact that we
currently compile against them is more a net negative than a positive.
(Same logic as for macOS, really.)

IOW, maybe it'd be okay to de-revert 3d4fa227b and add documentation
saying that --with-gssapi requires MIT Kerberos not Heimdal.

            regards, tom lane



Re: longfin missing gssapi_ext.h

From
Stephen Frost
Date:
Greetings,

* Tom Lane (tgl@sss.pgh.pa.us) wrote:
> Stephen Frost <sfrost@snowman.net> writes:
> > Yeah, I wouldn't be the least bit surprised if many folks running
> > FreeBSD with any interest in Kerberos have MIT Kerberos installed given
> > that Heimdal doesn't seem to be under any kind of ongoing active
> > development and is just in this maintenance mode.
>
> Yeah, that's a pretty scary situation for security-critical software.

Agreed.

> Maybe we should just desupport Heimdal, rather than investing effort
> to the contrary?

As this is for a new major PG release, I'd be in support of that.  I
would like to get the kerberos tests working on a FreeBSD buildfarm
animal with MIT Kerberos installed, if possible.

> Also, the core-code versions of Heimdal in these BSDen are even scarier
> than the upstream releases, so I'm thinking that the fact that we
> currently compile against them is more a net negative than a positive.
> (Same logic as for macOS, really.)

Agreed.  Still, I wouldn't go and break it for minor releases, but for a
new major version saying we no longer support Heimdal seems reasonable.
Then folks have the usual 5-ish years (if they want to delay as long as
possible) to move to MIT Kerberos.

> IOW, maybe it'd be okay to de-revert 3d4fa227b and add documentation
> saying that --with-gssapi requires MIT Kerberos not Heimdal.

I'd be happy with that and can add the appropriate documentation noting
that we require MIT Kerberos.  Presumably the appropriate step at this
point would be to check with the RMT?

Thanks!

Stephen

Attachment

Re: longfin missing gssapi_ext.h

From
Tom Lane
Date:
Stephen Frost <sfrost@snowman.net> writes:
> * Tom Lane (tgl@sss.pgh.pa.us) wrote:
>> IOW, maybe it'd be okay to de-revert 3d4fa227b and add documentation
>> saying that --with-gssapi requires MIT Kerberos not Heimdal.

> I'd be happy with that and can add the appropriate documentation noting
> that we require MIT Kerberos.  Presumably the appropriate step at this
> point would be to check with the RMT?

Yeah, RMT would have final say at this stage.

If you pull the trigger, a note to buildfarm-members would be
appropriate too, so people will know if they need to remove
--with-gssapi from animal configurations.

            regards, tom lane



Re: longfin missing gssapi_ext.h

From
"Jonathan S. Katz"
Date:
On 4/10/23 11:37 AM, Tom Lane wrote:
> Stephen Frost <sfrost@snowman.net> writes:
>> * Tom Lane (tgl@sss.pgh.pa.us) wrote:
>>> IOW, maybe it'd be okay to de-revert 3d4fa227b and add documentation
>>> saying that --with-gssapi requires MIT Kerberos not Heimdal.
> 
>> I'd be happy with that and can add the appropriate documentation noting
>> that we require MIT Kerberos.  Presumably the appropriate step at this
>> point would be to check with the RMT?
> 
> Yeah, RMT would have final say at this stage.
> 
> If you pull the trigger, a note to buildfarm-members would be
> appropriate too, so people will know if they need to remove
> --with-gssapi from animal configurations.

The RMT discussed this thread and agrees to a "de-revert" of the "Add 
support for Kerberos delegation" patch, provided that:

1. The appropriate documentation is added AND
2. The de-revert occurs no later than 2023-04-15 (upper bound 2023-04-16 
0:00 AoE).

There's an open item[1] for this task.

Thanks,

Jonathan

[1] https://wiki.postgresql.org/wiki/PostgreSQL_16_Open_Items#Open_Issues


Attachment

Re: longfin missing gssapi_ext.h

From
Thomas Munro
Date:
On Tue, Apr 11, 2023 at 2:31 AM Stephen Frost <sfrost@snowman.net> wrote:
> Have you tried running the tests in src/test/kerberos with elver?  Or is
> it configured to run them?  Would be awesome if it could be, or if
> there's issues with running the tests on FBSD w/ MIT Kerberos, I'd be
> happy to try and help work through them.

I'm also happy to test/help/improve the animal/teach CI to do
it/whatever.  I've made a note to test out the reverted commit later
today when I'll be in front of the right computers.



Re: longfin missing gssapi_ext.h

From
Thomas Munro
Date:
On Tue, Apr 11, 2023 at 2:53 PM Thomas Munro <thomas.munro@gmail.com> wrote:
> On Tue, Apr 11, 2023 at 2:31 AM Stephen Frost <sfrost@snowman.net> wrote:
> > Have you tried running the tests in src/test/kerberos with elver?  Or is
> > it configured to run them?  Would be awesome if it could be, or if
> > there's issues with running the tests on FBSD w/ MIT Kerberos, I'd be
> > happy to try and help work through them.

Oh, the FreeBSD CI already runs the kerberos test and it uses the krb5
package, because the image it uses installs that[1] and at least the
Meson build automatically prefers that over Heimdal.  So the CI in the
postgres/postgres account tested it[2] as soon as you committed, and
cfbot was testing all along in the commitfest.  It's not skipped and
that test would clearly BAIL_OUT if it detected Heimdal.  Is that good
enough?

I have OpenBSD and NetBSD vagrant images around, do you want me to
test those too?

As for elver, I remembered an unfortunate detail: it doesn't currently
have kerberos enabled in PG_TEXT_EXTRA, because it the test depends on
localhost being 127.0.0.1 which isn't quite true on this box
(container tech with an unusual network stack, long boring story) and
I hadn't got around to figuring out what to do about that.  I can look
into it if you want, or perhaps you are satisfied with CI proving that
FreeBSD likes your patch.

[1] https://github.com/anarazel/pg-vm-images/blob/main/packer/freebsd.pkr.hcl
[2] https://cirrus-ci.com/task/6378179762323456?logs=test_world#L43



Re: longfin missing gssapi_ext.h

From
Stephen Frost
Date:
Greetings,

* Jonathan S. Katz (jkatz@postgresql.org) wrote:
> On 4/10/23 11:37 AM, Tom Lane wrote:
> > Stephen Frost <sfrost@snowman.net> writes:
> > > * Tom Lane (tgl@sss.pgh.pa.us) wrote:
> > > > IOW, maybe it'd be okay to de-revert 3d4fa227b and add documentation
> > > > saying that --with-gssapi requires MIT Kerberos not Heimdal.
> >
> > > I'd be happy with that and can add the appropriate documentation noting
> > > that we require MIT Kerberos.  Presumably the appropriate step at this
> > > point would be to check with the RMT?
> >
> > Yeah, RMT would have final say at this stage.
> >
> > If you pull the trigger, a note to buildfarm-members would be
> > appropriate too, so people will know if they need to remove
> > --with-gssapi from animal configurations.
>
> The RMT discussed this thread and agrees to a "de-revert" of the "Add
> support for Kerberos delegation" patch, provided that:
>
> 1. The appropriate documentation is added AND
> 2. The de-revert occurs no later than 2023-04-15 (upper bound 2023-04-16
> 0:00 AoE).
>
> There's an open item[1] for this task.

Understood.  Please find attached the updated patch with changes to the
commit message to indicate that we now require MIT Kerberos, an
additional explicit check for gssapi_ext.h in configure.ac/configure,
along with updated documentation explicitly saying we require MIT
Kerberos for GSSAPI support.

I'll plan to push this tomorrow.

Of course, suggestions/improvements on documentation or anything else
always welcome.

Thanks all!

Stephen

Attachment

Re: longfin missing gssapi_ext.h

From
Justin Pryzby
Date:
>  configure                                     |  27 ++
>  configure.ac                                  |   2 +

Does meson.build need the corresponding change ?



Re: longfin missing gssapi_ext.h

From
Stephen Frost
Date:
Greetings,

* Justin Pryzby (pryzby@telsasoft.com) wrote:
> >  configure                                     |  27 ++
> >  configure.ac                                  |   2 +
>
> Does meson.build need the corresponding change ?

Ah, yes, presumably.

Something like the attached?

Thanks,

Stephen

Attachment

Re: longfin missing gssapi_ext.h

From
Stephen Frost
Date:
Greetings,

* Stephen Frost (sfrost@snowman.net) wrote:
> Greetings,
>
> * Justin Pryzby (pryzby@telsasoft.com) wrote:
> > >  configure                                     |  27 ++
> > >  configure.ac                                  |   2 +
> >
> > Does meson.build need the corresponding change ?
>
> Ah, yes, presumably.

No, more like attached actually.  Picks up on the dependency properly
with this when I ran meson/ninja, at least.

I'll include this then (along with any other suggestions, of course).

Thanks!

Stephen

Attachment

Re: longfin missing gssapi_ext.h

From
Tom Lane
Date:
Stephen Frost <sfrost@snowman.net> writes:
> Understood.  Please find attached the updated patch with changes to the
> commit message to indicate that we now require MIT Kerberos, an
> additional explicit check for gssapi_ext.h in configure.ac/configure,
> along with updated documentation explicitly saying we require MIT
> Kerberos for GSSAPI support.

Um ... could you package this as a straight un-revert of the
previous commit, then a delta patch?  Would be easier to review.

            regards, tom lane



Re: longfin missing gssapi_ext.h

From
Stephen Frost
Date:
Greetings,

* Tom Lane (tgl@sss.pgh.pa.us) wrote:
> Stephen Frost <sfrost@snowman.net> writes:
> > Understood.  Please find attached the updated patch with changes to the
> > commit message to indicate that we now require MIT Kerberos, an
> > additional explicit check for gssapi_ext.h in configure.ac/configure,
> > along with updated documentation explicitly saying we require MIT
> > Kerberos for GSSAPI support.
>
> Um ... could you package this as a straight un-revert of the
> previous commit, then a delta patch?  Would be easier to review.

Sure, reworked that way and attached.

Thanks,

Stephen

Attachment

Re: longfin missing gssapi_ext.h

From
"Jonathan S. Katz"
Date:
On 4/12/23 10:33 AM, Stephen Frost wrote:
> Greetings,
> 
> * Tom Lane (tgl@sss.pgh.pa.us) wrote:
>> Stephen Frost <sfrost@snowman.net> writes:
>>> Understood.  Please find attached the updated patch with changes to the
>>> commit message to indicate that we now require MIT Kerberos, an
>>> additional explicit check for gssapi_ext.h in configure.ac/configure,
>>> along with updated documentation explicitly saying we require MIT
>>> Kerberos for GSSAPI support.
>>
>> Um ... could you package this as a straight un-revert of the
>> previous commit, then a delta patch?  Would be easier to review.
> 
> Sure, reworked that way and attached.

Docs read well. A few questions/commenets:

* On [1] -- do we want to add a note that it's not just Kerberos, but 
MIT Kerberos?

* On [2] -- we mention "kadmin tool of MIT-compatible Kerberos 5" which 
is AIUI is still technically correct, but do we want to drop the 
"-compatible?" (precedent in [3])

Thanks,

Jonathan

[1] https://www.postgresql.org/docs/devel/install-requirements.html
[2] https://www.postgresql.org/docs/devel/gssapi-auth.html
[3] https://www.postgresql.org/docs/devel/regress-run.html

Attachment

Re: longfin missing gssapi_ext.h

From
Daniel Gustafsson
Date:
> On 12 Apr 2023, at 16:33, Stephen Frost <sfrost@snowman.net> wrote:

> Sure, reworked that way and attached.

While not changed in this hunk, does the comment regarding Heimdal still apply?

@@ -918,6 +919,7 @@ pg_GSS_recvauth(Port *port)
     int            mtype;
     StringInfoData buf;
     gss_buffer_desc gbuf;
+    gss_cred_id_t delegated_creds;

     /*
      * Use the configured keytab, if there is one.  Unfortunately, Heimdal

--
Daniel Gustafsson




Re: longfin missing gssapi_ext.h

From
Stephen Frost
Date:
Greetings,

* Jonathan S. Katz (jkatz@postgresql.org) wrote:
> On 4/12/23 10:33 AM, Stephen Frost wrote:
> > * Tom Lane (tgl@sss.pgh.pa.us) wrote:
> > > Stephen Frost <sfrost@snowman.net> writes:
> > > > Understood.  Please find attached the updated patch with changes to the
> > > > commit message to indicate that we now require MIT Kerberos, an
> > > > additional explicit check for gssapi_ext.h in configure.ac/configure,
> > > > along with updated documentation explicitly saying we require MIT
> > > > Kerberos for GSSAPI support.
> > >
> > > Um ... could you package this as a straight un-revert of the
> > > previous commit, then a delta patch?  Would be easier to review.
> >
> > Sure, reworked that way and attached.
>
> Docs read well. A few questions/commenets:
>
> * On [1] -- do we want to add a note that it's not just Kerberos, but MIT
> Kerberos?

Yes, makes sense, updated.

> * On [2] -- we mention "kadmin tool of MIT-compatible Kerberos 5" which is
> AIUI is still technically correct, but do we want to drop the "-compatible?"
> (precedent in [3])

Yup, cleaned that up also.

Updated patch set attached.

Thanks!

Stephen

Attachment

Re: longfin missing gssapi_ext.h

From
"Jonathan S. Katz"
Date:
On 4/12/23 10:47 AM, Stephen Frost wrote:
> Greetings,
> 
> * Jonathan S. Katz (jkatz@postgresql.org) wrote:
>> On 4/12/23 10:33 AM, Stephen Frost wrote:
>>> * Tom Lane (tgl@sss.pgh.pa.us) wrote:
>>>> Stephen Frost <sfrost@snowman.net> writes:
>>>>> Understood.  Please find attached the updated patch with changes to the
>>>>> commit message to indicate that we now require MIT Kerberos, an
>>>>> additional explicit check for gssapi_ext.h in configure.ac/configure,
>>>>> along with updated documentation explicitly saying we require MIT
>>>>> Kerberos for GSSAPI support.
>>>>
>>>> Um ... could you package this as a straight un-revert of the
>>>> previous commit, then a delta patch?  Would be easier to review.
>>>
>>> Sure, reworked that way and attached.
>>
>> Docs read well. A few questions/commenets:
>>
>> * On [1] -- do we want to add a note that it's not just Kerberos, but MIT
>> Kerberos?
> 
> Yes, makes sense, updated.
> 
>> * On [2] -- we mention "kadmin tool of MIT-compatible Kerberos 5" which is
>> AIUI is still technically correct, but do we want to drop the "-compatible?"
>> (precedent in [3])
> 
> Yup, cleaned that up also.
> 
> Updated patch set attached.

Thanks! I'll sign off on the docs portion.

The meson build code looks good to me (I just compared it to what 
already exists). Similar comment to the autoconf code.

Thanks,

Jonathan

Attachment

Re: longfin missing gssapi_ext.h

From
Stephen Frost
Date:
Greetings,

* Daniel Gustafsson (daniel@yesql.se) wrote:
> > On 12 Apr 2023, at 16:33, Stephen Frost <sfrost@snowman.net> wrote:
> > Sure, reworked that way and attached.
>
> While not changed in this hunk, does the comment regarding Heimdal still apply?
>
> @@ -918,6 +919,7 @@ pg_GSS_recvauth(Port *port)
>      int            mtype;
>      StringInfoData buf;
>      gss_buffer_desc gbuf;
> +    gss_cred_id_t delegated_creds;
>
>      /*
>       * Use the configured keytab, if there is one.  Unfortunately, Heimdal

Good catch.  No, it doesn't.  I'm not anxious to actually change that
code at this point but we could certainly consider changing it in the
future.  I'll update this comment (and the identical one in
secure_open_gssapi) accordingly.

Thanks!

Stephen

Attachment

Re: longfin missing gssapi_ext.h

From
Tom Lane
Date:
Stephen Frost <sfrost@snowman.net> writes:
> Updated patch set attached.

LGTM

            regards, tom lane



Re: longfin missing gssapi_ext.h

From
Stephen Frost
Date:
Greetings,

* Tom Lane (tgl@sss.pgh.pa.us) wrote:
> Stephen Frost <sfrost@snowman.net> writes:
> > Updated patch set attached.
>
> LGTM

Great, thanks.

I cleaned up the commit messages a bit more and added links to the
discussion.  If there isn't anything more then I'll plan to push these
later today or tomorrow.

Thanks again!

Stephen

Attachment

Re: longfin missing gssapi_ext.h

From
Daniel Gustafsson
Date:
> On 12 Apr 2023, at 16:55, Stephen Frost <sfrost@snowman.net> wrote:
>
> Greetings,
>
> * Daniel Gustafsson (daniel@yesql.se) wrote:
>>> On 12 Apr 2023, at 16:33, Stephen Frost <sfrost@snowman.net> wrote:
>>> Sure, reworked that way and attached.
>>
>> While not changed in this hunk, does the comment regarding Heimdal still apply?
>>
>> @@ -918,6 +919,7 @@ pg_GSS_recvauth(Port *port)
>>     int            mtype;
>>     StringInfoData buf;
>>     gss_buffer_desc gbuf;
>> +    gss_cred_id_t delegated_creds;
>>
>>     /*
>>      * Use the configured keytab, if there is one.  Unfortunately, Heimdal
>
> Good catch.  No, it doesn't.  I'm not anxious to actually change that
> code at this point but we could certainly consider changing it in the
> future.  I'll update this comment (and the identical one in
> secure_open_gssapi) accordingly.

Sounds like a good plan.

--
Daniel Gustafsson




Re: longfin missing gssapi_ext.h

From
"Jonathan S. Katz"
Date:
On 4/12/23 12:22 PM, Stephen Frost wrote:
> Greetings,
> 
> * Tom Lane (tgl@sss.pgh.pa.us) wrote:
>> Stephen Frost <sfrost@snowman.net> writes:
>>> Updated patch set attached.
>>
>> LGTM
> 
> Great, thanks.
> 
> I cleaned up the commit messages a bit more and added links to the
> discussion.  If there isn't anything more then I'll plan to push these
> later today or tomorrow.

Great -- thanks for your attention to this. I'm glad we have an 
opportunity to de-revert (devert?).

Jonathan


Attachment

Re: longfin missing gssapi_ext.h

From
Stephen Frost
Date:
Greetings,

* Jonathan S. Katz (jkatz@postgresql.org) wrote:
> On 4/12/23 12:22 PM, Stephen Frost wrote:
> > * Tom Lane (tgl@sss.pgh.pa.us) wrote:
> > > Stephen Frost <sfrost@snowman.net> writes:
> > > > Updated patch set attached.
> > >
> > > LGTM
> >
> > Great, thanks.
> >
> > I cleaned up the commit messages a bit more and added links to the
> > discussion.  If there isn't anything more then I'll plan to push these
> > later today or tomorrow.
>
> Great -- thanks for your attention to this. I'm glad we have an opportunity
> to de-revert (devert?).

Pushed, thanks again to everyone.

I'll monitor the buildfarm and assuming there isn't anything unexpected
then I'll mark the open item as resolved now.

Thanks!

Stephen

Attachment

Re: longfin missing gssapi_ext.h

From
Tom Lane
Date:
Stephen Frost <sfrost@snowman.net> writes:
> Pushed, thanks again to everyone.
> I'll monitor the buildfarm and assuming there isn't anything unexpected
> then I'll mark the open item as resolved now.

The Debian 7 (Wheezy) members of the buildfarm (lapwing, skate, snapper)
are all getting past the gssapi_ext.h check you added and then failing
like this:

ccache gcc -std=gnu99 -Wall -Wmissing-prototypes -Wpointer-arith -Wdeclaration-after-statement -Werror=vla
-Wendif-labels-Wmissing-format-attribute -Wformat-security -fno-strict-aliasing -fwrapv -fexcess-precision=standard -g
-O2-Werror -I../../../src/include  -DENFORCE_REGRESSION_TEST_NAME_RESTRICTIONS -D_GNU_SOURCE -I/usr/include/libxml2
-I/usr/include/et -c -o be-gssapi-common.o be-gssapi-common.c 
be-gssapi-common.c: In function 'pg_store_delegated_credential':
be-gssapi-common.c:110:2: error: unknown type name 'gss_key_value_element_desc'
be-gssapi-common.c:111:2: error: unknown type name 'gss_key_value_set_desc'
be-gssapi-common.c:113:4: error: request for member 'key' in something not a structure or union
be-gssapi-common.c:114:4: error: request for member 'value' in something not a structure or union
be-gssapi-common.c:115:7: error: request for member 'count' in something not a structure or union
be-gssapi-common.c:116:7: error: request for member 'elements' in something not a structure or union
be-gssapi-common.c:119:2: error: implicit declaration of function 'gss_store_cred_into'
[-Werror=implicit-function-declaration]

Debian 7 has been EOL five years or so, so I don't mind saying "get a
newer OS or disable gssapi".  However, is it worth adding another
configure check to fail a little faster with whatever Kerberos
version this is?  Checking that gss_store_cred_into() exists
seems like the most obvious one of these things to test for.

            regards, tom lane



Re: longfin missing gssapi_ext.h

From
Stephen Frost
Date:
Greetings,

* Tom Lane (tgl@sss.pgh.pa.us) wrote:
> Stephen Frost <sfrost@snowman.net> writes:
> > Pushed, thanks again to everyone.
> > I'll monitor the buildfarm and assuming there isn't anything unexpected
> > then I'll mark the open item as resolved now.
>
> The Debian 7 (Wheezy) members of the buildfarm (lapwing, skate, snapper)
> are all getting past the gssapi_ext.h check you added and then failing
> like this:
>
> ccache gcc -std=gnu99 -Wall -Wmissing-prototypes -Wpointer-arith -Wdeclaration-after-statement -Werror=vla
-Wendif-labels-Wmissing-format-attribute -Wformat-security -fno-strict-aliasing -fwrapv -fexcess-precision=standard -g
-O2-Werror -I../../../src/include  -DENFORCE_REGRESSION_TEST_NAME_RESTRICTIONS -D_GNU_SOURCE -I/usr/include/libxml2
-I/usr/include/et -c -o be-gssapi-common.o be-gssapi-common.c 
> be-gssapi-common.c: In function 'pg_store_delegated_credential':
> be-gssapi-common.c:110:2: error: unknown type name 'gss_key_value_element_desc'
> be-gssapi-common.c:111:2: error: unknown type name 'gss_key_value_set_desc'
> be-gssapi-common.c:113:4: error: request for member 'key' in something not a structure or union
> be-gssapi-common.c:114:4: error: request for member 'value' in something not a structure or union
> be-gssapi-common.c:115:7: error: request for member 'count' in something not a structure or union
> be-gssapi-common.c:116:7: error: request for member 'elements' in something not a structure or union
> be-gssapi-common.c:119:2: error: implicit declaration of function 'gss_store_cred_into'
[-Werror=implicit-function-declaration]
>
> Debian 7 has been EOL five years or so, so I don't mind saying "get a
> newer OS or disable gssapi".  However, is it worth adding another
> configure check to fail a little faster with whatever Kerberos
> version this is?  Checking that gss_store_cred_into() exists
> seems like the most obvious one of these things to test for.

Sure, I can certainly do that and agreed that it makes sense to check
for gss_store_cred_into().

How about the attached which just switches from testing for
gss_init_sec_context to testing for gss_store_cred_into?

Thanks!

Stephen

Attachment

Re: longfin missing gssapi_ext.h

From
Tom Lane
Date:
Stephen Frost <sfrost@snowman.net> writes:
> How about the attached which just switches from testing for
> gss_init_sec_context to testing for gss_store_cred_into?

WFM.

            regards, tom lane



Re: longfin missing gssapi_ext.h

From
Stephen Frost
Date:
Greetings,

* Tom Lane (tgl@sss.pgh.pa.us) wrote:
> Stephen Frost <sfrost@snowman.net> writes:
> > How about the attached which just switches from testing for
> > gss_init_sec_context to testing for gss_store_cred_into?
>
> WFM.

Done that way.

Thanks!

Stephen

Attachment

Re: longfin missing gssapi_ext.h

From
Tom Lane
Date:
Stephen Frost <sfrost@snowman.net> writes:
> Done that way.

Looks like you neglected to update the configure script proper?

            regards, tom lane



Re: longfin missing gssapi_ext.h

From
Stephen Frost
Date:
Greetings,

* Tom Lane (tgl@sss.pgh.pa.us) wrote:
> Stephen Frost <sfrost@snowman.net> writes:
> > Done that way.
>
> Looks like you neglected to update the configure script proper?

Pah, indeed.  Will fix.  Sorry about that.

Thanks,

Stephen

Attachment

Re: longfin missing gssapi_ext.h

From
Stephen Frost
Date:
Greetings,

* Stephen Frost (sfrost@snowman.net) wrote:
> * Tom Lane (tgl@sss.pgh.pa.us) wrote:
> > Stephen Frost <sfrost@snowman.net> writes:
> > > Done that way.
> >
> > Looks like you neglected to update the configure script proper?
>
> Pah, indeed.  Will fix.  Sorry about that.

Fixed.

I'm guessing it's not really an issue but it does make changing
configure a bit annoying on my Ubuntu 22.04, when I run autoconf2.69, I
end up with this additional hunk as changed from what our configure
currently has.

Thoughts?

Thanks,

Stephen

Attachment

Re: longfin missing gssapi_ext.h

From
Tom Lane
Date:
Stephen Frost <sfrost@snowman.net> writes:
> I'm guessing it's not really an issue but it does make changing
> configure a bit annoying on my Ubuntu 22.04, when I run autoconf2.69, I
> end up with this additional hunk as changed from what our configure
> currently has.

Not surprising.  Thanks to autoconf's long release cycles, individual
distros often are carrying local patches that affect its output.
To ensure consistent results across committers, our policy is that you
should use built-from-upstream-source autoconf not a vendor's version.
(In principle that could bite us sometime, but it hasn't yet.)

Also, you should generally run autoheader after autoconf.
Checking things here, I notice that pg_config.h.in hasn't been
updated for the last few gssapi-related commits:

$ git diff
diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in
index 3665e79..6d572c3 100644
*** a/src/include/pg_config.h.in
--- b/src/include/pg_config.h.in
***************
*** 196,201 ****
--- 196,207 ----
  /* Define to 1 if you have the `getpeerucred' function. */
  #undef HAVE_GETPEERUCRED
  
+ /* Define to 1 if you have the <gssapi_ext.h> header file. */
+ #undef HAVE_GSSAPI_EXT_H
+ 
+ /* Define to 1 if you have the <gssapi/gssapi_ext.h> header file. */
+ #undef HAVE_GSSAPI_GSSAPI_EXT_H
+ 
  /* Define to 1 if you have the <gssapi/gssapi.h> header file. */
  #undef HAVE_GSSAPI_GSSAPI_H
  
Shall I push that, or do you want to?

            regards, tom lane



Re: longfin missing gssapi_ext.h

From
Stephen Frost
Date:
Greetings,

* Tom Lane (tgl@sss.pgh.pa.us) wrote:
> Stephen Frost <sfrost@snowman.net> writes:
> > I'm guessing it's not really an issue but it does make changing
> > configure a bit annoying on my Ubuntu 22.04, when I run autoconf2.69, I
> > end up with this additional hunk as changed from what our configure
> > currently has.
>
> Not surprising.  Thanks to autoconf's long release cycles, individual
> distros often are carrying local patches that affect its output.
> To ensure consistent results across committers, our policy is that you
> should use built-from-upstream-source autoconf not a vendor's version.
> (In principle that could bite us sometime, but it hasn't yet.)

... making me more excited about the idea of getting over to meson.

> Also, you should generally run autoheader after autoconf.
> Checking things here, I notice that pg_config.h.in hasn't been
> updated for the last few gssapi-related commits:
>
> $ git diff
> diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in
> index 3665e79..6d572c3 100644
> *** a/src/include/pg_config.h.in
> --- b/src/include/pg_config.h.in
> ***************
> *** 196,201 ****
> --- 196,207 ----
>   /* Define to 1 if you have the `getpeerucred' function. */
>   #undef HAVE_GETPEERUCRED
>
> + /* Define to 1 if you have the <gssapi_ext.h> header file. */
> + #undef HAVE_GSSAPI_EXT_H
> +
> + /* Define to 1 if you have the <gssapi/gssapi_ext.h> header file. */
> + #undef HAVE_GSSAPI_GSSAPI_EXT_H
> +
>   /* Define to 1 if you have the <gssapi/gssapi.h> header file. */
>   #undef HAVE_GSSAPI_GSSAPI_H
>
> Shall I push that, or do you want to?

Hrmpf.  Sorry about that.  Please feel free and thanks for pointing it
out.

Thanks again,

Stephen

Attachment