At 2023-05-20 23:21:57 -0400, t...@sss.pgh.pa.us wrote:
>
> Nathan Bossart <nathandboss...@gmail.com> writes:
> > On Sat, May 20, 2023 at 09:33:44PM -0400, Bruce Momjian wrote:
> >> With less than 48 hours to beta 1 packaging, I have made this change and
> >> adjusted internal variable to match.
> 
> > The buildfarm and cfbot seem unhappy with 9c0a0e2.  It looks like there are
> > a few remaining uses of gss_accept_deleg to rename.  I'm planning to commit
> > the attached patch shortly.
> 
> I thought the plan was to also rename the libpq "gssdeleg" connection
> parameter and so on?  I can look into that tomorrow, if nobody beats
> me to it.

I was trying the change to see if it would be better to name it
"gssdelegate" instead (as in delegate on one side, and accept the
delegation on the other), but decided that "gssdelegation=enable"
reads better than "gssdelegate=enable".

Here's the diff.

-- Abhijit
diff --git a/contrib/postgres_fdw/expected/postgres_fdw.out b/contrib/postgres_fdw/expected/postgres_fdw.out
index 826baac9f1..c8c4614b54 100644
--- a/contrib/postgres_fdw/expected/postgres_fdw.out
+++ b/contrib/postgres_fdw/expected/postgres_fdw.out
@@ -172,7 +172,7 @@ ALTER SERVER testserver1 OPTIONS (
 	--requirepeer 'value',
 	krbsrvname 'value',
 	gsslib 'value',
-	gssdeleg 'value'
+	gssdelegation 'value'
 	--replication 'value'
 );
 -- Error, invalid list syntax
diff --git a/contrib/postgres_fdw/option.c b/contrib/postgres_fdw/option.c
index fe40d50c6d..5c301e0ef3 100644
--- a/contrib/postgres_fdw/option.c
+++ b/contrib/postgres_fdw/option.c
@@ -289,10 +289,10 @@ InitPgFdwOptions(void)
 		{"sslkey", UserMappingRelationId, true},
 
 		/*
-		 * gssdeleg is also a libpq option but should be allowed in a user
-		 * mapping context too
+		 * gssdelegation is also a libpq option but should be allowed in
+		 * a user mapping context too
 		 */
-		{"gssdeleg", UserMappingRelationId, true},
+		{"gssdelegation", UserMappingRelationId, true},
 
 		{NULL, InvalidOid, false}
 	};
diff --git a/contrib/postgres_fdw/sql/postgres_fdw.sql b/contrib/postgres_fdw/sql/postgres_fdw.sql
index 15f3af6c29..b54903ad8f 100644
--- a/contrib/postgres_fdw/sql/postgres_fdw.sql
+++ b/contrib/postgres_fdw/sql/postgres_fdw.sql
@@ -186,7 +186,7 @@ ALTER SERVER testserver1 OPTIONS (
 	--requirepeer 'value',
 	krbsrvname 'value',
 	gsslib 'value',
-	gssdeleg 'value'
+	gssdelegation 'value'
 	--replication 'value'
 );
 
diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index cce25d06e6..e38a7debc3 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -2054,8 +2054,8 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
       </listitem>
      </varlistentry>
 
-     <varlistentry id="libpq-connect-gssdeleg" xreflabel="gssdeleg">
-      <term><literal>gssdeleg</literal></term>
+     <varlistentry id="libpq-connect-gssdelegation" xreflabel="gssdelegation">
+      <term><literal>gssdelegation</literal></term>
       <listitem>
        <para>
         Forward (delegate) GSS credentials to the server.  The default is
@@ -8271,10 +8271,10 @@ myEventProc(PGEventId evtId, void *evtInfo, void *passThrough)
     <listitem>
      <para>
       <indexterm>
-       <primary><envar>PGGSSDELEG</envar></primary>
+       <primary><envar>PGGSSDELEGATION</envar></primary>
       </indexterm>
-      <envar>PGGSSDELEG</envar> behaves the same as the <xref
-      linkend="libpq-connect-gssdeleg"/> connection parameter.
+      <envar>PGGSSDELEGATION</envar> behaves the same as the <xref
+      linkend="libpq-connect-gssdelegation"/> connection parameter.
      </para>
     </listitem>
 
diff --git a/src/backend/foreign/foreign.c b/src/backend/foreign/foreign.c
index 6e1977fa62..ca3ad55b62 100644
--- a/src/backend/foreign/foreign.c
+++ b/src/backend/foreign/foreign.c
@@ -574,7 +574,7 @@ static const struct ConnectionOption libpq_conninfo_options[] = {
 	{"requiressl", ForeignServerRelationId},
 	{"sslmode", ForeignServerRelationId},
 	{"gsslib", ForeignServerRelationId},
-	{"gssdeleg", ForeignServerRelationId},
+	{"gssdelegation", ForeignServerRelationId},
 	{NULL, InvalidOid}
 };
 
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index 0dc31988b4..de0e13e50d 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -97,7 +97,7 @@ pg_GSS_continue(PGconn *conn, int payloadlen)
 	if (!pg_GSS_have_cred_cache(&conn->gcred))
 		conn->gcred = GSS_C_NO_CREDENTIAL;
 
-	if (conn->gssdeleg && pg_strcasecmp(conn->gssdeleg, "enable") == 0)
+	if (conn->gssdelegation && pg_strcasecmp(conn->gssdelegation, "enable") == 0)
 		gss_flags |= GSS_C_DELEG_FLAG;
 
 	maj_stat = gss_init_sec_context(&min_stat,
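Review bot: The delegation test on the changed line, `conn->gssdelegation && pg_strcasecmp(conn->gssdelegation, "enable") == 0`, treats every value other than "enable" (a misspelling included) as "do not delegate", and nothing in the hunk says so. That is the safe direction for a setting that forwards Kerberos credentials, but it deserves a comment such as `/* Only "enable" sets GSS_C_DELEG_FLAG; unset or any other value leaves delegation off */`. The identical expression appears in pqsecure_open_gss() in fe-secure-gssapi.c, so a small shared helper would keep the two call sites from drifting apart. Whether the option value is validated before it reaches this point is not visible in the patch, and pg_GSS_continue's body starts and ends outside the hunk.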
diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
index 30486c59ba..786d22a770 100644
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -343,9 +343,9 @@ static const internalPQconninfoOption PQconninfoOptions[] = {
 		"GSS-library", "", 7,	/* sizeof("gssapi") == 7 */
 	offsetof(struct pg_conn, gsslib)},
 
-	{"gssdeleg", "PGGSSDELEG", NULL, NULL,
+	{"gssdelegation", "PGGSSDELEGATION", NULL, NULL,
 		"GSS-delegation", "", 8,	/* sizeof("disable") == 8 */
-	offsetof(struct pg_conn, gssdeleg)},
+	offsetof(struct pg_conn, gssdelegation)},
 
 	{"replication", NULL, NULL, NULL,
 		"Replication", "D", 5,
@@ -4453,7 +4453,7 @@ freePGconn(PGconn *conn)
 	free(conn->gssencmode);
 	free(conn->krbsrvname);
 	free(conn->gsslib);
-	free(conn->gssdeleg);
+	free(conn->gssdelegation);
 	free(conn->connip);
 	/* Note that conn->Pfdebug is not ours to close or free */
 	free(conn->write_err_msg);
diff --git a/src/interfaces/libpq/fe-secure-gssapi.c b/src/interfaces/libpq/fe-secure-gssapi.c
index 3b2d0fd140..268970eaa0 100644
--- a/src/interfaces/libpq/fe-secure-gssapi.c
+++ b/src/interfaces/libpq/fe-secure-gssapi.c
@@ -622,14 +622,14 @@ pqsecure_open_gss(PGconn *conn)
 	if (ret != STATUS_OK)
 		return PGRES_POLLING_FAILED;
 
-	if (conn->gssdeleg && pg_strcasecmp(conn->gssdeleg, "enable") == 0)
+	if (conn->gssdelegation && pg_strcasecmp(conn->gssdelegation, "enable") == 0)
 	{
 		/* Acquire credentials if possible */
 		if (conn->gcred == GSS_C_NO_CREDENTIAL)
 			(void) pg_GSS_have_cred_cache(&conn->gcred);
 
 		/*
-		 * We have credentials and gssdeleg is enabled, so request credential
+		 * We have credentials and gssdelegation is enabled, so request credential
 		 * delegation.  This may or may not actually result in credentials
 		 * being delegated- it depends on if the forwardable flag has been set
 		 * in the credential and if the server is configured to accept
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index e985b57cb5..f1854f9919 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -404,7 +404,7 @@ struct pg_conn
 	char	   *krbsrvname;		/* Kerberos service name */
 	char	   *gsslib;			/* What GSS library to use ("gssapi" or
 								 * "sspi") */
-	char	   *gssdeleg;		/* Try to delegate GSS credentials? */
+	char	   *gssdelegation;	/* Try to delegate GSS credentials? */
 	char	   *ssl_min_protocol_version;	/* minimum TLS protocol version */
 	char	   *ssl_max_protocol_version;	/* maximum TLS protocol version */
 	char	   *target_session_attrs;	/* desired session properties */
diff --git a/src/test/kerberos/t/001_auth.pl b/src/test/kerberos/t/001_auth.pl
index 5aff49a513..ba307b36a2 100644
--- a/src/test/kerberos/t/001_auth.pl
+++ b/src/test/kerberos/t/001_auth.pl
@@ -381,7 +381,7 @@ test_access(
 	'test1',
 	'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
 	0,
-	'gssencmode=prefer gssdeleg=enable',
+	'gssencmode=prefer gssdelegation=enable',
 	'succeeds with GSS-encrypted access preferred with host hba and credentials not delegated even though asked for (ticket not forwardable)',
 	"connection authenticated: identity=\"test1\@$realm\" method=gss",
 	"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=no, principal=test1\@$realm)"
@@ -391,7 +391,7 @@ test_access(
 	'test1',
 	'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
 	0,
-	'gssencmode=require gssdeleg=enable',
+	'gssencmode=require gssdelegation=enable',
 	'succeeds with GSS-encrypted access required with host hba and credentials not delegated even though asked for (ticket not forwardable)',
 	"connection authenticated: identity=\"test1\@$realm\" method=gss",
 	"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=no, principal=test1\@$realm)"
@@ -480,7 +480,7 @@ test_access(
 	'test1',
 	'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
 	0,
-	'gssencmode=prefer gssdeleg=enable',
+	'gssencmode=prefer gssdelegation=enable',
 	'succeeds with GSS-encrypted access preferred and hostgssenc hba and credentials not forwarded (server does not accept them, default)',
 	"connection authenticated: identity=\"test1\@$realm\" method=gss",
 	"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=no, principal=test1\@$realm)"
@@ -490,7 +490,7 @@ test_access(
 	'test1',
 	'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
 	0,
-	'gssencmode=require gssdeleg=enable',
+	'gssencmode=require gssdelegation=enable',
 	'succeeds with GSS-encrypted access required and hostgssenc hba and credentials not forwarded (server does not accept them, default)',
 	"connection authenticated: identity=\"test1\@$realm\" method=gss",
 	"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=no, principal=test1\@$realm)"
@@ -504,7 +504,7 @@ test_access(
 	'test1',
 	'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
 	0,
-	'gssencmode=prefer gssdeleg=enable',
+	'gssencmode=prefer gssdelegation=enable',
 	'succeeds with GSS-encrypted access preferred and hostgssenc hba and credentials not forwarded (server does not accept them, explicitly disabled)',
 	"connection authenticated: identity=\"test1\@$realm\" method=gss",
 	"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=no, principal=test1\@$realm)"
@@ -514,7 +514,7 @@ test_access(
 	'test1',
 	'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
 	0,
-	'gssencmode=require gssdeleg=enable',
+	'gssencmode=require gssdelegation=enable',
 	'succeeds with GSS-encrypted access required and hostgssenc hba and credentials not forwarded (server does not accept them, explicitly disabled)',
 	"connection authenticated: identity=\"test1\@$realm\" method=gss",
 	"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=no, principal=test1\@$realm)"
@@ -528,7 +528,7 @@ test_access(
 	'test1',
 	'SELECT gss_authenticated AND encrypted AND credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
 	0,
-	'gssencmode=prefer gssdeleg=enable',
+	'gssencmode=prefer gssdelegation=enable',
 	'succeeds with GSS-encrypted access preferred and hostgssenc hba and credentials forwarded',
 	"connection authenticated: identity=\"test1\@$realm\" method=gss",
 	"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=yes, principal=test1\@$realm)"
@@ -538,7 +538,7 @@ test_access(
 	'test1',
 	'SELECT gss_authenticated AND encrypted AND credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
 	0,
-	'gssencmode=require gssdeleg=enable',
+	'gssencmode=require gssdelegation=enable',
 	'succeeds with GSS-encrypted access required and hostgssenc hba and credentials forwarded',
 	"connection authenticated: identity=\"test1\@$realm\" method=gss",
 	"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=yes, principal=test1\@$realm)"
@@ -558,7 +558,7 @@ test_access(
 	'test1',
 	'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
 	0,
-	'gssencmode=require gssdeleg=disable',
+	'gssencmode=require gssdelegation=disable',
 	'succeeds with GSS-encrypted access required and hostgssenc hba and credentials explicitly not forwarded',
 	"connection authenticated: identity=\"test1\@$realm\" method=gss",
 	"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=no, principal=test1\@$realm)"
@@ -572,7 +572,7 @@ $psql_rc = $node->psql(
 	'postgres',
 	"SELECT * FROM dblink('user=test1 dbname=$dbname host=$host hostaddr=$hostaddr port=$port','select 1') as t1(c1 int);",
 	connstr =>
-	  "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdeleg=disable",
+	  "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=disable",
 	stdout => \$psql_out,
 	stderr => \$psql_stderr);
 is($psql_rc, '3', 'dblink attempt fails without delegated credentials');
@@ -589,7 +589,7 @@ $psql_rc = $node->psql(
 	'postgres',
 	"SELECT * FROM dblink('user=test2 dbname=$dbname port=$port passfile=$pgpass','select 1') as t1(c1 int);",
 	connstr =>
-	  "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdeleg=disable",
+	  "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=disable",
 	stdout => \$psql_out,
 	stderr => \$psql_stderr);
 is($psql_rc, '3',
@@ -608,7 +608,7 @@ $psql_rc = $node->psql(
 	'postgres',
 	"TABLE tf1;",
 	connstr =>
-	  "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdeleg=disable",
+	  "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=disable",
 	stdout => \$psql_out,
 	stderr => \$psql_stderr);
 is($psql_rc, '3', 'postgres_fdw does not work without delegated credentials');
@@ -626,7 +626,7 @@ $psql_rc = $node->psql(
 	'postgres',
 	"TABLE tf2;",
 	connstr =>
-	  "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdeleg=disable",
+	  "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=disable",
 	stdout => \$psql_out,
 	stderr => \$psql_stderr);
 is($psql_rc, '3',
@@ -668,7 +668,7 @@ test_access(
 	'test1',
 	'SELECT gss_authenticated AND NOT encrypted AND credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
 	0,
-	'gssencmode=prefer gssdeleg=enable',
+	'gssencmode=prefer gssdelegation=enable',
 	'succeeds with GSS-encrypted access preferred and hostnogssenc hba, but no encryption',
 	"connection authenticated: identity=\"test1\@$realm\" method=gss",
 	"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=no, deleg_credentials=yes, principal=test1\@$realm)"
@@ -680,7 +680,7 @@ test_access(
 	'test1',
 	'SELECT gss_authenticated AND NOT encrypted AND credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
 	0,
-	'gssencmode=disable gssdeleg=enable',
+	'gssencmode=disable gssdelegation=enable',
 	'succeeds with GSS encryption disabled and hostnogssenc hba',
 	"connection authenticated: identity=\"test1\@$realm\" method=gss",
 	"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=no, deleg_credentials=yes, principal=test1\@$realm)"
@@ -691,7 +691,7 @@ test_query(
 	'test1',
 	"SELECT * FROM dblink('user=test1 dbname=$dbname host=$host hostaddr=$hostaddr port=$port','select 1') as t1(c1 int);",
 	qr/^1$/s,
-	'gssencmode=prefer gssdeleg=enable',
+	'gssencmode=prefer gssdelegation=enable',
 	'dblink works not-encrypted (server not configured to accept encrypted GSSAPI connections)'
 );
 
@@ -700,7 +700,7 @@ test_query(
 	'test1',
 	"TABLE tf1;",
 	qr/^1$/s,
-	'gssencmode=prefer gssdeleg=enable',
+	'gssencmode=prefer gssdelegation=enable',
 	'postgres_fdw works not-encrypted (server not configured to accept encrypted GSSAPI connections)'
 );
 
@@ -711,7 +711,7 @@ $psql_rc = $node->psql(
 	'postgres',
 	"SELECT * FROM dblink('user=test2 dbname=$dbname port=$port passfile=$pgpass','select 1') as t1(c1 int);",
 	connstr =>
-	  "user=test1 host=$host hostaddr=$hostaddr gssencmode=prefer gssdeleg=enable",
+	  "user=test1 host=$host hostaddr=$hostaddr gssencmode=prefer gssdelegation=enable",
 	stdout => \$psql_out,
 	stderr => \$psql_stderr);
 is($psql_rc, '3',
@@ -730,7 +730,7 @@ $psql_rc = $node->psql(
 	'postgres',
 	"TABLE tf2;",
 	connstr =>
-	  "user=test1 host=$host hostaddr=$hostaddr gssencmode=prefer gssdeleg=enable",
+	  "user=test1 host=$host hostaddr=$hostaddr gssencmode=prefer gssdelegation=enable",
 	stdout => \$psql_out,
 	stderr => \$psql_stderr);
 is($psql_rc, '3',
@@ -760,7 +760,7 @@ test_access(
 	'test1',
 	'SELECT gss_authenticated AND encrypted AND credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
 	0,
-	'gssdeleg=enable',
+	'gssdelegation=enable',
 	'succeeds with include_realm=0 and defaults',
 	"connection authenticated: identity=\"test1\@$realm\" method=gss",
 	"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=yes, principal=test1\@$realm)"
@@ -771,12 +771,12 @@ test_query(
 	'test1',
 	"SELECT * FROM dblink('user=test1 dbname=$dbname host=$host hostaddr=$hostaddr port=$port password=1234','select 1') as t1(c1 int);",
 	qr/^1$/s,
-	'gssencmode=require gssdeleg=enable',
+	'gssencmode=require gssdelegation=enable',
 	'dblink works encrypted');
 
 test_query(
 	$node, 'test1', "TABLE tf1;", qr/^1$/s,
-	'gssencmode=require gssdeleg=enable',
+	'gssencmode=require gssdelegation=enable',
 	'postgres_fdw works encrypted');
 
 # Reset pg_hba.conf, and cause a usermap failure with an authentication
