Greetings, * Robbie Harwood (rharw...@redhat.com) wrote: > Alvaro Herrera <alvhe...@2ndquadrant.com> writes: > > > How about this? > > > > * If GSSAPI is enabled and we can reach a credential cache, > > * set up a handle for it; if it's operating, just send a > > * GSS startup message, instead of the SSL negotiation and > > * regular startup message below. > > Due to the way postgres handled this historically, there are two ways > GSSAPI can be used: for connection encryption, and for authentication > only. We perform the same dance of sending a "request packet" for > GSSAPI encryption as we do for TLS encryption. So I'd like us to be > precise about which one we're talking about here (encryption).
Alright, that's fair. > The GSSAPI idiom I should have used is "can acquire credentials" (i.e., > instead of "can reach a credential cache" in your proposal). Ok. > There's no such thing as a "GSS startup message". After negotiating > GSSAPI/TLS encryption (or failing to do so), we send the same things in > all cases, which includes negotiation of authentication mechanism if > any. (Negotiating GSSAPI for authentication after negotiating GSSAPI > for encryption will short-circuit rather than establishing a second > context, if I remember right.) Yes, you can see that around src/backend/libpq/auth.c:538 where we skip straight to pg_GSS_checkauth() if we already have encryption up and running, and if we don't then we go through pg_GSS_recvauth() (which will eventually call pg_GSS_checkauth() too). > I wonder if part of the confusion might be due to the synonyms we're > using here for "in use". Things seem to be "got running", "set up", > "operating", "negotiated", ... - maybe that's part of the barrier to > understanding? How about something like this? * If GSSAPI Encryption is enabled, then call pg_GSS_have_cred_cache() * which will return true if we can acquire credentials (and give us a * handle to use in conn->gcred), and then send a packet to the server * asking for GSSAPI Encryption (and skip past SSL negotiation and * regular startup below). Thanks, Stephen
signature.asc
Description: PGP signature
