Hi Hackers,
I found one interesting behavior when "--with-gssapi" is enabled.
Given a very "common" configuration in pg_hba.conf like the one below,
    host postgres david 192.168.0.114/32 trust
the query message is always encrypted when using a very "common" way
to connect to the PG server,
    $ psql -h pgserver -d postgres -U david
unless I specify "gssencmode=disable" with the -d option,
    $ psql -h pgserver -U david -d "dbname=postgres gssencmode=disable"
Based on the above behaviors, I did a further exercise on the Kerberos
regression test and found the test coverage is not enough. It should be
enhanced to cover the above behavior when a user specifies a "host"
entry followed by "trust" access in pg_hba.conf.
The attachment is a patch to cover the behaviors mentioned above for
the Kerberos regression test.
Any thoughts?
Thanks,
--
David
Software Engineer
Highgo Software Inc. (Canada)
www.highgo.ca
diff --git a/src/test/kerberos/t/001_auth.pl b/src/test/kerberos/t/001_auth.pl
index b3aeea9574..7c2e65ce76 100644
--- a/src/test/kerberos/t/001_auth.pl
+++ b/src/test/kerberos/t/001_auth.pl
@@ -19,7 +19,7 @@ use Test::More;
if ($ENV{with_gssapi} eq 'yes')
{
- plan tests => 18;
+ plan tests => 20;
}
else
{
@@ -333,3 +333,25 @@ test_access(
0,
'',
'succeeds with include_realm=0 and defaults');
+
+truncate($node->data_dir . '/pg_ident.conf', 0);
+unlink($node->data_dir . '/pg_hba.conf');
+$node->append_conf('pg_hba.conf',
+ qq{host all all $hostaddr/32 trust});
+$node->restart;
+
+test_access(
+ $node,
+ 'test1',
+ 'SELECT not gss_authenticated AND encrypted from pg_stat_gssapi where
pid = pg_backend_pid();',
+ 0,
+ '',
+ 'succeeds with GSS-encrypted with default gssencmode and host trust
hba');
+
+test_access(
+ $node,
+ "test1",
+ 'SELECT not gss_authenticated and not encrypted from pg_stat_gssapi
where pid = pg_backend_pid();',
+ 0,
+ "gssencmode=disable",
+ "succeeds with GSS encryption disabled with access disabled and host
trust hba");
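Review bot: the string literals in the two added test_access calls are wrapped onto continuation lines that carry no leading "+" (for example "pid = pg_backend_pid();'," and "trust hba");"), so the hunk looks mangled by the mail client and will not apply as posted; please resend it as an attachment or with line wrapping disabled. The name of the last test, "succeeds with GSS encryption disabled with access disabled and host trust hba", is hard to read because "with access disabled" contradicts "succeeds"; wording that names the setting under test (gssencmode=disable with a host trust entry) would match what the query asserts. A short comment above the truncate/unlink lines explaining why pg_ident.conf is emptied and pg_hba.conf is replaced for the trust case would help, and the SQL keyword case ("AND" in the first query, "and" in the second) could be made consistent.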