Re: pg16 && GSSAPI && Heimdal/Macos

2025-05-28 Thread Jacob Champion
On Wed, May 28, 2025 at 2:59 PM Tom Lane wrote: > (That should make the above-depicted elog unreachable, but > belt and suspenders too isn't a bad plan.) I like that approach, if delegation on Mac ends up being too much of a pain. --Jacob

Re: pg16 && GSSAPI && Heimdal/Macos

2025-05-28 Thread Tom Lane
Jacob Champion writes: > - I also want to draw attention to the fact that libpq can't claim > that a credential is delegated if it's not; that breaks the security > of our FDWs. So pg_store_delegated_credential() cannot be a no-op. Right. What I had in mind if we cannot find an alternative imple

Re: pg16 && GSSAPI && Heimdal/Macos

2025-05-28 Thread Jacob Champion
On Wed, May 28, 2025 at 9:25 AM Jacob Champion wrote: > Personally, I'd be more happy to "maintain GSS on Mac using > non-deprecated interfaces" than "maintain GSS via Heimdal, > best-effort, some of the time". I think the former puts less of a > burden on our testing matrix. I was curious enough

Re: pg16 && GSSAPI && Heimdal/Macos

2025-05-28 Thread Jacob Champion
On Wed, May 28, 2025 at 8:53 AM Tom Lane wrote: > Even granting that we're okay with letting people build against > Heimdal, I'm not clear on the path forward. Your patch proposes > to effectively disable gss_accept_delegation, which isn't real > palatable (and would require docs and test fixes t

Re: pg16 && GSSAPI && Heimdal/Macos

2025-05-28 Thread Tom Lane
"Todd M. Kover" writes: > Where did this end up getting decided? I'm hoping, if it's going to > make it into main/master, it will be able to also make its way into pg18. I don't think anything's been decided. I've expressed my opinion, but I'm just one person. I'd hoped some other people who

Re: pg16 && GSSAPI && Heimdal/Macos

2025-05-28 Thread Todd M. Kover
Where did this end up getting decided? I'm hoping, if it's going to make it into main/master, it will be able to also make its way into pg18. As Nico wrote, my interest in opening this was especially for Apple's implementation of Kerberos (and to a lesser extent NetBSD and FreeBSD)'s which, tod

Re: pg16 && GSSAPI && Heimdal/Macos

2025-04-10 Thread Todd M. Kover
> "Todd M. Kover" writes: > > 2) some option that makes the code path for gss_store_cred_into optional > > (what would you want to call it?) > > If we do this, I see no need to call it anything. Just make configure > probe for whether the selected GSS library has gss_store_cred_into. patch

Re: pg16 && GSSAPI && Heimdal/Macos

2025-04-10 Thread Nico Williams
On Wed, Dec 06, 2023 at 06:54:22PM -0500, kov...@omniscient.com wrote: > I wanted to follow up on the decision to blow off Apple's built-in > GSSAPI. Years back, for reasons I never found, Apple switched from MIT > to Heimdal and have been maintaining their own version of it. I'm not > clear how

Re: pg16 && GSSAPI && Heimdal/Macos

2025-04-07 Thread Nico Williams
On Tue, Apr 08, 2025 at 02:18:40AM -0400, Tom Lane wrote: > Nico Williams writes: > > Heimdal in the master branch sure does; I'm the author of > > gss_store_cred_into() and gss_store_cred_into2(). Idk when we'll do an > > 8.0 release though. We've run out of steam. > > Yeah, this is what makes

Re: pg16 && GSSAPI && Heimdal/Macos

2025-04-07 Thread Tom Lane
Nico Williams writes: > On Wed, Dec 06, 2023 at 10:57:15PM -0500, Tom Lane wrote: >> The immediate reason for dropping that support is that Heimdal doesn't >> have gss_store_cred_into(), without which we can't support delegated >> credentials. AFAICT, Apple's version doesn't have that either. >

Re: pg16 && GSSAPI && Heimdal/Macos

2025-04-07 Thread Nico Williams
On Wed, Dec 06, 2023 at 10:57:15PM -0500, Tom Lane wrote: > The immediate reason for dropping that support is that Heimdal doesn't > have gss_store_cred_into(), without which we can't support delegated > credentials. AFAICT, Apple's version doesn't have that either. > We could argue about how impo

Re: pg16 && GSSAPI && Heimdal/Macos

2025-03-08 Thread Tom Lane
"Todd M. Kover" writes: > 2) some option that makes the code path for gss_store_cred_into optional > (what would you want to call it?) If we do this, I see no need to call it anything. Just make configure probe for whether the selected GSS library has gss_store_cred_into. The other options you

Re: pg16 && GSSAPI && Heimdal/Macos

2025-03-08 Thread Todd M. Kover
> "Todd M. Kover" writes: > > To that end, I'd like to propose a --with-gssapi-client-only type option > > that's mutually exclusive with --with-gssapi that will trigger gssapi > > linkage in just libpq but not in the backend. --with-gssapi would just > > turn on the same flag that --with-gss

Re: pg16 && GSSAPI && Heimdal/Macos

2025-03-08 Thread Todd M. Kover
I spent some quality time with this and wanted to revisit. It still applies for pg17 and master of git (I was mucking about with master in git). > > As you may have surmised, I use a mac as a client and use gssapi pretty > > heavily to interact with numerous postgresql databases. This has stop

Re: pg16 && GSSAPI && Heimdal/Macos

2025-03-08 Thread Tom Lane
"Todd M. Kover" writes: > To that end, I'd like to propose a --with-gssapi-client-only type option > that's mutually exclusive with --with-gssapi that will trigger gssapi > linkage in just libpq but not in the backend. --with-gssapi would just > turn on the same flag that --with-gssapi-client-only

Re: pg16 && GSSAPI && Heimdal/Macos

2023-12-06 Thread Tom Lane
kov...@omniscient.com writes: > Earlier this year, there was a thread about GSSAPI for delegated > credentials and various operating systems ultimately that Heimdal had > atrophied enough that you were comfortable not supporting it anymore as > a GSSAPI library. Yup. > As you may have surmised, I

pg16 && GSSAPI && Heimdal/Macos

2023-12-06 Thread kovert
Earlier this year, there was a thread about GSSAPI for delegated credentials and various operating systems ultimately that Heimdal had atrophied enough that you were comfortable not supporting it anymore as a GSSAPI library. Thread: https://www.postgresql.org/message-id/flat/ZDFTailRZzyGdbXl%40tam