On Wed, May 28, 2025 at 2:59 PM Tom Lane wrote:
> (That should make the above-depicted elog unreachable, but
> belt and suspenders too isn't a bad plan.)
I like that approach, if delegation on Mac ends up being too much of a pain.
--Jacob
Jacob Champion writes:
> - I also want to draw attention to the fact that libpq can't claim
> that a credential is delegated if it's not; that breaks the security
> of our FDWs. So pg_store_delegated_credential() cannot be a no-op.
Right. What I had in mind if we cannot find an alternative
imple
On Wed, May 28, 2025 at 9:25 AM Jacob Champion wrote:
> Personally, I'd be more happy to "maintain GSS on Mac using
> non-deprecated interfaces" than "maintain GSS via Heimdal,
> best-effort, some of the time". I think the former puts less of a
> burden on our testing matrix.
I was curious enough
On Wed, May 28, 2025 at 8:53 AM Tom Lane wrote:
> Even granting that we're okay with letting people build against
> Heimdal, I'm not clear on the path forward. Your patch proposes
> to effectively disable gss_accept_delegation, which isn't real
> palatable (and would require docs and test fixes t
"Todd M. Kover" writes:
> Where did this end up getting decided? I'm hoping, if it's going to
> make it into main/master, it will be able to also make its way into pg18.
I don't think anything's been decided. I've expressed my opinion,
but I'm just one person. I'd hoped some other people who
Where did this end up getting decided? I'm hoping, if it's going to
make it into main/master, it will be able to also make its way into pg18.
As Nico wrote, my interest in opening this was especially for Apple's
implementation of Kerberos (and to a lesser extent NetBSD and FreeBSD)'s
which, tod
> "Todd M. Kover" writes:
> > 2) some option that makes the code path for gss_store_cred_into optional
> > (what would you want to call it?)
>
> If we do this, I see no need to call it anything. Just make configure
> probe for whether the selected GSS library has gss_store_cred_into.
patch
On Wed, Dec 06, 2023 at 06:54:22PM -0500, kov...@omniscient.com wrote:
> I wanted to follow up on the decision to blow off Apple's built-in
> GSSAPI. Years back, for reasons I never found, Apple switched from MIT
> to Heimdal and have been maintaining their own version of it. I'm not
> clear how
On Tue, Apr 08, 2025 at 02:18:40AM -0400, Tom Lane wrote:
> Nico Williams writes:
> > Heimdal in the master branch sure does; I'm the author of
> > gss_store_cred_into() and gss_store_cred_into2(). Idk when we'll do an
> > 8.0 release though. We've run out of steam.
>
> Yeah, this is what makes
Nico Williams writes:
> On Wed, Dec 06, 2023 at 10:57:15PM -0500, Tom Lane wrote:
>> The immediate reason for dropping that support is that Heimdal doesn't
>> have gss_store_cred_into(), without which we can't support delegated
>> credentials. AFAICT, Apple's version doesn't have that either.
>
On Wed, Dec 06, 2023 at 10:57:15PM -0500, Tom Lane wrote:
> The immediate reason for dropping that support is that Heimdal doesn't
> have gss_store_cred_into(), without which we can't support delegated
> credentials. AFAICT, Apple's version doesn't have that either.
> We could argue about how impo
"Todd M. Kover" writes:
> 2) some option that makes the code path for gss_store_cred_into optional
> (what would you want to call it?)
If we do this, I see no need to call it anything. Just make configure
probe for whether the selected GSS library has gss_store_cred_into.
The other options you
> "Todd M. Kover" writes:
> > To that end, I'd like to propose a --with-gssapi-client-only type option
> > that's mutually exclusive with --with-gssapi that will trigger gssapi
> > linkage in just libpq but not in the backend. --with-gssapi would just
> > turn on the same flag that --with-gss
I spent some quality time with this and wanted to revisit. It still
applies for pg17 and master of git (I was mucking about with master in
git).
> > As you may have surmised, I use a mac as a client and use gssapi pretty
> > heavily to interact with numerous postgresql databases. This has stop
"Todd M. Kover" writes:
> To that end, I'd like to propose a --with-gssapi-client-only type option
> that's mutually exclusive with --with-gssapi that will trigger gssapi
> linkage in just libpq but not in the backend. --with-gssapi would just
> turn on the same flag that --with-gssapi-client-only
kov...@omniscient.com writes:
> Earlier this year, there was a thread about GSSAPI for delegated
> credentials and various operating systems ultimately that Heimdal had
> atrophied enough that you were comfortable not supporting it anymore as
> a GSSAPI library.
Yup.
> As you may have surmised, I
Earlier this year, there was a thread about GSSAPI for delegated
credentials and various operating systems ultimately that Heimdal had
atrophied enough that you were comfortable not supporting it anymore as
a GSSAPI library.
Thread:
https://www.postgresql.org/message-id/flat/ZDFTailRZzyGdbXl%40tam