Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert

2023-01-10 Thread Jacob Champion
onn->errorMessage, -+libpq_gettext("weak sslmode \"%s\" may not be used with sslrootcert=system\n"), -+conn->sslmode); ++ libpq_append_conn_error(conn, "weak sslmode
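Review bot: libpq_append_conn_error() appends the trailing newline itself, so the new format string must not keep the "\n" that the removed libpq_gettext("weak sslmode \"%s\" may not be used with sslrootcert=system\n") carried; the fragment is cut off right after "weak sslmode, so confirm the replacement literal ends without "\n", otherwise the error text gains a blank line.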

Can we let extensions change their dumped catalog schemas?

2023-01-10 Thread Jacob Champion
Hi all, I've been talking to other Timescale devs about a requested change to pg_dump, and there's been quite a bit of back-and-forth to figure out what, exactly, we want. Any mistakes here are mine, but I think we've been able to distill it down to the following request: We'd like to be allowed

Re: XID formatting and SLRU refactorings (was: Add 64-bit XIDs into PostgreSQL 15)

2023-01-11 Thread Jacob Champion
On Wed, Jan 11, 2023 at 1:48 AM Aleksander Alekseev wrote: > After reading [1] carefully it looks like we shouldn't worry about > this. The upgrade procedure explicitly requires to run `pg_ctl stop` > during step 8 of the upgrade procedure, i.e. not in the immediate mode > [2]. Yeah, pg_upgrade w

Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert

2023-01-11 Thread Jacob Champion
On Wed, Jan 11, 2023 at 6:37 AM Jelte Fennema wrote: > > LGTM. As far as I can tell this is ready for a committer. Thanks for the reviews! --Jacob

Re: Can we let extensions change their dumped catalog schemas?

2023-01-11 Thread Jacob Champion
On Tue, Jan 10, 2023 at 7:53 PM Tom Lane wrote: > Jacob Champion writes: > > Unless I'm missing something obvious (please, let it be that) there's no > > way to do this safely. Once you've marked an internal table as dumpable, > > its schema is effectively f

Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert

2023-01-11 Thread Jacob Champion
On Wed, Jan 11, 2023 at 10:23 AM Magnus Hagander wrote: > Sorry to jump in (very) late in this game. So first, I like this general > approach :) Thanks! > It feels icky to have to add configure tests just to make a test work. But I > guess there isn't really a way around that if we want to tes

Re: Can we let extensions change their dumped catalog schemas?

2023-01-12 Thread Jacob Champion
On Wed, Jan 11, 2023 at 1:03 PM Tom Lane wrote: > Jacob Champion writes: > > Right, I think it would have to be opt-in. Say, a new control file > > option dump_version or some such. > > That would require all the installed extensions to cope with this > the same way, wh

Re: [EXTERNAL] Re: Support load balancing in libpq

2023-01-12 Thread Jacob Champion
On Wed, Sep 14, 2022 at 7:54 AM Maxim Orlov wrote: > For the patch itself, I think it is better to use a more precise time > function in libpq_prng_init or call it only once. > Thought it is a special corner case, imagine all the connection attempts at > first second will be seeded with the save

Re: [EXTERNAL] Re: Support load balancing in libpq

2023-01-13 Thread Jacob Champion
On Fri, Jan 13, 2023 at 9:10 AM Jelte Fennema wrote: > > > Just a quick single-issue review, but I agree with Maxim that having > > one PRNG, seeded once, would be simpler > > I don't agree that it's simpler. Because now there's a mutex you have > to manage, and honestly cross-platform threading i

Re: [PoC] Federated Authn/z with OAUTHBEARER

2023-01-17 Thread Jacob Champion
On Sun, Jan 15, 2023 at 12:03 PM Andrey Chudnovsky wrote: > 2. Removed Device Code implementation in libpq. Several reasons: >- Reduce scope and focus on the protocol first. >- Device code implementation uses iddawc dependency. Taking this > dependency is a controversial step which require

Re: [EXTERNAL] Re: Support load balancing in libpq

2023-01-17 Thread Jacob Champion
On Fri, Jan 13, 2023 at 10:44 AM Jacob Champion wrote: > And my thought was that the one-time > initialization could be moved to a place that doesn't need to know the > connection options at all, to make it easier to reason about the > architecture. Say, next to the WSAStartup
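The seeding concern raised in this thread (every connection attempt started within the same second drawing the same seed) can be made concrete with a small simulation. This is an added illustration written for this index page, not libpq's load-balancing code: the host names, pid and timestamps are constructed, `conn_id` stands in for a per-connection value such as the connection struct's address, and the mixing function is an assumption, not what the patch implements.

```python
"""Simulation of libpq-style host shuffling under two PRNG seeding policies.
Added illustration for this thread, not libpq code; host names are constructed."""
import hashlib
import os
import random
from collections import Counter

HOSTS = ("db1.example", "db2.example", "db3.example")  # constructed sample


def shuffle_hosts(seed: int, hosts=HOSTS):
    """Order the host list with a PRNG seeded from `seed` (one per connection attempt)."""
    rng = random.Random(seed)
    order = list(hosts)
    rng.shuffle(order)
    return tuple(order)


def seed_from_seconds(now_ns: int, pid: int, conn_id: int) -> int:
    """Weak policy: the seed is the wall clock truncated to whole seconds.
    Every attempt started within the same second gets the same seed, hence
    the same host order, so they all hit the same first host."""
    return now_ns // 1_000_000_000


def seed_mixed(now_ns: int, pid: int, conn_id: int) -> int:
    """Stronger policy (an assumption, not the patch's code): mix the full-
    resolution clock, the pid, a per-connection value and OS entropy, so
    two attempts in the same second no longer collide."""
    h = hashlib.sha256()
    h.update(now_ns.to_bytes(8, "little"))
    h.update(pid.to_bytes(4, "little"))
    h.update(conn_id.to_bytes(8, "little"))
    h.update(os.urandom(16))
    return int.from_bytes(h.digest()[:8], "little")


def simulate(seed_fn, attempts: int, start_ns: int = 1_700_000_000_000_000_000,
             spacing_ns: int = 100_000, pid: int = 4242) -> Counter:
    """Start `attempts` connections `spacing_ns` apart (all inside one second
    with the defaults) and count how often each host order comes out."""
    orders = Counter()
    for i in range(attempts):
        seed = seed_fn(start_ns + i * spacing_ns, pid, i)
        orders[shuffle_hosts(seed)] += 1
    return orders


def first_host_share(orders: Counter) -> float:
    """Largest fraction of attempts that chose the same first host:
    1.0 means no balancing at all, about 1/len(HOSTS) is the ideal."""
    firsts = Counter()
    for order, n in orders.items():
        firsts[order[0]] += n
    return max(firsts.values()) / sum(firsts.values())


if __name__ == "__main__":
    for name, fn in (("seconds", seed_from_seconds), ("mixed", seed_mixed)):
        o = simulate(fn, 1000)
        print(f"{name:8s} distinct orders={len(o)} worst first-host share={first_host_share(o):.2f}")
```

With the coarse seed, a burst of 1000 attempts inside one second produces a single host order and every client lands on the same first host; with the mixed seed all six orders of three hosts appear. Whether the mixing happens in one process-wide PRNG behind a mutex or in a per-connection state is the separate architectural question the thread is debating; the simulation only shows why the seed must not be the second counter.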

Re: Can we let extensions change their dumped catalog schemas?

2023-01-17 Thread Jacob Champion
On 1/12/23 11:04, Jacob Champion wrote: > On Wed, Jan 11, 2023 at 1:03 PM Tom Lane wrote: >> Jacob Champion writes: >>> Right, I think it would have to be opt-in. Say, a new control file >>> option dump_version or some such. >> >> That would require all the

Re: Data is copied twice when specifying both child and parent table in publication

2023-03-27 Thread Jacob Champion
On Mon, Mar 20, 2023 at 11:22 PM Amit Kapila wrote: > If the tests you have in mind are only related to this patch set then > feel free to propose them here if you feel the current ones are not > sufficient. I think the new tests added by Wang cover my concerns (thanks!). I share Peter's comment

Re: Data is copied twice when specifying both child and parent table in publication

2023-03-28 Thread Jacob Champion
On Tue, Mar 28, 2023 at 2:59 AM wangw.f...@fujitsu.com wrote: > The scenario of this bug is to subscribe to two publications at the same time, > and these two publications publish parent table and child table respectively. > And option via_root is specified in both publications or only in the > p

Re: zstd compression for pg_dump

2023-03-28 Thread Jacob Champion
On Wed, Mar 15, 2023 at 9:50 PM Justin Pryzby wrote: > On Fri, Mar 10, 2023 at 12:48:13PM -0800, Jacob Champion wrote: > > It looks like pg_dump's meson.build is missing dependencies on zstd > > (meson couldn't find the headers in the subproject without them). > >

Re: zstd compression for pg_dump

2023-03-29 Thread Jacob Champion
On Wed, Mar 29, 2023 at 6:35 AM Justin Pryzby wrote: > If you have a zstd library with thread support, you could test with > -Z zstd:workers=3. But I think threads aren't enabled in the common > libzstd packages. Jacob figured out how to compile libzstd easily using > "meson wraps" - but I don't

Re: Data is copied twice when specifying both child and parent table in publication

2023-03-30 Thread Jacob Champion
On Wed, Mar 29, 2023 at 2:00 AM Amit Kapila wrote: > Pushed. While rebasing my logical-roots patch over the top of this, I ran into another situation where mixed viaroot settings can duplicate data. The key idea is to subscribe to two publications with mixed settings, as before, and add a partiti

Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert

2023-03-31 Thread Jacob Champion
On 3/31/23 02:14, Daniel Gustafsson wrote: >> On 14 Mar 2023, at 20:20, Jacob Champion wrote: > >> Rebased over yesterday's Meson changes in v8. > > I had a look at this and agree that it's something we should do. Great, thanks for the review! > + # Let t

Re: Data is copied twice when specifying both child and parent table in publication

2023-03-31 Thread Jacob Champion
On 3/30/23 20:01, Peter Smith wrote: > For example, Just imagine if logic could be made smarter to recognize > that since there was already the 'part_def' being subscribed so it > should NOT use the default 'copy_data=true' when the REFRESH launches > the ancestor table 'part'... > > Even if that

Re: Data is copied twice when specifying both child and parent table in publication

2023-03-31 Thread Jacob Champion
On 3/31/23 03:04, shiy.f...@fujitsu.com wrote: > I noticed that a similar problem has been discussed in this thread, see [1] > [2] > [3] [4]. Ah, thank you. I didn't go far enough back in the thread... > It seems complicated to fix it if we want to automatically skip tables > that have been sync

Re: RFC: logical publication via inheritance root?

2023-03-31 Thread Jacob Champion
On Fri, Mar 31, 2023 at 3:17 PM Peter Smith wrote: > OK, my understanding is that TimescaleDB uses some kind of > quasi-partitioned/inherited tables (aka hypertables? [1]) internally, > and your proposed WIP patch provides a set_logical_root() function > which combines with the logical replication

Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert

2023-04-03 Thread Jacob Champion
On Sun, Apr 2, 2023 at 1:36 PM Daniel Gustafsson wrote: > > On 31 Mar 2023, at 19:59, Jacob Champion wrote: > > I can make that change; note that it'll also skip some of the new tests > > with OpenSSL 1.0.1, where there's no SSL_CTX_set_cert_cb. If that's >

Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert

2023-04-03 Thread Jacob Champion
- - ## src/include/pg_config.h.in ## -@@ -don't. */ - #undef HAVE_DECL_F_FULLFSYNC - -+/* Define to 1 if you have the declaration of `LIBRESSL_VERSION_NUMBER', and -+ to 0 if you don't. */ -+#undef HAVE_DECL_LIBRESSL_VERSION_NUMBER -+ - /* D

Re: RFC: logical publication via inheritance root?

2023-04-04 Thread Jacob Champion
On Mon, Apr 3, 2023 at 8:53 PM Peter Smith wrote: > > FYI, the WIP patch does not seem to apply cleanly anymore using the latest > HEAD. Yes, sorry -- after 062a84442, the architecture needs to change in a way that I'm still working through. I've moved the patch to Waiting on Author while I figu

Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert

2023-04-05 Thread Jacob Champion
On Wed, Apr 5, 2023 at 2:27 PM Daniel Gustafsson wrote: > I squashed and pushed v10 with a few small comment tweaks for typos and some > pgindenting. Thanks! Thank you very much! --Jacob

Re: [PATCH] Allow Postgres to pick an unused port to listen

2023-04-12 Thread Jacob Champion
On Fri, Apr 7, 2023 at 5:07 AM Andrew Dunstan wrote: > For TAP tests we have pretty much resolved the port collisions issue for TCP > ports too. See commit 9b4eafcaf4 The Cirrus config still has the following for the Windows tests: # Avoids port conflicts between concurrent tap test runs

Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert

2023-04-12 Thread Jacob Champion
On Wed, Apr 12, 2023 at 2:24 AM Daniel Gustafsson wrote: > > On 12 Apr 2023, at 09:11, Peter Eisentraut > > wrote: > > # Failed test 'sslrootcert=system does not connect with private CA: > > matches' > > # at t/001_ssltests.pl line 479. > > # 'psql: error: connection to se

Re: postgres_fdw, dblink, and CREATE SUBSCRIPTION security

2023-04-12 Thread Jacob Champion
On 3/30/23 05:58, Robert Haas wrote: > On Fri, Mar 24, 2023 at 5:47 PM Jacob Champion > wrote: >> Okay, but this is walking back from the network example you just >> described upthread. Do you still consider that in scope, or...? > > Sorry, I don't know which examp

Re: postgres_fdw, dblink, and CREATE SUBSCRIPTION security

2023-04-12 Thread Jacob Champion
On 3/30/23 11:13, Stephen Frost wrote: >> Okay, but this is walking back from the network example you just >> described upthread. Do you still consider that in scope, or...? > > The concern around the network certainly needs to be in-scope overall. Sounds good! > Who are we trusting with what?

Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert

2023-04-12 Thread Jacob Champion
(Peter, your emails are being redirected to spam for me, FYI. Something about messagingengine.) On Wed, Apr 12, 2023 at 12:57 PM Daniel Gustafsson wrote: > > On 12 Apr 2023, at 21:43, Peter Eisentraut > > wrote: > > On 12.04.23 18:54, Jacob Champion wrote: > >> Peter

Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert

2023-04-14 Thread Jacob Champion
On Fri, Apr 14, 2023 at 7:20 AM Daniel Gustafsson wrote: > And again with the attachment. After some sleep... From inspection I think the final EOF branch could be masked by the new branch, if verification has failed but was already ignored. To test that, I tried hanging up on the client partway

Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert

2023-04-17 Thread Jacob Champion
On Fri, Apr 14, 2023 at 3:36 PM Daniel Gustafsson wrote: > This "error: Success" error has been reported to the list numerous times as > misleading, and I'd love to make progress on improving error reporting during > the v17 cycle. Agreed! > The attached checks for the specific known error, and

Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert

2023-04-21 Thread Jacob Champion
me. --Jacob From d791e61b7af76674697e8b217c2531c2da5aacf3 Mon Sep 17 00:00:00 2001 From: Jacob Champion Date: Wed, 12 Apr 2023 13:22:31 -0700 Subject: [PATCH v99] CI: undo Homebrew OpenSSL workaround ...after 0b5d1fb36, which recognizes the "unregistered scheme" error condition

Re: [PoC] Federated Authn/z with OAUTHBEARER

2023-04-27 Thread Jacob Champion
On Fri, Sep 23, 2022 at 3:39 PM Jacob Champion wrote: > Here's a newly rebased v5. (They're all zipped now, which I probably > should have done a while back, sorry.) To keep this current, v7 is rebased over latest, without the pluggable authentication patches. This doesn&#

Re: [PATCH] Accept IP addresses in server certificate SANs

2022-03-24 Thread Jacob Champion
On Thu, 2022-03-24 at 17:10 +0900, Kyotaro Horiguchi wrote: > I'm fine with it. Thanks. I marked it as Ready-for-Committer. Thank you for the reviews and feedback! --Jacob

Re: [PATCH] Expose port->authn_id to extensions and triggers

2022-03-24 Thread Jacob Champion
On Wed, 2022-03-23 at 16:54 -0700, Andres Freund wrote: > On 2022-03-23 23:06:14 +0000, Jacob Champion wrote: > > On Wed, 2022-03-23 at 19:00 -0400, Tom Lane wrote: > > > Hm. I was more envisioning getting the "sharable" info out of Port > > > entirely, althou

Re: [PATCH] Enable SSL library detection via PQsslAttribute

2022-03-25 Thread Jacob Champion
On Fri, 2022-03-25 at 15:32 -0400, Robert Haas wrote: > On Mon, Feb 28, 2022 at 3:21 PM Jacob Champion wrote: > > v3 rebases over Andres' changes and actually adds the Perl driver that > > I missed the git-add for. > > This seems totally reasonable. However, I

Re: [PATCH] Enable SSL library detection via PQsslAttribute

2022-03-25 Thread Jacob Champion
On Fri, 2022-03-25 at 18:00 -0400, Tom Lane wrote: > Jacob Champion writes: > > Do I need to merge my tiny test program into the libpq_pipeline tests? > > Doesn't seem worth the trouble to me, notably because you'd > then have to cope with non-SSL builds too. Fine b

Re: [PATCH] Accept IP addresses in server certificate SANs

2022-03-28 Thread Jacob Champion
uld fix the apply failures that Greg pointed out. --Jacob From 0025dcecab2d05c30e118105ea7d461ce98a8466 Mon Sep 17 00:00:00 2001 From: Jacob Champion Date: Wed, 24 Nov 2021 14:46:11 -0800 Subject: [PATCH v11 1/3] Move inet_net_pton() to src/port This will be helpful for IP address verification

Re: [PATCH] Enable SSL library detection via PQsslAttribute

2022-03-29 Thread Jacob Champion
On Tue, 2022-03-29 at 14:08 +0200, Daniel Gustafsson wrote: > Pushed with a few small tweaks to make it match project style, thanks! Thank you! --Jacob

Re: [PATCH] Expose port->authn_id to extensions and triggers

2022-03-29 Thread Jacob Champion
ction -- it feels safer. v8 rebases over the recent SSL changes to get the cfbot green again. Thanks, --Jacob commit bd02c608e3053217056464a31dff49344ca3a5f3 Author: Jacob Champion Date: Tue Mar 29 16:26:52 2022 -0700 fixup! Add API to retrieve authn_id from SQL diff --git a/src/t

Re: [PATCH] Expose port->authn_id to extensions and triggers

2022-03-30 Thread Jacob Champion
On Tue, 2022-03-29 at 16:53 -0700, Andres Freund wrote: > > We'd also need to guess whether the GUC system's serialization of NULL > > as an empty string is likely to cause problems for any future auth > > methods. > > You can't represent a NULL in a postgres 'text' datum, independent of > paralle

Re: [PATCH] Accept IP addresses in server certificate SANs

2022-03-30 Thread Jacob Champion
On Wed, 2022-03-30 at 13:37 +0200, Peter Eisentraut wrote: > On 28.03.22 22:21, Jacob Champion wrote: > > On Mon, 2022-03-28 at 11:17 +0200, Daniel Gustafsson wrote: > > > Fixing up the switch_server_cert() calls and using default_ssl_connstr > > > makes > > >

Re: [PATCH] Accept IP addresses in server certificate SANs

2022-03-31 Thread Jacob Champion
ould work with Winsock as-is; let's see if the bot agrees... Thanks, --Jacob From a973663f1b4b98a427692bb6291ddc2c3ce9bb4f Mon Sep 17 00:00:00 2001 From: Jacob Champion Date: Thu, 18 Nov 2021 15:36:18 -0800 Subject: [PATCH v12] libpq: allow IP address SANs in server certs The curr

Re: [PATCH] Expose port->authn_id to extensions and triggers

2022-03-31 Thread Jacob Champion
On Tue, 2022-03-29 at 23:38 +0000, Jacob Champion wrote: > v8 rebases over the recent SSL changes to get the cfbot green again. I think the Windows failure [1] is unrelated to this patch, but for posterity: > [03:01:58.925] c:\cirrus>call "C:/Program Files/Git/usr/bin/timeout.ex

Re: [PATCH] Accept IP addresses in server certificate SANs

2022-04-01 Thread Jacob Champion
On Fri, 2022-04-01 at 16:07 +0200, Peter Eisentraut wrote: > I have committed this. > > I have removed the inet header refactoring that you had. That wasn't > necessary, since pg_inet_net_ntop() can use the normal AF_INET* > constants. The PGSQL_AF_INET* constants are only for the internal > sto

Re: [PATCH] Expose port->authn_id to extensions and triggers

2022-04-05 Thread Jacob Champion
On Tue, 2022-04-05 at 15:13 +0900, Michael Paquier wrote: > On Wed, Mar 30, 2022 at 04:02:09PM +0000, Jacob Champion wrote: > > Whether that's a problem in the future entirely depends on whether > > there's some authentication method that considers the empty string

Re: [PATCH] Expose port->authn_id to extensions and triggers

2022-04-06 Thread Jacob Champion
On Wed, 2022-04-06 at 20:09 +0900, Michael Paquier wrote: > > The current patch already handles NULL with a byte of overhead; is > > there any advantage to using noError? (It might make things messier > > once a second member gets added to the struct.) My concern was directed > > at the GUC proposa

Re: Readd use of TAP subtests

2022-04-19 Thread Jacob Champion
On Mon, 2022-02-28 at 17:02 +0100, Peter Eisentraut wrote: > Perhaps in another 7 years or so this will be resolved and we can make > another attempt at this. ;-) For what it's worth, the TAP 14 spec was officially released today: https://testanything.org/tap-version-14-specification.html -

Re: pg_dump needs SELECT privileges on irrelevant extension table

2023-10-23 Thread Jacob Champion
On Wed, Oct 18, 2023 at 1:25 PM Tom Lane wrote: > Stephen Frost writes: > > This change would mean that policies added by a user after the extension > > is created would just be lost by a pg_dump/reload, doesn't it? > > Yes. But I'd say that's unsupported, just like making other ad-hoc > changes

Re: Row pattern recognition

2023-10-24 Thread Jacob Champion
ation and grouping will ratchet up the complexity. Thanks! --Jacob From fb3cbb6f99f0fe7b05027759454d7e0013225929 Mon Sep 17 00:00:00 2001 From: Jacob Champion Date: Fri, 20 Oct 2023 16:11:14 -0700 Subject: [PATCH 2/2] squash! Row pattern recognition patch (executor). - Extract pattern ma

Re: Row pattern recognition

2023-10-30 Thread Jacob Champion
On Tue, Oct 24, 2023 at 7:49 PM Tatsuo Ishii wrote: > I am impressed the simple NFA implementation. Thanks! > It would be nicer if it > could be implemented without using recursion. Yeah. If for some reason we end up going with a bespoke implementation, I assume we'd just convert the algorithm

Re: [PoC] Federated Authn/z with OAUTHBEARER

2023-11-03 Thread Jacob Champion
On Fri, Nov 3, 2023 at 5:28 AM Shlok Kyal wrote: > Just want to make sure you are aware of these failures. Thanks for the nudge! Looks like I need to reconcile with the changes to JsonLexContext in 1c99cde2. I should be able to get to that next week; in the meantime I'll mark it Waiting on Author

Re: pg_dump needs SELECT privileges on irrelevant extension table

2023-11-10 Thread Jacob Champion
On Thu, Nov 9, 2023 at 11:02 AM Tom Lane wrote: > I'm hearing nothing but crickets :-( Yeah :/ Based on your arguments above, it sounds like your patch may improve several other corner cases when backported, so that sounds good overall to me. My best guess is that Timescale will be happy with th

Re: pg_dump needs SELECT privileges on irrelevant extension table

2023-11-15 Thread Jacob Champion
> commit a70f2a57f233244c0a780829baf48c624187d456 > Author: Tom Lane > Date: Mon Nov 13 17:04:10 2023 -0500 > >Don't try to dump RLS policies or security labels for extension objects. (Thanks Tom!) --Jacob

Re: [PoC] Federated Authn/z with OAUTHBEARER

2023-11-15 Thread Jacob Champion
On Thu, Nov 9, 2023 at 5:43 PM Andrey Chudnovsky wrote: > Do you plan to support adding an extension hook to validate the token? > > It would allow a more efficient integration, then spinning a separate process. I think an API in the style of archive modules might probably be a good way to go, ye

Re: WIP Incremental JSON Parser

2024-01-09 Thread Jacob Champion
since the clients have to parse JSON as well. Those responses tend to be smaller, though, so you'd have to really be hurting for resources to need this. --Jacob commit 79d0dc78b9f3b0bbc078876417b8f46970308e6e Author: Jacob Champion Date: Thu Jan 4 11:46:06 2024 -0800 WIP: try to sp

Re: [PoC] Federated Authn/z with OAUTHBEARER

2024-01-09 Thread Jacob Champion
On Tue, Dec 5, 2023 at 1:44 AM Daniel Gustafsson wrote: > > > On 8 Nov 2023, at 20:00, Jacob Champion wrote: > > > Unfortunately the configure/Makefile build of libpq now seems to be > > pulling in an `exit()` dependency in a way that Meson does not. > > I believe t

Re: [PATCH] Support SK_SEARCHNULL / SK_SEARCHNOTNULL for heap-only scans

2023-08-30 Thread Jacob Champion
On 7/19/23 16:44, Jacob Champion wrote: > This patch pushes down any > forced-null and not-null Vars as ScanKeys. It doesn't remove the > redundant quals after turning them into ScanKeys, so it's needlessly > inefficient, but there's still a decent speedup for some o

Re: [PoC] Federated Authn/z with OAUTHBEARER

2023-08-30 Thread Jacob Champion
v11 is a quick rebase over the recent Cirrus changes, and I've dropped 0006 now that psycopg2 can build against BSD/Meson setups (thanks Daniele!). --Jacob
1: 0278c7ba90 = 1: 36409a76ce common/jsonapi: support FRONTEND clients 2: bb3ce4b6a9 = 2: 1356b729db libpq: add OAUTHBEARER SASL mechanism

Re: Row pattern recognition

2023-09-07 Thread Jacob Champion
Hello! > (1) I completely changed the pattern matching engine so that it > performs backtracking. Now the engine evaluates all pattern elements > defined in PATTERN against each row, saving matched pattern variables > in a string per row. For example if the pattern element A and B > evaluated to tr

Re: Row pattern recognition

2023-09-08 Thread Jacob Champion
On 9/7/23 20:54, Tatsuo Ishii wrote: >> DEFINE >> A AS PREV(CLASSIFIER()) IS DISTINCT FROM 'A', >> ... > > But: > > UP AS price > PREV(price) > > also depends on previous row, no? PREV(CLASSIFIER()) depends not on the value of the previous row but the state of the match so far.

Re: Row pattern recognition

2023-09-11 Thread Jacob Champion
On Sat, Sep 9, 2023 at 4:21 AM Tatsuo Ishii wrote: > Then we will get for str_set: > r0: B > r1: AB > > Because r0 only has classifier B, r1 can have A and B. Problem is, > r2. If we choose A at r1, then r2 = B. But if we choose B at t1, then > r2 = AB. I guess this is the issue you pointed out.

Re: sslinfo extension - add notbefore and notafter timestamps

2023-09-12 Thread Jacob Champion
Hello, On 7/25/23 07:21, Daniel Gustafsson wrote: > The attached version passes ssl tests for me on 1.0.2 through OpenSSL Git > HEAD. Tests pass for me too, including LibreSSL 3.8. > + /* Calculate the diff from the epoch to the certificat timestamp */ "certificate" > + ssl_client_get_n

Re: Row pattern recognition

2023-09-12 Thread Jacob Champion
On Mon, Sep 11, 2023 at 11:18 PM Tatsuo Ishii wrote: > What I am not sure about is, you and Vik mentioned that the > traditional NFA is superior that POSIX NFA in terms of performance. > But how "lexicographic ordering" is related to performance? I think they're only tangentially related. POSIX N
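The points made across the Row pattern recognition messages above (a backtracking engine that evaluates each DEFINE against each row, a DEFINE such as `A AS PREV(CLASSIFIER()) IS DISTINCT FROM 'A'` that depends on the state of the match rather than on the previous row's values, and the choice between pattern variables at a row affecting what later rows can match) can be shown with a compact matcher. This is an added illustration, not the patch's executor code: the row data and the DEFINE predicates are constructed, and the matcher is a plain depth-first backtracking search in "traditional NFA" order (first complete match wins), with an option to enumerate every complete match instead.

```python
"""Backtracking row-pattern matcher. Added illustration, not the patch's code.
Pattern variables carry + * ? quantifiers; DEFINE predicates receive a Ctx so
they can read the current row, PREV(col) (the previous row in the partition)
and PREV(CLASSIFIER()) (the variable assigned to the previous row *within the
current match*, NULL if that row lies outside the match)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

Row = Dict[str, object]
Match = List[Tuple[int, str]]  # (row index, pattern variable assigned to it)


@dataclass(frozen=True)
class Ctx:
    rows: Sequence[Row]
    idx: int                    # row being classified
    start: int                  # first row of the current match
    assigned: Tuple[str, ...]   # classifiers already chosen for rows start..idx-1

    @property
    def row(self) -> Row:
        return self.rows[self.idx]

    def prev(self, col: str):
        """PREV(col): value from the previous partition row, None (NULL) at the edge."""
        return self.rows[self.idx - 1][col] if self.idx > 0 else None

    def prev_classifier(self) -> Optional[str]:
        """PREV(CLASSIFIER()): depends on match state, not on row values."""
        return self.assigned[-1] if self.assigned else None


def parse_pattern(text: str) -> List[Tuple[str, int, Optional[int]]]:
    """'START DOWN+ UP*' -> [(variable, min_occurrences, max_occurrences or None)]"""
    bounds = {"+": (1, None), "*": (0, None), "?": (0, 1)}
    elems = []
    for tok in text.split():
        if tok[-1] in bounds:
            lo, hi = bounds[tok[-1]]
            elems.append((tok[:-1], lo, hi))
        else:
            elems.append((tok, 1, 1))
    return elems


def match_at(rows, start, pattern, defines, want_all=False):
    """Depth-first search with greedy quantifiers in pattern order. By default
    the first complete match found is returned (traditional-NFA behaviour);
    with want_all=True every complete match is collected, which exposes the
    alternative classifications a row can take."""
    elems = parse_pattern(pattern)
    found: List[Match] = []

    def pred(var, idx, assigned):
        fn = defines.get(var)  # a variable without a DEFINE is always true
        return fn is None or bool(fn(Ctx(rows, idx, start, assigned)))

    def search(idx, ei, count, assigned) -> Optional[Match]:
        if ei == len(elems):
            m = [(start + k, v) for k, v in enumerate(assigned)]
            if not want_all:
                return m
            if m not in found:
                found.append(m)
            return None
        var, lo, hi = elems[ei]
        # Greedy: try to give this element one more row before moving on.
        if (hi is None or count < hi) and idx < len(rows) and pred(var, idx, assigned):
            r = search(idx + 1, ei, count + 1, assigned + (var,))
            if r is not None:
                return r
        if count >= lo:  # element satisfied; advance (this is the backtracking point)
            return search(idx, ei + 1, 0, assigned)
        return None

    first = search(start, 0, 0, ())
    return found if want_all else first


def classify(rows, start, pattern, defines):
    """Classifier sequence of the first match starting at `start`, or None."""
    m = match_at(rows, start, pattern, defines)
    return [v for _, v in m] if m is not None else None


# Constructed sample partition: a price that falls, then rises.
ROWS = [{"price": p} for p in (100, 95, 90, 92, 97, 99)]

V_SHAPE = {  # DOWN AS price < PREV(price), UP AS price > PREV(price); NULL compares false
    "DOWN": lambda c: c.prev("price") is not None and c.row["price"] < c.prev("price"),
    "UP":   lambda c: c.prev("price") is not None and c.row["price"] > c.prev("price"),
}
NO_REPEAT_A = {  # A AS PREV(CLASSIFIER()) IS DISTINCT FROM 'A'
    "A": lambda c: c.prev_classifier() != "A",
}

if __name__ == "__main__":
    print(classify(ROWS, 0, "START DOWN+ UP+", V_SHAPE))   # one V-shaped match
    print(classify(ROWS, 3, "START DOWN+ UP+", V_SHAPE))   # no match from row 3
    print(classify(ROWS, 0, "A+ B+", NO_REPEAT_A))          # A+ can only take one row
```

The third call is the state-dependence case from the discussion: the price data would let `A+` absorb every row, but once row 0 is classified A, `PREV(CLASSIFIER())` for row 1 is 'A' and the predicate fails, so the engine backtracks to `B+`. Engines that memoise per-row predicate results (as a non-backtracking automaton would) cannot express this, because the predicate's value is a function of the path taken, not of the row.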

Re: Row pattern recognition

2023-09-22 Thread Jacob Champion
On Fri, Sep 22, 2023, 3:13 AM Tatsuo Ishii wrote: > > Op 9/22/23 om 07:16 schreef Tatsuo Ishii: > >>> Attached is the fix against v6 patch. I will include this in upcoming > >>> v7 patch. > >> Attached is the v7 patch. It includes the fix mentioned above. Also > > (Champion's address bounced; re

Re: Support for NSS as a libpq TLS backend

2022-01-18 Thread Jacob Champion
On Wed, 2021-12-15 at 23:10 +0100, Daniel Gustafsson wrote: > I've attached a v50 which fixes the issues found by Joshua upthread, as well > as > rebases on top of all the recent SSL and pgcrypto changes. I'm currently tracking down a slot leak. When opening and closing large numbers of NSS datab

Re: Support for NSS as a libpq TLS backend

2022-01-25 Thread Jacob Champion
On Wed, 2022-01-19 at 10:01 +0100, Daniel Gustafsson wrote: > > On 18 Jan 2022, at 17:37, Jacob Champion wrote: > > > > On Wed, 2021-12-15 at 23:10 +0100, Daniel Gustafsson wrote: > > > I've attached a v50 which fixes the issues found by Joshua upthread, as >

Re: Support for NSS as a libpq TLS backend

2022-01-26 Thread Jacob Champion
On Tue, 2022-01-25 at 22:26 +0000, Jacob Champion wrote: > On Wed, 2022-01-19 at 10:01 +0100, Daniel Gustafsson wrote: > > > On 18 Jan 2022, at 17:37, Jacob Champion wrote: > > > > > > On Wed, 2021-12-15 at 23:10 +0100, Daniel Gustafsson wrote: > > > >

Re: Support for NSS as a libpq TLS backend

2022-01-26 Thread Jacob Champion
On Wed, 2022-01-26 at 15:59 -0800, Andres Freund wrote: > > > Do we have a testcase for embedded NULLs in common names? > > > > We don't, neither for OpenSSL or NSS. AFAICR Jacob spent days trying to > > get a > > certificate generation to include an embedded NULL byte but in the end gave > > u

Re: [PoC] Delegating pg_ident to a third party

2022-02-02 Thread Jacob Champion
On Mon, 2022-01-10 at 15:09 -0500, Stephen Frost wrote: > Greetings, Sorry for the delay, the last few weeks have been insane. > * Jacob Champion (pchamp...@vmware.com) wrote: > > On Tue, 2022-01-04 at 22:24 -0500, Stephen Frost wrote: > > > On Tue, Jan 4, 2022 at 18:56

Re: [PATCH] Accept IP addresses in server certificate SANs

2022-02-02 Thread Jacob Champion
On Mon, 2022-01-31 at 17:29 +0900, Kyotaro Horiguchi wrote: > However, 0002, > > +/* > + * In a frontend build, we can't include inet.h, but we still need to have > + * sensible definitions of these two constants. Note that pg_inet_net_ntop() > + * assumes that PGSQL_AF_INET is equal to AF_INET.

Re: [PATCH] Accept IP addresses in server certificate SANs

2022-02-04 Thread Jacob Champion
On Thu, 2022-02-03 at 16:23 +0900, Kyotaro Horiguchi wrote: > At Wed, 2 Feb 2022 19:46:13 +0000, Jacob Champion > wrote in > > On Mon, 2022-01-31 at 17:29 +0900, Kyotaro Horiguchi wrote: > > > +#define PGSQL_AF_INET (AF_INET + 0) > > > +#defi

Re: [PATCH] Accept IP addresses in server certificate SANs

2022-02-08 Thread Jacob Champion
On Mon, 2022-02-07 at 17:29 +0900, Kyotaro Horiguchi wrote: > At Fri, 4 Feb 2022 17:06:53 +0000, Jacob Champion > wrote in > > That works a lot better than what I had in my head. Done that way in > > v4. Thanks! > > Thanks! > > 0002: > > +#define PGS

Re: pgcrypto: Remove internal padding implementation

2022-02-14 Thread Jacob Champion
On Mon, 2022-02-14 at 10:42 +0100, Peter Eisentraut wrote: > This is a rebase of the patch from [0]. It removes the internal padding > implementation in pgcrypto and lets OpenSSL do it. The internal > implementation was once applicable to the non-OpenSSL code paths, but > those have since been

Re: Observability in Postgres

2022-02-16 Thread Jacob Champion
On Wed, 2022-02-16 at 02:10 -0500, Greg Stark wrote: > On Tue, 15 Feb 2022 at 17:37, Magnus Hagander wrote: > > > But I think you'll run into a different problem much earlier. Pretty > > much everything out there is going to want to speak http(s). How are > > you going to terminate that, especial

Re: [PATCH] Accept IP addresses in server certificate SANs

2022-02-17 Thread Jacob Champion
we need to decide whether or not to keep the current "IP address connhost can match a dNSName SAN" behavior, and if so I need to add it to the test cases. (And we need to figure out why the tests are failing in your build, of course.) Thanks! --Jacob From fa93bc48654164d36fc163ee84d8f9b78fe29e96

Re: [PATCH] Support pg_ident mapping for LDAP

2022-02-17 Thread Jacob Champion
On Fri, 2021-10-29 at 17:38 +0000, Jacob Champion wrote: > v3 attached, which uses the above naming scheme and removes the stale > TODO. Changes in since-v2. v4 rebases over the recent TAP changes. --Jacob From e0f36725013610eade9bc83414c4d1f5adea17e2 Mon Sep 17 00:00:00 2001 From:

Re: Commit fest 2022-11

2022-11-04 Thread Jacob Champion
On 11/3/22 22:18, Ian Lawrence Barwick wrote: > Fri, 4 Nov 2022 10:23 Ian Lawrence Barwick: >> Fri, 4 Nov 2022 9:43 Justin Pryzby: >> > If I'm not wrong, Jacob used the CF app to bulk-mail people about >> > patches not applying and similar th

Re: User functions for building SCRAM secrets

2022-11-04 Thread Jacob Champion
On Tue, Nov 1, 2022 at 4:02 PM Jacob Champion wrote: > I guess I have fewer problems with this use case in theory, but I'm > wondering if better client-side support might also solve this one as > well, without the additional complication. Is there a reason it would > not?

Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert

2022-11-07 Thread Jacob Champion
On Thu, Nov 3, 2022 at 4:39 PM Jacob Champion wrote: > There is an additional test failure with LibreSSL, which doesn't appear > to honor the SSL_CERT_FILE environment variable. This isn't a problem in > production -- if you're using LibreSSL, you'd presumably underst

Re: libpq support for NegotiateProtocolVersion

2022-11-08 Thread Jacob Champion
On 11/8/22 00:40, Peter Eisentraut wrote: > On 02.11.22 20:02, Jacob Champion wrote: >> This new code path doesn't go through the message length checks that are >> done for the 'R' and 'E' cases, and pqGetNegotiateProtocolVersion3() >> doesn't t

Re: User functions for building SCRAM secrets

2022-11-08 Thread Jacob Champion
On 11/8/22 12:26, Peter Eisentraut wrote: > On 04.11.22 21:39, Jacob Champion wrote: >> I don't think it's helpful for me to try to block progress on this >> patchset behind the other one. But is there a way for me to help this >> proposal skate in the same g

Re: User functions for building SCRAM secrets

2022-11-10 Thread Jacob Champion
On Tue, Nov 8, 2022 at 9:28 PM Michael Paquier wrote: > On Tue, Nov 08, 2022 at 04:57:09PM -0800, Jacob Champion wrote: > > But I guess that wouldn't really help with ALTER ROLE ... PASSWORD, > > because you can't parameterize it. Hm... > > Yeah, and I'd like t

Re: libpq support for NegotiateProtocolVersion

2022-11-11 Thread Jacob Champion
On 11/11/22 07:13, Peter Eisentraut wrote: > On 09.11.22 00:08, Jacob Champion wrote: >> pqGetNegotiateProtocolVersion3() is still ignoring the message length, >> though; it won't necessarily stop at the message boundary. > > I don't follow. The calls to pqGet

Re: [PoC] Let libpq reject unexpected authentication requests

2022-11-11 Thread Jacob Champion
bjections from the community. Thank you! I expect a maintainer will need to weigh in on the cost/benefit of 0003 either way. --Jacob
commit e71ea0d0356f5ef2fb4214fc978f835d9fa815f8 Author: Jacob Champion Date: Fri Nov 11 15:55:23 2022 -0800 squash! Add sslcertmode option for client certificates

Re: libpq support for NegotiateProtocolVersion

2022-11-14 Thread Jacob Champion
On 11/13/22 01:21, Peter Eisentraut wrote: > On 11.11.22 23:28, Jacob Champion wrote: >> Put another way, why do we loop around and poll for more data when we >> hit the end of the connection buffer, if we've already checked at this >> point that we should have the entir

Re: [PoC] Let libpq reject unexpected authentication requests

2022-11-14 Thread Jacob Champion
On 11/11/22 22:57, Aleksander Alekseev wrote: > I did a little more research and I think you are right. What happens > according to the C standard: Thanks for confirming! (I personally prefer -1 to a *MAX macro, because it works regardless of the length of the type.) --Jacob

Re: Moving forward with TDE

2022-11-15 Thread Jacob Champion
On Mon, Oct 24, 2022 at 9:29 AM David Christensen wrote: > I would love to open a discussion about how to move forward and get > some of these features built out. The historical threads here are > quite long and complicated; is there a "current state" other than the > wiki that reflects the gener

Re: Moving forward with TDE

2022-11-15 Thread Jacob Champion
y removal of the two variables probably needs some scrutiny). It looks like the testcrypto executable will need substantial changes after the common/hex.h revert. --Jacob From eb4b55f5d03e362cf340f322c0cefbf95f53657a Mon Sep 17 00:00:00 2001 From: Jacob Champion Date: Mon, 14 Nov 2022 16:02:57 -080

Re: [PoC] Let libpq reject unexpected authentication requests

2022-11-16 Thread Jacob Champion
e, "require") == 0) { conn->status = CONNECTION_BAD; - appendPQExpBuffer(&conn->errorMessage, - libpq_gettext("sslcertmode value \"%s\" is not suppo

Re: libpq support for NegotiateProtocolVersion

2022-11-16 Thread Jacob Champion
On Tue, Nov 15, 2022 at 2:19 AM Peter Eisentraut wrote: > I think for the current code, the following would be an appropriate > adjustment: > > diff --git a/src/interfaces/libpq/fe-connect.c > b/src/interfaces/libpq/fe-connect.c > index 746e9b4f1efc..d15fb96572d9 100644 > --- a/src/interfaces/libp

Re: [PoC] Federated Authn/z with OAUTHBEARER

2022-11-23 Thread Jacob Champion
On 11/23/22 01:58, mahendrakar s wrote: > We validated on libpq handling OAuth natively with different flows > with different OIDC certified providers. > > Flows: Device Code, Client Credentials and Refresh Token. > Providers: Microsoft, Google and Okta. Great, thank you! > Also validated with

Re: [PoC] Federated Authn/z with OAUTHBEARER

2022-11-29 Thread Jacob Champion
On 11/23/22 19:45, Andrey Chudnovsky wrote: > Mostly terminology questions here. OAUTHBEARER SASL appears to be the > spec about using OAUTH2 tokens for Authentication. > While any OAUTH2 can generally work, we propose to specifically > highlight that only OIDC providers can be supported, as we nee

Re: [PoC] Federated Authn/z with OAUTHBEARER

2022-11-29 Thread Jacob Champion
On 11/24/22 00:20, mahendrakar s wrote: > I had validated Github by skipping the discovery mechanism and letting > the provider extension pass on the endpoints. This is just for > validation purposes. > If it needs to be supported, then need a way to send the discovery > document from extension. Y

Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert

2022-12-02 Thread Jacob Champion
On Thu, Dec 1, 2022 at 9:26 PM Michael Paquier wrote: > On Mon, Nov 07, 2022 at 05:04:14PM -0800, Jacob Champion wrote: > > The macOS/OpenSSL 3.0.0 failure is still unfixed. > > Err, could you look at that? I am switching the patch as waiting on > author. Thanks for the nud

Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert

2022-12-05 Thread Jacob Champion
On Fri, Dec 2, 2022 at 9:58 AM Jacob Champion wrote: > Thanks for the nudge -- running with OpenSSL 3.0.7 in CI did not fix > the issue. I suspect a problem with our error stack handling... It is a problem with the error queue, but *whose* problem is probably up for debate. The queue look

Re: [PoC] Federated Authn/z with OAUTHBEARER

2022-12-07 Thread Jacob Champion
On Mon, Dec 5, 2022 at 4:15 PM Andrey Chudnovsky wrote: > I think we can focus on the roles and responsibilities of the components > first. > Details of the patch can be elaborated. Like "flow type code" is a > mistake on our side, and we will use the term "grant_type" which is > defined by OIDC

Re: [PATCH] pg_dump: lock tables in batches

2022-12-07 Thread Jacob Champion
On Wed, Dec 7, 2022 at 2:53 PM Tom Lane wrote: > Is "-s" mode actually a relevant criterion here? With per-table COPY > commands added into the mix you could not possibly get better than 2x > improvement, and likely a good deal less. Don't we hit this code path in pg_upgrade? You won't see huge

Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert

2022-12-08 Thread Jacob Champion
On Mon, Dec 5, 2022 at 10:53 AM Jacob Champion wrote: > We are not the first using Homebrew to run into this, and best I can > tell, it is a brew-specific bug. The certificate directory that's been > configured isn't actually installed by the formula. (A colleague here >
