Expand some more uses of "deleg" to "delegation" or "delegated".
Complete the task begun in 9c0a0e2ed: we don't want to use the
abbreviation "deleg" for GSS delegation in any user-visible places.
(For consistency, this also changes most internal uses too.)
Abhijit Menon-Sen and Tom Lane
Discussion: https://postgr.es/m/949048.1684639317@sss.pgh.pa.us
This commit is contained in:
Tom Lane
parent
f4001a5537
commit
a2eb99a01e
16 changed files with 72 additions and 70 deletions
|
|
@ -172,7 +172,7 @@ ALTER SERVER testserver1 OPTIONS (
|
|||
--requirepeer 'value',
|
||||
krbsrvname 'value',
|
||||
gsslib 'value',
|
||||
gssdeleg 'value'
|
||||
gssdelegation 'value'
|
||||
--replication 'value'
|
||||
);
|
||||
-- Error, invalid list syntax
|
||||
|
|
|
|||
|
|
@ -289,10 +289,10 @@ InitPgFdwOptions(void)
|
|||
{"sslkey", UserMappingRelationId, true},
|
||||
|
||||
/*
|
||||
* gssdeleg is also a libpq option but should be allowed in a user
|
||||
* mapping context too
|
||||
* gssdelegation is also a libpq option but should be allowed in a
|
||||
* user mapping context too
|
||||
*/
|
||||
{"gssdeleg", UserMappingRelationId, true},
|
||||
{"gssdelegation", UserMappingRelationId, true},
|
||||
|
||||
{NULL, InvalidOid, false}
|
||||
};
|
||||
|
|
|
|||
|
|
@ -186,7 +186,7 @@ ALTER SERVER testserver1 OPTIONS (
|
|||
--requirepeer 'value',
|
||||
krbsrvname 'value',
|
||||
gsslib 'value',
|
||||
gssdeleg 'value'
|
||||
gssdelegation 'value'
|
||||
--replication 'value'
|
||||
);
|
||||
|
||||
|
|
|
|||
|
|
@ -2054,8 +2054,8 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
|
|||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry id="libpq-connect-gssdeleg" xreflabel="gssdeleg">
|
||||
<term><literal>gssdeleg</literal></term>
|
||||
<varlistentry id="libpq-connect-gssdelegation" xreflabel="gssdelegation">
|
||||
<term><literal>gssdelegation</literal></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Forward (delegate) GSS credentials to the server. The default is
|
||||
|
|
@ -8271,10 +8271,10 @@ myEventProc(PGEventId evtId, void *evtInfo, void *passThrough)
|
|||
<listitem>
|
||||
<para>
|
||||
<indexterm>
|
||||
<primary><envar>PGGSSDELEG</envar></primary>
|
||||
<primary><envar>PGGSSDELEGATION</envar></primary>
|
||||
</indexterm>
|
||||
<envar>PGGSSDELEG</envar> behaves the same as the <xref
|
||||
linkend="libpq-connect-gssdeleg"/> connection parameter.
|
||||
<envar>PGGSSDELEGATION</envar> behaves the same as the <xref
|
||||
linkend="libpq-connect-gssdelegation"/> connection parameter.
|
||||
</para>
|
||||
</listitem>
|
||||
|
||||
|
|
|
|||
|
|
@ -980,7 +980,7 @@ CREATE VIEW pg_stat_gssapi AS
|
|||
S.gss_auth AS gss_authenticated,
|
||||
S.gss_princ AS principal,
|
||||
S.gss_enc AS encrypted,
|
||||
S.gss_deleg AS credentials_delegated
|
||||
S.gss_delegation AS credentials_delegated
|
||||
FROM pg_stat_get_activity(NULL) AS S
|
||||
WHERE S.client_port IS NOT NULL;
|
||||
|
||||
|
|
|
|||
|
|
@ -574,7 +574,7 @@ static const struct ConnectionOption libpq_conninfo_options[] = {
|
|||
{"requiressl", ForeignServerRelationId},
|
||||
{"sslmode", ForeignServerRelationId},
|
||||
{"gsslib", ForeignServerRelationId},
|
||||
{"gssdeleg", ForeignServerRelationId},
|
||||
{"gssdelegation", ForeignServerRelationId},
|
||||
{NULL, InvalidOid}
|
||||
};
|
||||
|
||||
|
|
|
|||
|
|
@ -282,14 +282,14 @@ PerformAuthentication(Port *port)
|
|||
|
||||
if (princ)
|
||||
appendStringInfo(&logmsg,
|
||||
_(" GSS (authenticated=%s, encrypted=%s, deleg_credentials=%s, principal=%s)"),
|
||||
_(" GSS (authenticated=%s, encrypted=%s, delegated_credentials=%s, principal=%s)"),
|
||||
be_gssapi_get_auth(port) ? _("yes") : _("no"),
|
||||
be_gssapi_get_enc(port) ? _("yes") : _("no"),
|
||||
be_gssapi_get_delegation(port) ? _("yes") : _("no"),
|
||||
princ);
|
||||
else
|
||||
appendStringInfo(&logmsg,
|
||||
_(" GSS (authenticated=%s, encrypted=%s, deleg_credentials=%s)"),
|
||||
_(" GSS (authenticated=%s, encrypted=%s, delegated_credentials=%s)"),
|
||||
be_gssapi_get_auth(port) ? _("yes") : _("no"),
|
||||
be_gssapi_get_enc(port) ? _("yes") : _("no"),
|
||||
be_gssapi_get_delegation(port) ? _("yes") : _("no"));
|
||||
|
|
|
|||
|
|
@ -57,6 +57,6 @@
|
|||
*/
|
||||
|
||||
/* yyyymmddN */
|
||||
#define CATALOG_VERSION_NO 202305191
|
||||
#define CATALOG_VERSION_NO 202305211
|
||||
|
||||
#endif
|
||||
|
|
|
|||
|
|
@ -5415,7 +5415,7 @@
|
|||
prorettype => 'record', proargtypes => 'int4',
|
||||
proallargtypes => '{int4,oid,int4,oid,text,text,text,text,text,timestamptz,timestamptz,timestamptz,timestamptz,inet,text,int4,xid,xid,text,bool,text,text,int4,text,numeric,text,bool,text,bool,bool,int4,int8}',
|
||||
proargmodes => '{i,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o}',
|
||||
proargnames => '{pid,datid,pid,usesysid,application_name,state,query,wait_event_type,wait_event,xact_start,query_start,backend_start,state_change,client_addr,client_hostname,client_port,backend_xid,backend_xmin,backend_type,ssl,sslversion,sslcipher,sslbits,ssl_client_dn,ssl_client_serial,ssl_issuer_dn,gss_auth,gss_princ,gss_enc,gss_deleg,leader_pid,query_id}',
|
||||
proargnames => '{pid,datid,pid,usesysid,application_name,state,query,wait_event_type,wait_event,xact_start,query_start,backend_start,state_change,client_addr,client_hostname,client_port,backend_xid,backend_xmin,backend_type,ssl,sslversion,sslcipher,sslbits,ssl_client_dn,ssl_client_serial,ssl_issuer_dn,gss_auth,gss_princ,gss_enc,gss_delegation,leader_pid,query_id}',
|
||||
prosrc => 'pg_stat_get_activity' },
|
||||
{ oid => '3318',
|
||||
descr => 'statistics: information about progress of backends running maintenance command',
|
||||
|
|
|
|||
|
|
@ -97,7 +97,7 @@ pg_GSS_continue(PGconn *conn, int payloadlen)
|
|||
if (!pg_GSS_have_cred_cache(&conn->gcred))
|
||||
conn->gcred = GSS_C_NO_CREDENTIAL;
|
||||
|
||||
if (conn->gssdeleg && pg_strcasecmp(conn->gssdeleg, "enable") == 0)
|
||||
if (conn->gssdelegation && pg_strcasecmp(conn->gssdelegation, "enable") == 0)
|
||||
gss_flags |= GSS_C_DELEG_FLAG;
|
||||
|
||||
maj_stat = gss_init_sec_context(&min_stat,
|
||||
|
|
|
|||
|
|
@ -343,9 +343,9 @@ static const internalPQconninfoOption PQconninfoOptions[] = {
|
|||
"GSS-library", "", 7, /* sizeof("gssapi") == 7 */
|
||||
offsetof(struct pg_conn, gsslib)},
|
||||
|
||||
{"gssdeleg", "PGGSSDELEG", NULL, NULL,
|
||||
{"gssdelegation", "PGGSSDELEGATION", NULL, NULL,
|
||||
"GSS-delegation", "", 8, /* sizeof("disable") == 8 */
|
||||
offsetof(struct pg_conn, gssdeleg)},
|
||||
offsetof(struct pg_conn, gssdelegation)},
|
||||
|
||||
{"replication", NULL, NULL, NULL,
|
||||
"Replication", "D", 5,
|
||||
|
|
@ -4453,7 +4453,7 @@ freePGconn(PGconn *conn)
|
|||
free(conn->gssencmode);
|
||||
free(conn->krbsrvname);
|
||||
free(conn->gsslib);
|
||||
free(conn->gssdeleg);
|
||||
free(conn->gssdelegation);
|
||||
free(conn->connip);
|
||||
/* Note that conn->Pfdebug is not ours to close or free */
|
||||
free(conn->write_err_msg);
|
||||
|
|
|
|||
|
|
@ -622,18 +622,18 @@ pqsecure_open_gss(PGconn *conn)
|
|||
if (ret != STATUS_OK)
|
||||
return PGRES_POLLING_FAILED;
|
||||
|
||||
if (conn->gssdeleg && pg_strcasecmp(conn->gssdeleg, "enable") == 0)
|
||||
if (conn->gssdelegation && pg_strcasecmp(conn->gssdelegation, "enable") == 0)
|
||||
{
|
||||
/* Acquire credentials if possible */
|
||||
if (conn->gcred == GSS_C_NO_CREDENTIAL)
|
||||
(void) pg_GSS_have_cred_cache(&conn->gcred);
|
||||
|
||||
/*
|
||||
* We have credentials and gssdeleg is enabled, so request credential
|
||||
* delegation. This may or may not actually result in credentials
|
||||
* being delegated- it depends on if the forwardable flag has been set
|
||||
* in the credential and if the server is configured to accept
|
||||
* delegated credentials.
|
||||
* We have credentials and gssdelegation is enabled, so request
|
||||
* credential delegation. This may or may not actually result in
|
||||
* credentials being delegated- it depends on if the forwardable flag
|
||||
* has been set in the credential and if the server is configured to
|
||||
* accept delegated credentials.
|
||||
*/
|
||||
if (conn->gcred != GSS_C_NO_CREDENTIAL)
|
||||
gss_flags |= GSS_C_DELEG_FLAG;
|
||||
|
|
|
|||
|
|
@ -404,7 +404,7 @@ struct pg_conn
|
|||
char *krbsrvname; /* Kerberos service name */
|
||||
char *gsslib; /* What GSS library to use ("gssapi" or
|
||||
* "sspi") */
|
||||
char *gssdeleg; /* Try to delegate GSS credentials? */
|
||||
char *gssdelegation; /* Try to delegate GSS credentials? */
|
||||
char *ssl_min_protocol_version; /* minimum TLS protocol version */
|
||||
char *ssl_max_protocol_version; /* maximum TLS protocol version */
|
||||
char *target_session_attrs; /* desired session properties */
|
||||
|
|
|
|||
|
|
@ -19,6 +19,8 @@ Running the tests
|
|||
=================
|
||||
|
||||
NOTE: You must have given the --enable-tap-tests argument to configure.
|
||||
Also, to use "make installcheck", you must have built and installed
|
||||
contrib/dblink and contrib/postgres_fdw in addition to the core code.
|
||||
|
||||
Run
|
||||
make check PG_TEST_EXTRA=kerberos
|
||||
|
|
|
|||
|
|
@ -351,7 +351,7 @@ test_access(
|
|||
'',
|
||||
'succeeds with mapping with default gssencmode and host hba, ticket not forwardable',
|
||||
"connection authenticated: identity=\"test1\@$realm\" method=gss",
|
||||
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=no, principal=test1\@$realm)"
|
||||
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
|
||||
);
|
||||
|
||||
test_access(
|
||||
|
|
@ -362,7 +362,7 @@ test_access(
|
|||
'gssencmode=prefer',
|
||||
'succeeds with GSS-encrypted access preferred with host hba, ticket not forwardable',
|
||||
"connection authenticated: identity=\"test1\@$realm\" method=gss",
|
||||
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=no, principal=test1\@$realm)"
|
||||
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
|
||||
);
|
||||
|
||||
test_access(
|
||||
|
|
@ -373,7 +373,7 @@ test_access(
|
|||
'gssencmode=require',
|
||||
'succeeds with GSS-encrypted access required with host hba, ticket not forwardable',
|
||||
"connection authenticated: identity=\"test1\@$realm\" method=gss",
|
||||
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=no, principal=test1\@$realm)"
|
||||
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
|
||||
);
|
||||
|
||||
test_access(
|
||||
|
|
@ -381,20 +381,20 @@ test_access(
|
|||
'test1',
|
||||
'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
|
||||
0,
|
||||
'gssencmode=prefer gssdeleg=enable',
|
||||
'gssencmode=prefer gssdelegation=enable',
|
||||
'succeeds with GSS-encrypted access preferred with host hba and credentials not delegated even though asked for (ticket not forwardable)',
|
||||
"connection authenticated: identity=\"test1\@$realm\" method=gss",
|
||||
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=no, principal=test1\@$realm)"
|
||||
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
|
||||
);
|
||||
test_access(
|
||||
$node,
|
||||
'test1',
|
||||
'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
|
||||
0,
|
||||
'gssencmode=require gssdeleg=enable',
|
||||
'gssencmode=require gssdelegation=enable',
|
||||
'succeeds with GSS-encrypted access required with host hba and credentials not delegated even though asked for (ticket not forwardable)',
|
||||
"connection authenticated: identity=\"test1\@$realm\" method=gss",
|
||||
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=no, principal=test1\@$realm)"
|
||||
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
|
||||
);
|
||||
|
||||
|
||||
|
|
@ -480,20 +480,20 @@ test_access(
|
|||
'test1',
|
||||
'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
|
||||
0,
|
||||
'gssencmode=prefer gssdeleg=enable',
|
||||
'gssencmode=prefer gssdelegation=enable',
|
||||
'succeeds with GSS-encrypted access preferred and hostgssenc hba and credentials not forwarded (server does not accept them, default)',
|
||||
"connection authenticated: identity=\"test1\@$realm\" method=gss",
|
||||
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=no, principal=test1\@$realm)"
|
||||
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
|
||||
);
|
||||
test_access(
|
||||
$node,
|
||||
'test1',
|
||||
'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
|
||||
0,
|
||||
'gssencmode=require gssdeleg=enable',
|
||||
'gssencmode=require gssdelegation=enable',
|
||||
'succeeds with GSS-encrypted access required and hostgssenc hba and credentials not forwarded (server does not accept them, default)',
|
||||
"connection authenticated: identity=\"test1\@$realm\" method=gss",
|
||||
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=no, principal=test1\@$realm)"
|
||||
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
|
||||
);
|
||||
|
||||
$node->append_conf('postgresql.conf', qq{gss_accept_delegation=off});
|
||||
|
|
@ -504,20 +504,20 @@ test_access(
|
|||
'test1',
|
||||
'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
|
||||
0,
|
||||
'gssencmode=prefer gssdeleg=enable',
|
||||
'gssencmode=prefer gssdelegation=enable',
|
||||
'succeeds with GSS-encrypted access preferred and hostgssenc hba and credentials not forwarded (server does not accept them, explicitly disabled)',
|
||||
"connection authenticated: identity=\"test1\@$realm\" method=gss",
|
||||
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=no, principal=test1\@$realm)"
|
||||
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
|
||||
);
|
||||
test_access(
|
||||
$node,
|
||||
'test1',
|
||||
'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
|
||||
0,
|
||||
'gssencmode=require gssdeleg=enable',
|
||||
'gssencmode=require gssdelegation=enable',
|
||||
'succeeds with GSS-encrypted access required and hostgssenc hba and credentials not forwarded (server does not accept them, explicitly disabled)',
|
||||
"connection authenticated: identity=\"test1\@$realm\" method=gss",
|
||||
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=no, principal=test1\@$realm)"
|
||||
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
|
||||
);
|
||||
|
||||
$node->append_conf('postgresql.conf', qq{gss_accept_delegation=on});
|
||||
|
|
@ -528,20 +528,20 @@ test_access(
|
|||
'test1',
|
||||
'SELECT gss_authenticated AND encrypted AND credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
|
||||
0,
|
||||
'gssencmode=prefer gssdeleg=enable',
|
||||
'gssencmode=prefer gssdelegation=enable',
|
||||
'succeeds with GSS-encrypted access preferred and hostgssenc hba and credentials forwarded',
|
||||
"connection authenticated: identity=\"test1\@$realm\" method=gss",
|
||||
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=yes, principal=test1\@$realm)"
|
||||
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=yes, principal=test1\@$realm)"
|
||||
);
|
||||
test_access(
|
||||
$node,
|
||||
'test1',
|
||||
'SELECT gss_authenticated AND encrypted AND credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();',
|
||||
0,
|
||||
'gssencmode=require gssdeleg=enable',
|
||||
'gssencmode=require gssdelegation=enable',
|
||||
'succeeds with GSS-encrypted access required and hostgssenc hba and credentials forwarded',
|
||||
"connection authenticated: identity=\"test1\@$realm\" method=gss",
|
||||
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=yes, principal=test1\@$realm)"
|
||||
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=yes, principal=test1\@$realm)"
|
||||
);
|
||||
test_access(
|
||||
$node,
|
||||
|
|
@ -551,17 +551,17 @@ test_access(
|
|||
'gssencmode=prefer',
|
||||
'succeeds with GSS-encrypted access preferred and hostgssenc hba and credentials not forwarded',
|
||||
"connection authenticated: identity=\"test1\@$realm\" method=gss",
|
||||
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=no, principal=test1\@$realm)"
|
||||
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
|
||||
);
|
||||
test_access(
|
||||
$node,
|
||||
'test1',
|
||||
'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
|
||||
0,
|
||||
'gssencmode=require gssdeleg=disable',
|
||||
'gssencmode=require gssdelegation=disable',
|
||||
'succeeds with GSS-encrypted access required and hostgssenc hba and credentials explicitly not forwarded',
|
||||
"connection authenticated: identity=\"test1\@$realm\" method=gss",
|
||||
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=no, principal=test1\@$realm)"
|
||||
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)"
|
||||
);
|
||||
|
||||
my $psql_out = '';
|
||||
|
|
@ -572,7 +572,7 @@ $psql_rc = $node->psql(
|
|||
'postgres',
|
||||
"SELECT * FROM dblink('user=test1 dbname=$dbname host=$host hostaddr=$hostaddr port=$port','select 1') as t1(c1 int);",
|
||||
connstr =>
|
||||
"user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdeleg=disable",
|
||||
"user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=disable",
|
||||
stdout => \$psql_out,
|
||||
stderr => \$psql_stderr);
|
||||
is($psql_rc, '3', 'dblink attempt fails without delegated credentials');
|
||||
|
|
@ -589,7 +589,7 @@ $psql_rc = $node->psql(
|
|||
'postgres',
|
||||
"SELECT * FROM dblink('user=test2 dbname=$dbname port=$port passfile=$pgpass','select 1') as t1(c1 int);",
|
||||
connstr =>
|
||||
"user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdeleg=disable",
|
||||
"user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=disable",
|
||||
stdout => \$psql_out,
|
||||
stderr => \$psql_stderr);
|
||||
is($psql_rc, '3',
|
||||
|
|
@ -608,7 +608,7 @@ $psql_rc = $node->psql(
|
|||
'postgres',
|
||||
"TABLE tf1;",
|
||||
connstr =>
|
||||
"user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdeleg=disable",
|
||||
"user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=disable",
|
||||
stdout => \$psql_out,
|
||||
stderr => \$psql_stderr);
|
||||
is($psql_rc, '3', 'postgres_fdw does not work without delegated credentials');
|
||||
|
|
@ -626,7 +626,7 @@ $psql_rc = $node->psql(
|
|||
'postgres',
|
||||
"TABLE tf2;",
|
||||
connstr =>
|
||||
"user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdeleg=disable",
|
||||
"user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=disable",
|
||||
stdout => \$psql_out,
|
||||
stderr => \$psql_stderr);
|
||||
is($psql_rc, '3',
|
||||
|
|
@ -668,10 +668,10 @@ test_access(
|
|||
'test1',
|
||||
'SELECT gss_authenticated AND NOT encrypted AND credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
|
||||
0,
|
||||
'gssencmode=prefer gssdeleg=enable',
|
||||
'gssencmode=prefer gssdelegation=enable',
|
||||
'succeeds with GSS-encrypted access preferred and hostnogssenc hba, but no encryption',
|
||||
"connection authenticated: identity=\"test1\@$realm\" method=gss",
|
||||
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=no, deleg_credentials=yes, principal=test1\@$realm)"
|
||||
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=no, delegated_credentials=yes, principal=test1\@$realm)"
|
||||
);
|
||||
test_access($node, 'test1', 'SELECT true', 2, 'gssencmode=require',
|
||||
'fails with GSS-encrypted access required and hostnogssenc hba');
|
||||
|
|
@ -680,10 +680,10 @@ test_access(
|
|||
'test1',
|
||||
'SELECT gss_authenticated AND NOT encrypted AND credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
|
||||
0,
|
||||
'gssencmode=disable gssdeleg=enable',
|
||||
'gssencmode=disable gssdelegation=enable',
|
||||
'succeeds with GSS encryption disabled and hostnogssenc hba',
|
||||
"connection authenticated: identity=\"test1\@$realm\" method=gss",
|
||||
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=no, deleg_credentials=yes, principal=test1\@$realm)"
|
||||
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=no, delegated_credentials=yes, principal=test1\@$realm)"
|
||||
);
|
||||
|
||||
test_query(
|
||||
|
|
@ -691,7 +691,7 @@ test_query(
|
|||
'test1',
|
||||
"SELECT * FROM dblink('user=test1 dbname=$dbname host=$host hostaddr=$hostaddr port=$port','select 1') as t1(c1 int);",
|
||||
qr/^1$/s,
|
||||
'gssencmode=prefer gssdeleg=enable',
|
||||
'gssencmode=prefer gssdelegation=enable',
|
||||
'dblink works not-encrypted (server not configured to accept encrypted GSSAPI connections)'
|
||||
);
|
||||
|
||||
|
|
@ -700,7 +700,7 @@ test_query(
|
|||
'test1',
|
||||
"TABLE tf1;",
|
||||
qr/^1$/s,
|
||||
'gssencmode=prefer gssdeleg=enable',
|
||||
'gssencmode=prefer gssdelegation=enable',
|
||||
'postgres_fdw works not-encrypted (server not configured to accept encrypted GSSAPI connections)'
|
||||
);
|
||||
|
||||
|
|
@ -711,7 +711,7 @@ $psql_rc = $node->psql(
|
|||
'postgres',
|
||||
"SELECT * FROM dblink('user=test2 dbname=$dbname port=$port passfile=$pgpass','select 1') as t1(c1 int);",
|
||||
connstr =>
|
||||
"user=test1 host=$host hostaddr=$hostaddr gssencmode=prefer gssdeleg=enable",
|
||||
"user=test1 host=$host hostaddr=$hostaddr gssencmode=prefer gssdelegation=enable",
|
||||
stdout => \$psql_out,
|
||||
stderr => \$psql_stderr);
|
||||
is($psql_rc, '3',
|
||||
|
|
@ -730,7 +730,7 @@ $psql_rc = $node->psql(
|
|||
'postgres',
|
||||
"TABLE tf2;",
|
||||
connstr =>
|
||||
"user=test1 host=$host hostaddr=$hostaddr gssencmode=prefer gssdeleg=enable",
|
||||
"user=test1 host=$host hostaddr=$hostaddr gssencmode=prefer gssdelegation=enable",
|
||||
stdout => \$psql_out,
|
||||
stderr => \$psql_stderr);
|
||||
is($psql_rc, '3',
|
||||
|
|
@ -760,10 +760,10 @@ test_access(
|
|||
'test1',
|
||||
'SELECT gss_authenticated AND encrypted AND credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();',
|
||||
0,
|
||||
'gssdeleg=enable',
|
||||
'gssdelegation=enable',
|
||||
'succeeds with include_realm=0 and defaults',
|
||||
"connection authenticated: identity=\"test1\@$realm\" method=gss",
|
||||
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=yes, principal=test1\@$realm)"
|
||||
"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=yes, principal=test1\@$realm)"
|
||||
);
|
||||
|
||||
test_query(
|
||||
|
|
@ -771,12 +771,12 @@ test_query(
|
|||
'test1',
|
||||
"SELECT * FROM dblink('user=test1 dbname=$dbname host=$host hostaddr=$hostaddr port=$port password=1234','select 1') as t1(c1 int);",
|
||||
qr/^1$/s,
|
||||
'gssencmode=require gssdeleg=enable',
|
||||
'gssencmode=require gssdelegation=enable',
|
||||
'dblink works encrypted');
|
||||
|
||||
test_query(
|
||||
$node, 'test1', "TABLE tf1;", qr/^1$/s,
|
||||
'gssencmode=require gssdeleg=enable',
|
||||
'gssencmode=require gssdelegation=enable',
|
||||
'postgres_fdw works encrypted');
|
||||
|
||||
# Reset pg_hba.conf, and cause a usermap failure with an authentication
|
||||
|
|
|
|||
|
|
@ -1760,7 +1760,7 @@ pg_stat_activity| SELECT s.datid,
|
|||
s.query_id,
|
||||
s.query,
|
||||
s.backend_type
|
||||
FROM ((pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, gss_deleg, leader_pid, query_id)
|
||||
FROM ((pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id)
|
||||
LEFT JOIN pg_database d ON ((s.datid = d.oid)))
|
||||
LEFT JOIN pg_authid u ON ((s.usesysid = u.oid)));
|
||||
pg_stat_all_indexes| SELECT c.oid AS relid,
|
||||
|
|
@ -1877,8 +1877,8 @@ pg_stat_gssapi| SELECT pid,
|
|||
gss_auth AS gss_authenticated,
|
||||
gss_princ AS principal,
|
||||
gss_enc AS encrypted,
|
||||
gss_deleg AS credentials_delegated
|
||||
FROM pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, gss_deleg, leader_pid, query_id)
|
||||
gss_delegation AS credentials_delegated
|
||||
FROM pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id)
|
||||
WHERE (client_port IS NOT NULL);
|
||||
pg_stat_io| SELECT backend_type,
|
||||
object,
|
||||
|
|
@ -2078,7 +2078,7 @@ pg_stat_replication| SELECT s.pid,
|
|||
w.sync_priority,
|
||||
w.sync_state,
|
||||
w.reply_time
|
||||
FROM ((pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, gss_deleg, leader_pid, query_id)
|
||||
FROM ((pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id)
|
||||
JOIN pg_stat_get_wal_senders() w(pid, state, sent_lsn, write_lsn, flush_lsn, replay_lsn, write_lag, flush_lag, replay_lag, sync_priority, sync_state, reply_time) ON ((s.pid = w.pid)))
|
||||
LEFT JOIN pg_authid u ON ((s.usesysid = u.oid)));
|
||||
pg_stat_replication_slots| SELECT s.slot_name,
|
||||
|
|
@ -2112,7 +2112,7 @@ pg_stat_ssl| SELECT pid,
|
|||
ssl_client_dn AS client_dn,
|
||||
ssl_client_serial AS client_serial,
|
||||
ssl_issuer_dn AS issuer_dn
|
||||
FROM pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, gss_deleg, leader_pid, query_id)
|
||||
FROM pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id)
|
||||
WHERE (client_port IS NOT NULL);
|
||||
pg_stat_subscription| SELECT su.oid AS subid,
|
||||
su.subname,
|
||||
|
|
|
|||
Loading…
Reference in a new issue