Re: pg16 && GSSAPI && Heimdal/Macos

Jacob Champion <jacob.champion@enterprisedb.com> writes:
> - I also want to draw attention to the fact that libpq can't claim
> that a credential is delegated if it's not; that breaks the security
> of our FDWs. So pg_store_delegated_credential() cannot be a no-op.

Right.  What I had in mind if we cannot find an alternative
implementation was

void
pg_store_delegated_credential(gss_cred_id_t cred)
{
#ifdef HAVE_GSS_STORE_CRED_INTO
...
    major = gss_store_cred_into(&minor,
...
#else
    elog(ERROR, "credential delegation is not implemented");
#endif
}

combined with a check_hook that prevents the gss_accept_delegation
GUC from being set to "true" if not HAVE_GSS_STORE_CRED_INTO.
(That should make the above-depicted elog unreachable, but
belt and suspenders too isn't a bad plan.)

            regards, tom lane