Re: [PATCH v20] GSSAPI encryption support

From: Michael Paquier
Subject: Re: [PATCH v20] GSSAPI encryption support
Date:
Msg-id: 20190416043641.GE2673@paquier.xyz
In response to: Re: [PATCH v20] GSSAPI encryption support  (Stephen Frost <sfrost@snowman.net>)
Responses: Re: [PATCH v20] GSSAPI encryption support  (Peter Eisentraut <peter.eisentraut@2ndquadrant.com>)
Re: [PATCH v20] GSSAPI encryption support  (Stephen Frost <sfrost@snowman.net>)
List: pgsql-hackers
On Mon, Apr 15, 2019 at 08:24:52AM -0400, Stephen Frost wrote:
> The tests are really fast enough with one KDC that I don't think it
> makes sense to have two independent tests.

Perhaps you should add a comment about the need of unicity at the top
of 001_auth.pl with a short description of the test?

> Please find attached a patch which updates the protocol.sgml docs that
> Michael mentioned before, and merges the tests into one test file (while
> adding in some additional tests to make sure that the server also agrees
> with what our expectations are, using the pg_stat_gssapi view).

Thanks for addressing all that feedback.  Parallel runs look more
stable on my side.  At least it seems that I can re-enable it safely.

> I'll push this soon unless there are concerns.  If you get a chance to
> test the patch out, that would be great.  It's working happily for me
> locally.

+    calling gss_init_sec_context() in a loop and sending the result to the
Some markups should be added here for all function names.  Not all the
clients use C either, so you may want to say "or equivalent"?

+test_access($node, 'test1', 'SELECT gss_authenticated AND encrypted
from pg_stat_gssapi where pid = pg_backend_pid();', 0, '', 'succeeds
with mapping with default gssencmode and host hba');
+test_access($node, "test1", 'SELECT gss_authenticated AND encrypted
from pg_stat_gssapi where pid = pg_backend_pid();', 0,
"gssencmode=prefer", "succeeds with GSS-encrypted access preferred
with host hba");
+test_access($node, "test1", 'SELECT gss_authenticated AND encrypted
from pg_stat_gssapi where pid = pg_backend_pid();', 0,
"gssencmode=require", "succeeds with GSS-encrypted access required
with host hba");
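
Review bot: The same pg_stat_gssapi query literal is repeated in all three test_access calls, and the first call uses single quotes for 'test1', the options and the test name while the other two use double quotes. Hoisting the query into one variable and settling on one quoting style would shorten each call and make the only real difference between the cases, the gssencmode argument ('', "gssencmode=prefer", "gssencmode=require"), stand out.
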
If you could rework a bit the indentation of the new code added in
kerberos/t/001_auth.pl that would be nice.  I am afraid that the
current format makes debugging harder than necessary.

+$node->append_conf('pg_hba.conf',
+   qq{hostgssenc all all $hostaddr/32 gss map=mymap});
+$node->restart;
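
Review bot: append_conf adds the hostgssenc record at the end of pg_hba.conf, and the server uses the first record that matches a connection, so this rule is only exercised if no earlier record matches the same host and user. If the file is not reset immediately before this hunk, reset it here, or add a comment above the append_conf call saying that it was.
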
A reload should be enough but not race-condition free, which is why a
set of restarts is done in this test, right?  (I have noticed that it
is done this way since the beginning.)
--
Michael
