Re: [PATCH v20] GSSAPI encryption support

From Stephen Frost
Subject Re: [PATCH v20] GSSAPI encryption support
Msg-id 20190420012514.GS6197@tamriel.snowman.net
In reply to Re: [PATCH v20] GSSAPI encryption support  (Michael Paquier <michael@paquier.xyz>)
Replies Re: [PATCH v20] GSSAPI encryption support  (Michael Paquier <michael@paquier.xyz>)
List pgsql-hackers
Greetings,

* Michael Paquier (michael@paquier.xyz) wrote:
> On Mon, Apr 15, 2019 at 08:24:52AM -0400, Stephen Frost wrote:
> > The tests are really fast enough with one KDC that I don't think it
> > makes sense to have two independent tests.
>
> Perhaps you should add a comment about the need of unicity at the top
> of 001_auth.pl with a short description of the test?

I added some comments there that I think explain why it makes sense to
have just one test file there.

> > Please find attached a patch which updates the protocol.sgml docs that
> > Michael mentioned before, and merges the tests into one test file (while
> > adding in some additional tests to make sure that the server also agrees
> > with what our expectations are, using the pg_stat_gssapi view).
>
> Thanks for addressing all that feedback.  Parallel runs look more
> stable on my side.  At least it seems that I can re-enable it safely.

Great, glad to hear it.

> > I'll push this soon unless there are concerns.  If you get a chance to
> > test the patch out, that would be great.  It's working happily for me
> > locally.
>
> +    calling gss_init_sec_context() in a loop and sending the result to the
> Some markups should be added here for all function names.  Not all the
> clients use C either, so you may want to say "or equivalent"?

I added the markups for function names along with a sentence fragment
saying that the functions referenced are the C GSSAPI bindings, and that
equivalents can be used.

> +test_access($node, 'test1', 'SELECT gss_authenticated AND encrypted
> from pg_stat_gssapi where pid = pg_backend_pid();', 0, '', 'succeeds
> with mapping with default gssencmode and host hba');
> +test_access($node, "test1", 'SELECT gss_authenticated AND encrypted
> from pg_stat_gssapi where pid = pg_backend_pid();', 0,
> "gssencmode=prefer", "succeeds with GSS-encrypted access preferred
> with host hba");
> +test_access($node, "test1", 'SELECT gss_authenticated AND encrypted
> from pg_stat_gssapi where pid = pg_backend_pid();', 0,
> "gssencmode=require", "succeeds with GSS-encrypted access required
> with host hba");
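
Review bot: the query string 'SELECT gss_authenticated AND encrypted from pg_stat_gssapi where pid = pg_backend_pid();' is repeated verbatim in all three test_access calls, and the first call uses single quotes for 'test1' and its test name while the other two use double quotes. Holding the query in one variable and using one quoting style would leave only the gssencmode option and the test name differing between the calls, which makes a failing case easier to pick out.
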
> If you could rework a bit the indentation of the new code added in
> kerberos/t/001_auth.pl that would be nice.  I am afraid that the
> current format makes debugging harder than necessary.

I ran perltidy on it, sorry, should have done that before.

> +$node->append_conf('pg_hba.conf',
> +   qq{hostgssenc all all $hostaddr/32 gss map=mymap});
> +$node->restart;
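
Review bot: `$node->restart;` at the end of this hunk carries no comment saying why a restart is used after append_conf rather than a reload; a one-line comment above it would record the reason in the test file itself. Separately, the `$hostaddr/32` mask on the hostgssenc line is only a single-host mask if $hostaddr is an IPv4 address, so it is worth noting that assumption where $hostaddr is defined.
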
> A reload should be enough but not race-condition free, which is why a
> set of restarts is done in this test right?  (I have noticed that it
> is done this way since the beginning.)

Right, we want this to be a restart as Peter mentions downthread.

I've now pushed these changes and will mark the open item as addressed.

Thanks!

Stephen
