Re: [PATCH v20] GSSAPI encryption support

From: Joe Conway
Subject: Re: [PATCH v20] GSSAPI encryption support
Msg-id: 500b1be7-d0aa-96a2-9982-d748609faff5@joeconway.com
In reply to: Re: [PATCH v20] GSSAPI encryption support  (Stephen Frost <sfrost@snowman.net>)
Responses: Re: [PATCH v20] GSSAPI encryption support  (Magnus Hagander <magnus@hagander.net>)
List: pgsql-hackers
On 4/2/19 6:18 PM, Stephen Frost wrote:
> Greetings,
> 
> On Tue, Apr 2, 2019 at 18:10 Peter Eisentraut
> <peter.eisentraut@2ndquadrant.com> wrote:
> 
>     On 2019-02-23 17:27, Stephen Frost wrote:
>     >> About pg_hba.conf: The "hostgss" keyword seems a bit confusing.  It only
>     >> applies to encrypted gss-using connections, not all of them.  Maybe
>     >> "hostgssenc" or "hostgsswrap"?
>     > Not quite sure what you mean here, but 'hostgss' seems to be quite well
>     > in-line with what we do for SSL...  as in, we have 'hostssl', we don't
>     > say 'hostsslenc'.  I feel like I'm just not understanding what you mean
>     > by "not all of them".
> 
>     Reading the latest patch, I think this is still a bit confusing.
>     Consider an entry like
> 
>         hostgss all             all             0.0.0.0/0               gss
> 
>     The "hostgss" part means, the connection is GSS-*encrypted*.  The "gss"
>     entry in the last column means use gss for *authentication*.  But didn't
>     "hostgss" already imply that?  No.  I understand what's going on, but it
>     seems quite confusing.  They both just say "gss"; you have to know a lot
>     about the nuances of pg_hba.conf processing to get that.
> 
>     If you have line like
> 
>         hostgss all             all             0.0.0.0/0               md5
> 
>     it is not obvious that this means, if GSS-encrypted, use md5.  It could
>     just as well mean, if GSS-authenticated, use md5.
> 
>     The analogy with SSL is such that we use "hostssl" for connections using
>     SSL encryption and "cert" for the authentication method.  So there we
>     use two different words for two different aspects of SSL.
> 
> 
> I don’t view it as confusing, but I’ll change it to hostgssenc as was
> suggested earlier to address that concern.  It’s a bit wordy but if it
> helps reduce confusion then that’s a good thing.

Personally I don't find it as confusing as is either, and I find hostgss
to be a good analog of hostssl. On the other hand hostgssenc is long and
unintuitive. So +1 for leaving as is and -1 for changing it IMHO.

Joe
-- 
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development
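An added example to make the distinction being argued about concrete (this is not code from the patch, from PostgreSQL, or from anyone in the thread): a small Python parser that splits each pg_hba.conf entry into its connection-type column, which constrains the transport, and its authentication-method column, which is decided independently. It uses the `hostgssenc`/`hostnogssenc` keywords that PostgreSQL 12 eventually shipped; the sample entries, the transport descriptions and the `check()` rule are constructed for this example.

```python
"""Separate the transport requirement of a pg_hba.conf entry from its auth method.

Added example, not PostgreSQL's own code.  The point of the thread is that
"hostgssenc ... md5" means *GSS-encrypted transport, password authentication*,
while "hostgssenc ... gss" means *GSS-encrypted transport, Kerberos
authentication*: the two columns answer two different questions.
"""
import re

# Connection-type keyword -> what it demands of the transport layer.
# hostgssenc / hostnogssenc are the names PostgreSQL 12 shipped with.
TRANSPORT = {
    "local":        "unix socket",
    "host":         "tcp, any (plain, ssl or gss-encrypted)",
    "hostssl":      "tcp, must be ssl-encrypted",
    "hostnossl":    "tcp, must not be ssl-encrypted",
    "hostgssenc":   "tcp, must be gss-encrypted",
    "hostnogssenc": "tcp, must not be gss-encrypted",
}

# Methods that only work on one kind of transport.  Note that 'gss' is NOT
# here: Kerberos authentication works regardless of whether the connection
# is GSS-encrypted, which is exactly why the two columns are independent.
TRANSPORT_BOUND_AUTH = {
    "cert": "hostssl",   # client-certificate auth needs an SSL connection
}

IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Constructed sample file for this example.
SAMPLE_HBA = """\
# TYPE       DATABASE  USER  ADDRESS                  METHOD
local        all       all                            peer
hostssl      all       all   0.0.0.0/0                cert clientcert=1
hostgssenc   all       all   0.0.0.0/0                gss
hostgssenc   all       all   0.0.0.0/0                md5
host         all       all   192.168.0.0 255.255.0.0  cert
hostnogssenc all       all   10.0.0.0/8               scram-sha-256
"""


def parse_hba(text):
    """Return one dict per non-comment entry, transport and method kept apart."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        conn_type = f[0]
        if conn_type not in TRANSPORT:
            raise ValueError(f"line {lineno}: unknown connection type {conn_type!r}")
        if conn_type == "local":
            # 'local' entries have no ADDRESS column.
            if len(f) < 4:
                raise ValueError(f"line {lineno}: too few fields")
            database, user, address, rest = f[1], f[2], None, f[3:]
        else:
            if len(f) < 5:
                raise ValueError(f"line {lineno}: too few fields")
            database, user, address, rest = f[1], f[2], f[3], f[4:]
            # pg_hba.conf also accepts "ADDRESS NETMASK" as two columns.
            if "/" not in address and rest and IPV4_RE.match(rest[0]):
                address = f"{address} {rest[0]}"
                rest = rest[1:]
        if not rest:
            raise ValueError(f"line {lineno}: missing authentication method")
        method, options = rest[0], rest[1:]
        entries.append({
            "line": lineno, "type": conn_type, "transport": TRANSPORT[conn_type],
            "database": database, "user": user, "address": address,
            "method": method, "options": options,
        })
    return entries


def describe(entry):
    """Spell out the two independent decisions one entry encodes."""
    where = f" from {entry['address']}" if entry["address"] else ""
    return (f"line {entry['line']}: transport = {entry['transport']}; "
            f"authenticate {entry['user']}@{entry['database']}{where} "
            f"with {entry['method']}")


def check(entries):
    """Warn about methods that need a transport the type cannot guarantee."""
    warnings = []
    for e in entries:
        needed = TRANSPORT_BOUND_AUTH.get(e["method"])
        if needed and e["type"] != needed:
            warnings.append(f"line {e['line']}: method {e['method']!r} "
                            f"requires type {needed!r}, got {e['type']!r}")
    return warnings


if __name__ == "__main__":
    parsed = parse_hba(SAMPLE_HBA)
    for entry in parsed:
        print(describe(entry))
    for warning in check(parsed):
        print("WARNING", warning)
```

Running it prints one line per entry; the two `hostgssenc` entries come out with the same transport requirement but different authentication methods, which is the reading Peter's message says is hard to infer from the keywords alone. The `check()` rule mirrors the one transport-bound method the thread's SSL analogy relies on (`cert` needs `hostssl`); `gss` deliberately has no such binding.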


