Re: Fwd: [PATCHES] Preliminary GSSAPI Patches
From | Henry B. Hotz |
---|---|
Subject | Re: Fwd: [PATCHES] Preliminary GSSAPI Patches |
Date | |
Msg-id | 8C1025B6-80F8-414A-BAA6-42F239E1F397@jpl.nasa.gov |
In reply to | Fwd: [PATCHES] Preliminary GSSAPI Patches ("Henry B. Hotz" <hotz@jpl.nasa.gov>) |
Responses | Re: Fwd: [PATCHES] Preliminary GSSAPI Patches (Tom Lane <tgl@sss.pgh.pa.us>) |
List | pgsql-hackers |
Excuse me for replying to myself, but maybe it would be clearer if I said this the other way around: The existing Kerberos support uses a C API that is not supported in Java or on Windows, and probably never will be. If we want to support Kerberos on *all* platforms (and if we want expandability to non-Kerberos, non-password authentication methods) then Postgres should use the GSSAPI instead. The submitted patches allow that.

I tend to regard this as a comparable migration to the Kerb4 -> Kerb5 one. In time it should be a complete replacement. In time we will be able to rip out the existing Kerb5 code.

On Apr 30, 2007, at 3:23 PM, Henry B. Hotz wrote:

> OK, so posted. ;-)
>
> To clarify for the larger audience: without the plain "gss" mechanism, the "gss-np" mechanism provides exactly the same functionality as the existing krb5 mechanism. It will properly secure the initial connection, but will not do anything once the connection is established. If the Kerberos GSSAPI mechanism is used then it will follow exactly the same naming and file location conventions.
>
> What you gain is 1) it builds on Solaris 8+ with the built-in system Kerberos support (no separate Kerberos install needed), 2) the mechanism is portable to Java and native Windows clients, and 3) if you have a mechanism other than Kerberos available (e.g. SPKM, or SPNEGO/NTLM) in your GSSAPI then you could use it in place of Kerberos.
>
> I'm afraid that the politics at work that might have caused an adoption of a GSSAPI/JGSS Postgres Java client have changed, and they will be using MySQL instead. |-( Given what I've said here, I still feel obligated to provide Java mods, but your timeline will affect mine.
>
> Begin forwarded message:
>
>> From: Bruce Momjian <bruce@momjian.us>
>> Date: April 30, 2007 2:22:08 PM PDT
>> To: "Henry B. Hotz" <hotz@jpl.nasa.gov>
>> Subject: Re: [PATCHES] Preliminary GSSAPI Patches
>>
>> Please post this info to the hackers list and we will deal with it. I am thinking we might just keep this all for 8.4.
>>
>> Henry B. Hotz wrote:
>>> Thanks!
>>>
>>> As noted, the patch is incomplete w.r.t. the "gss" auth mech because it does not include code to actually encrypt the channel with the key derived from the auth mech. I confess I have so far been unsuccessful in inserting an additional layer of buffering to handle the block encryption.
>>>
>>> Would you like a new version of the patch with the incomplete functionality commented out (or otherwise removed)?
>>>
>>> Absent a volunteer to help, I think I should concentrate on getting the "gss-np" unprotected auth mech supported in the Java client.
>>>
>>> On Apr 26, 2007, at 4:09 PM, Bruce Momjian wrote:
>>>
>>>> Your patch has been added to the PostgreSQL unapplied patches list at:
>>>>
>>>> http://momjian.postgresql.org/cgi-bin/pgpatches
>>>>
>>>> It will be applied as soon as one of the PostgreSQL committers reviews and approves it.
>>>>
>>>> Henry B. Hotz wrote:
>>>>> These patches have been reasonably tested (and cross-tested) on Solaris 9 (SPARC) and MacOS 10.4 (both G4 and Intel) with the native GSSAPI libraries. They implement the gss-np and (incompletely) the gss authentication methods. Unlike the current krb5 method gssapi has native support in Java and (with the SSPI) on Windows.
>>>>>
>>>>> I still have bugs in the security layer for the gss method. Hopefully will finish getting them ironed out today or tomorrow.
>>>>>
>>>>> Documentation is in the README.GSSAPI file. Make sure you get it created when you apply the patches.
>>>>
>>>> [ Attachment, skipping... ]
>>>>
>>>>> ------------------------------------------------------------------------
>>>>> The opinions expressed in this message are mine,
>>>>> not those of Caltech, JPL, NASA, or the US Government.
>>>>> Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
>>>>
>>>> --
>>>> Bruce Momjian <bruce@momjian.us> http://momjian.us
>>>> EnterpriseDB http://www.enterprisedb.com
>>>>
>>>> + If your life is a hard drive, Christ can be your backup. +
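The buffering problem Hotz describes for the "gss" method (his `>>>`-quoted message above) is the general shape of a record layer: gss_unwrap() consumes whole tokens, while a TCP socket delivers arbitrary byte chunks, so each wrapped token has to be length-prefixed on the wire and reassembled before it can be unwrapped, and the receiver must bound the advertised length before it starts buffering. The following is an added example, not code from the patch or from PostgreSQL. It uses an HMAC-SHA256 stand-in for gss_wrap()/gss_unwrap() (integrity only, like gss_wrap() with conf_req_flag=0) so that it runs offline without a Kerberos realm; the session key, the record-size cap, the function names and the sample queries are all constructed for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo key. With a real GSSAPI context the session key lives inside
# the gss_ctx_id_t returned by gss_init_sec_context()/gss_accept_sec_context()
# and is never handled by application code.
DEMO_SESSION_KEY = b"constructed-demo-session-key-not-real"

TAG_LEN = hashlib.sha256().digest_size   # 32-byte integrity tag
HEADER = struct.Struct("!I")             # 4-byte big-endian token length
MAX_TOKEN_LEN = 16 * 1024                # demo cap; reject before buffering


def stand_in_wrap(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for gss_wrap(): HMAC-SHA256 tag || plaintext (integrity only)."""
    tag = hmac.new(key, plaintext, hashlib.sha256).digest()
    return tag + plaintext


def stand_in_unwrap(key: bytes, token: bytes) -> bytes:
    """Stand-in for gss_unwrap(): verify the tag, return the plaintext."""
    if len(token) < TAG_LEN:
        raise ValueError("token shorter than its integrity tag")
    tag, plaintext = token[:TAG_LEN], token[TAG_LEN:]
    expected = hmac.new(key, plaintext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("token failed integrity check")
    return plaintext


def frame_record(key: bytes, plaintext: bytes) -> bytes:
    """Sender side: wrap one application record and prefix the token length."""
    token = stand_in_wrap(key, plaintext)
    if len(token) > MAX_TOKEN_LEN:
        raise ValueError("record too large for one token")
    return HEADER.pack(len(token)) + token


class RecordReader:
    """Receiver side: the buffering layer between the socket and unwrap.

    Bytes arrive in arbitrary chunks. Nothing is handed to unwrap until a
    complete token is present, and one chunk may carry several tokens.
    """

    def __init__(self, key: bytes):
        self.key = key
        self.buf = bytearray()

    def feed(self, data: bytes) -> list:
        self.buf += data
        records = []
        while len(self.buf) >= HEADER.size:
            (token_len,) = HEADER.unpack_from(self.buf)
            if token_len > MAX_TOKEN_LEN:
                # Checked before waiting for the body, so a peer cannot make
                # us buffer without bound by sending a huge length field.
                raise ValueError("advertised token length exceeds limit")
            end = HEADER.size + token_len
            if len(self.buf) < end:
                break                       # partial token: wait for more bytes
            token = bytes(self.buf[HEADER.size:end])
            del self.buf[:end]
            records.append(stand_in_unwrap(self.key, token))
        return records


def simulate_stream(key: bytes, messages, chunk_size: int) -> list:
    """Send several records through a stream delivered in chunk_size pieces."""
    wire = b"".join(frame_record(key, m) for m in messages)
    reader = RecordReader(key)
    received = []
    for i in range(0, len(wire), chunk_size):
        received.extend(reader.feed(wire[i:i + chunk_size]))
    return received


if __name__ == "__main__":
    msgs = [b"SELECT 1;", b"SELECT current_user;", b"COMMIT;"]
    for size in (1, 7, 64, 4096):
        assert simulate_stream(DEMO_SESSION_KEY, msgs, size) == msgs
    print("all records recovered at every chunk size")
```

The receiver never calls unwrap on a partial token and never trusts the length field beyond the cap, which is the two properties a real gss_wrap()-based channel needs from its buffering layer regardless of which GSSAPI mechanism produced the tokens.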