Re: [PATCH v20] GSSAPI encryption support
| От | Magnus Hagander |
|---|---|
| Тема | Re: [PATCH v20] GSSAPI encryption support |
| Дата | |
| Msg-id | CABUevEyuNNJv=19foa=ycTfTfBUYOEwM8_Uss5OVKrwBAy+Btw@mail.gmail.com обсуждение исходный текст |
| Ответ на | Re: [PATCH v20] GSSAPI encryption support (Joe Conway <mail@joeconway.com>) |
| Ответы |
Re: [PATCH v20] GSSAPI encryption support
(Stephen Frost <sfrost@snowman.net>)
Re: [PATCH v20] GSSAPI encryption support (Bruce Momjian <bruce@momjian.us>) |
| Список | pgsql-hackers |
On Wed, Apr 3, 2019 at 12:22 AM Joe Conway <mail@joeconway.com> wrote:
On 4/2/19 6:18 PM, Stephen Frost wrote:
> Greetings,
>
> On Tue, Apr 2, 2019 at 18:10 Peter Eisentraut
> <peter.eisentraut@2ndquadrant.com
> <mailto:peter.eisentraut@2ndquadrant.com>> wrote:
>
> On 2019-02-23 17:27, Stephen Frost wrote:
> >> About pg_hba.conf: The "hostgss" keyword seems a bit confusing.
> It only
> >> applies to encrypted gss-using connections, not all of them. Maybe
> >> "hostgssenc" or "hostgsswrap"?
> > Not quite sure what you mean here, but 'hostgss' seems to be quite
> well
> > in-line with what we do for SSL... as in, we have 'hostssl', we don't
> > say 'hostsslenc'. I feel like I'm just not understanding what you
> mean
> > by "not all of them".
>
> Reading the latest patch, I think this is still a bit confusing.
> Consider an entry like
>
> hostgss all all 0.0.0.0/0
> <http://0.0.0.0/0> gss
>
> The "hostgss" part means, the connection is GSS-*encrypted*. The "gss"
> entry in the last column means use gss for *authentication*. But didn't
> "hostgss" already imply that? No. I understand what's going on, but it
> seems quite confusing. They both just say "gss"; you have to know a lot
> about the nuances of pg_hba.conf processing to get that.
>
> If you have line like
>
> hostgss all all 0.0.0.0/0
> <http://0.0.0.0/0> md5
>
> it is not obvious that this means, if GSS-encrypted, use md5. It could
> just as well mean, if GSS-authenticated, use md5.
>
> The analogy with SSL is such that we use "hostssl" for connections using
> SSL encryption and "cert" for the authentication method. So there we
> use two different words for two different aspects of SSL.
>
>
> I don’t view it as confusing, but I’ll change it to hostgssenc as was
> suggested earlier to address that concern. It’s a bit wordy but if it
> helps reduce confusion then that’s a good thing.
Personally I don't find it as confusing as is either, and I find hostgss
to be a good analog of hostssl. On the other hand hostgssenc is long and
unintuitive. So +1 for leaving as is and -1 one for changing it IMHO.
I think for those who are well versed in pg_hba (and maybe gss as well), it's not confusing. That includes me.
However, for a new user, I can definitely see how it can be considered confusing. And confusion in *security configuration* is always a bad idea, even if it's just potential.
Thus +1 on changing it.
If it was on the table it might have been better to keep hostgss and change the authentication method to gssauth or something, but that ship sailed *years* ago.
В списке pgsql-hackers по дате отправления:
Следующее
От: Michael PaquierДата:
Сообщение: Simplify redability of some tests for toast_tuple_target instrings.sql