Обсуждение: Krb5 & multiple DB connections
Greetings, I've just run smack-dab into the bug described here: http://archives.postgresql.org/pgsql-interfaces/2002-05/msg00083.php and it's somewhat frustrating since the end of that thread is a reasonably small patch which fixes the problem: http://archives.postgresql.org/pgsql-interfaces/2002-05/msg00083.php Or did for that user anyway but it sure looks like it's solve my problem as well (which is also a case of using mod_auth_krb5, etc, though it breaks even for the same user since apache now, correctly, deletes and recreates the cache with a different filename for each connection). I realize it's not entirely fair (given that it was years ago) to ask this, but, anyone happen to know why the patch wasn't accepted? It almost patched cleanly against current HEAD even. I went ahead and made the few changes by hand that didn't apply cleanly and it compiled just fine; attached patch is against current HEAD and should apply cleanly. I'd really love to get this fixed. Thanks (off to go implement Tom's suggestion for pg_restore :)! Stephen
Вложения
* Stephen Frost (sfrost@snowman.net) wrote: > and it's somewhat frustrating since the end of that thread is a > reasonably small patch which fixes the problem: > > http://archives.postgresql.org/pgsql-interfaces/2002-05/msg00083.php Erp, not quite sure how I managed that, the end of the thread is *here*: http://archives.postgresql.org/pgsql-interfaces/2002-05/msg00090.php Sorry about that. Stephen
Greetings, I am writing some plugin for pq. After running ./configure and make, shall I just go to /src/bin/psql to execute my executable psql -U (usrname) dbname? It seems that my updates in the file parse_expr.c is not reflect in this executable? For example, I changed one line from if (NULL == tup) ereport(ERROR, (errcode(ERRCODE_UNDEFINED_OBJECT), errmsg("key value not found"))); --> if (NULL == tup) ereport(ERROR, (errcode(ERRCODE_UNDEFINED_OBJECT), errmsg("key value not found while building relation"))); But the program still reports key value not found when it runs. Best wishes, John
John wrote: > I am writing some plugin for pq. After running ./configure and make, > shall I just go to /src/bin/psql to execute my executable psql -U > (usrname) dbname? It seems that my updates in the file parse_expr.c > is not reflect in this executable? Evidently you're not (only) writing a plugin but changing the source code. In that case, follow the normal installation instructions. -- Peter Eisentraut http://developer.postgresql.org/~petere/
Greetings, * Stephen Frost (sfrost@snowman.net) wrote: > I realize it's not entirely fair (given that it was years ago) to ask > this, but, anyone happen to know why the patch wasn't accepted? It > almost patched cleanly against current HEAD even. I went ahead and > made the few changes by hand that didn't apply cleanly and it compiled > just fine; attached patch is against current HEAD and should apply > cleanly. I've now tested this patch at home w/ 8.2HEAD and it seems to fix the bug. I plan on testing it under 8.1.2 at work tommorowwith mod_auth_krb5, etc, and expect it'll work there. Assuming all goes well and unless someone objects I'll forwardthe patch to -patches. It'd be great to have this fixed as it'll allow us to use Kerberos to authenticate to phppgadminand other web-based tools which use Postgres. Thanks! Stephen
Greetings, * Stephen Frost (sfrost@snowman.net) wrote: > I've now tested this patch at home w/ 8.2HEAD and it seems to fix the > bug. I plan on testing it under 8.1.2 at work tommorow with > mod_auth_krb5, etc, and expect it'll work there. Assuming all goes > well and unless someone objects I'll forward the patch to -patches. > It'd be great to have this fixed as it'll allow us to use Kerberos to > authenticate to phppgadmin and other web-based tools which use > Postgres. While playing with this patch under 8.1.2 at home I discovered a mistake in how I manually applied one of the hunks to fe-auth.c. Basically, the base code had changed and so the patch needed to be modified slightly. This is because the code no longer either has a freeable pointer under 'name' or has 'name' as NULL. The attached patch correctly frees the string from pg_krb5_authname (where it had been strdup'd) if and only if pg_krb5_authname returned a string (as opposed to falling through and having name be set using name = pw->name;). Also added a comment to this effect. Please review. Thanks, Stephen
Вложения
Your patch has been added to the PostgreSQL unapplied patches list at: http://momjian.postgresql.org/cgi-bin/pgpatches It will be applied as soon as one of the PostgreSQL committers reviews and approves it. --------------------------------------------------------------------------- Stephen Frost wrote: > Greetings, > > * Stephen Frost (sfrost@snowman.net) wrote: > > I've now tested this patch at home w/ 8.2HEAD and it seems to fix the > > bug. I plan on testing it under 8.1.2 at work tommorow with > > mod_auth_krb5, etc, and expect it'll work there. Assuming all goes > > well and unless someone objects I'll forward the patch to -patches. > > It'd be great to have this fixed as it'll allow us to use Kerberos to > > authenticate to phppgadmin and other web-based tools which use > > Postgres. > > While playing with this patch under 8.1.2 at home I discovered a > mistake in how I manually applied one of the hunks to fe-auth.c. > Basically, the base code had changed and so the patch needed to be > modified slightly. This is because the code no longer either has a > freeable pointer under 'name' or has 'name' as NULL. > > The attached patch correctly frees the string from pg_krb5_authname > (where it had been strdup'd) if and only if pg_krb5_authname returned > a string (as opposed to falling through and having name be set using > name = pw->name;). Also added a comment to this effect. > Please review. > > Thanks, > > Stephen [ Attachment, skipping... ] > > ---------------------------(end of broadcast)--------------------------- > TIP 6: explain analyze is your friend -- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 359-1001+ If your life is a hard drive, | 13 Roberts Road + Christ can be your backup. | Newtown Square, Pennsylvania19073
Is this something we need for 8.1.X? --------------------------------------------------------------------------- Bruce Momjian wrote: > > Your patch has been added to the PostgreSQL unapplied patches list at: > > http://momjian.postgresql.org/cgi-bin/pgpatches > > It will be applied as soon as one of the PostgreSQL committers reviews > and approves it. > > --------------------------------------------------------------------------- > > > Stephen Frost wrote: > > Greetings, > > > > * Stephen Frost (sfrost@snowman.net) wrote: > > > I've now tested this patch at home w/ 8.2HEAD and it seems to fix the > > > bug. I plan on testing it under 8.1.2 at work tommorow with > > > mod_auth_krb5, etc, and expect it'll work there. Assuming all goes > > > well and unless someone objects I'll forward the patch to -patches. > > > It'd be great to have this fixed as it'll allow us to use Kerberos to > > > authenticate to phppgadmin and other web-based tools which use > > > Postgres. > > > > While playing with this patch under 8.1.2 at home I discovered a > > mistake in how I manually applied one of the hunks to fe-auth.c. > > Basically, the base code had changed and so the patch needed to be > > modified slightly. This is because the code no longer either has a > > freeable pointer under 'name' or has 'name' as NULL. > > > > The attached patch correctly frees the string from pg_krb5_authname > > (where it had been strdup'd) if and only if pg_krb5_authname returned > > a string (as opposed to falling through and having name be set using > > name = pw->name;). Also added a comment to this effect. > > Please review. > > > > Thanks, > > > > Stephen > > [ Attachment, skipping... ] > > > > > ---------------------------(end of broadcast)--------------------------- > > TIP 6: explain analyze is your friend > > -- > Bruce Momjian | http://candle.pha.pa.us > pgman@candle.pha.pa.us | (610) 359-1001 > + If your life is a hard drive, | 13 Roberts Road > + Christ can be your backup. | Newtown Square, Pennsylvania 19073 > > ---------------------------(end of broadcast)--------------------------- > TIP 9: In versions below 8.0, the planner will ignore your desire to > choose an index scan if your joining column's datatypes do not > match > -- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 359-1001+ If your life is a hard drive, | 13 Roberts Road + Christ can be your backup. | Newtown Square, Pennsylvania19073
* Bruce Momjian (pgman@candle.pha.pa.us) wrote: > Is this something we need for 8.1.X? Personally, I think it's a bug which should be fixed. I don't think everyone agrees on that though and there are some parts which could be a bit controversial. The main issue is that now the entire Kerberos context is recreated on each connection. Now, it's really not all that expensive generally but I can understand the preference to just reopen the ccache when it changes. I tried to do that by just free'ing and redo'ing the parts having to do w/ the ccache but it didn't quite pan out right and I havn't figured out what I did wrong yet. The other approach would be to actually track the cache name and check if it changes. That's more difficult to do correctly across platforms though I think. Thanks, Stephen
Then the patch safest for just 8.2 then. --------------------------------------------------------------------------- Stephen Frost wrote: -- Start of PGP signed section. > * Bruce Momjian (pgman@candle.pha.pa.us) wrote: > > Is this something we need for 8.1.X? > > Personally, I think it's a bug which should be fixed. I don't think > everyone agrees on that though and there are some parts which could be a > bit controversial. The main issue is that now the entire Kerberos > context is recreated on each connection. Now, it's really not all that > expensive generally but I can understand the preference to just reopen > the ccache when it changes. I tried to do that by just free'ing and > redo'ing the parts having to do w/ the ccache but it didn't quite pan > out right and I havn't figured out what I did wrong yet. The other > approach would be to actually track the cache name and check if it > changes. That's more difficult to do correctly across platforms though > I think. > > Thanks, > > Stephen -- End of PGP section, PGP failed! -- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 359-1001+ If your life is a hard drive, | 13 Roberts Road + Christ can be your backup. | Newtown Square, Pennsylvania19073
* Bruce Momjian (pgman@candle.pha.pa.us) wrote: > Then the patch safest for just 8.2 then. My hope is to come up with a better patch which will be acceptable for both 8.1.x and 8.2.. I'll try and come up with something this week. I don't think it's a huge issue if it's not in 8.1.3 tho. Thanks, Stephen
Patch applied. Thanks. Backpatched to 8.1.X. --------------------------------------------------------------------------- Stephen Frost wrote: > Greetings, > > * Stephen Frost (sfrost@snowman.net) wrote: > > I've now tested this patch at home w/ 8.2HEAD and it seems to fix the > > bug. I plan on testing it under 8.1.2 at work tommorow with > > mod_auth_krb5, etc, and expect it'll work there. Assuming all goes > > well and unless someone objects I'll forward the patch to -patches. > > It'd be great to have this fixed as it'll allow us to use Kerberos to > > authenticate to phppgadmin and other web-based tools which use > > Postgres. > > While playing with this patch under 8.1.2 at home I discovered a > mistake in how I manually applied one of the hunks to fe-auth.c. > Basically, the base code had changed and so the patch needed to be > modified slightly. This is because the code no longer either has a > freeable pointer under 'name' or has 'name' as NULL. > > The attached patch correctly frees the string from pg_krb5_authname > (where it had been strdup'd) if and only if pg_krb5_authname returned > a string (as opposed to falling through and having name be set using > name = pw->name;). Also added a comment to this effect. > Please review. > > Thanks, > > Stephen [ Attachment, skipping... ] > > ---------------------------(end of broadcast)--------------------------- > TIP 6: explain analyze is your friend -- Bruce Momjian http://candle.pha.pa.us SRA OSS, Inc. http://www.sraoss.com + If your life is a hard drive, Christ can be your backup. +