Discussion: pg16 && GSSAPI && Heimdal/Macos
Earlier this year, there was a thread about GSSAPI for delegated credentials and various operating systems, ultimately that Heimdal had atrophied enough that you were comfortable not supporting it anymore as a GSSAPI library.

Thread: https://www.postgresql.org/message-id/flat/ZDFTailRZzyGdbXl%40tamriel.snowman.net#7b4b7354bc3ea060fb26d51565f0ad67

In https://www.postgresql.org/message-id/3598083.1680976022%40sss.pgh.pa.us, Tom Lane said:

> I share your feeling that we could probably blow off Apple's built-in
> GSSAPI. MacPorts offers both Heimdal and kerberos5, and I imagine
> Homebrew has at least one of them, so Mac people could easily get
> hold of newer implementations.

I wanted to follow up on the decision to blow off Apple's built-in GSSAPI.

Years back, for reasons I never found, Apple switched from MIT to Heimdal and have been maintaining their own version of it. I'm not clear how well they maintain it, but they have enhanced it. One of the things that Apple put in was a different centralized credentials cache system (named in the form "API:uuid"). This isn't in Heimdal, nor is it in MIT, so typical Kerberos tickets issued by the Apple-provided Kerberos libraries are not accessible via other Kerberos versions provided by homebrew/macports/etc. (netbsd pkgsrc on macos can be told to use the system libraries, which is what I do). Installing a parallel version makes the client experience awful, since it means having to manage two sets of tickets and ticket caches, and which one gets used varies depending on what libraries they were linked against.

As you may have surmised, I use a mac as a client and use gssapi pretty heavily to interact with numerous postgresql databases. This has stopped me from upgrading my client side to 16. I'm wondering if there'd be any willingness to reconsider heimdal support under some circumstances?

thanks,
-Todd
kovert@omniscient.com writes:

> Earlier this year, there was a thread about GSSAPI for delegated
> credentials and various operating systems, ultimately that Heimdal had
> atrophied enough that you were comfortable not supporting it anymore as
> a GSSAPI library.

Yup.

> As you may have surmised, I use a mac as a client and use gssapi pretty
> heavily to interact with numerous postgresql databases. This has stopped
> me from upgrading my client side to 16. I'm wondering if there'd be any
> willingness to reconsider heimdal support under some circumstances?

The immediate reason for dropping that support is that Heimdal doesn't have gss_store_cred_into(), without which we can't support delegated credentials. AFAICT, Apple's version doesn't have that either. We could argue about how important that feature is and whether it'd be okay to have an Apple-only build option to not have it. However...

... there's another good reason to shy away from relying on Apple's library, which is that they've conspicuously marked all the standard Kerberos functions as deprecated. It's not clear if that means they're planning to remove them outright, but surely it's an indicator that Apple doesn't want outside code calling them. The deprecation notices that you get if you try to build anyway say "use GSS.framework". So if somebody wanted to try to support this in a somewhat future-proof way, the thing to do would be to look into how invasive it'd be to do it like that. That's not something I plan to put any effort into, but if you're desperate enough for this, maybe you could push that forward.

regards, tom lane
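A way to check, before building, whether the GSSAPI library a given toolchain links against actually exports gss_store_cred_into(), the call Tom names above as the reason delegated credentials cannot be supported on Heimdal. This is an added example written for this page, not code from the thread or from PostgreSQL's configure script; it mimics a configure-style link probe and assumes a C compiler reachable as `CC` (default `cc`) and a library flag in `GSS_LIBS` (default `-lgssapi_krb5`, the MIT name; Heimdal builds typically use `-lgssapi`).

```shell
#!/bin/sh
# Added example: probe whether the linked GSSAPI library exports
# gss_store_cred_into(). Prints "yes", "no", or "skipped" (no compiler).
# Assumptions (not from the thread): CC names a C compiler, GSS_LIBS holds
# the linker flag(s) for the GSSAPI library to test.
gss_store_cred_into_probe() {
    cc_bin="${CC:-cc}"
    libs="${GSS_LIBS:--lgssapi_krb5}"

    command -v "$cc_bin" >/dev/null 2>&1 || { echo skipped; return 0; }
    tmpdir=$(mktemp -d 2>/dev/null) || { echo skipped; return 0; }

    # Link-only probe, in the style of autoconf's function checks: declare
    # the symbol with a dummy prototype and reference it so the linker has
    # to resolve it. No GSSAPI headers are needed, so the probe works the
    # same against MIT, Heimdal, or a library that lacks the symbol.
    cat > "$tmpdir/probe.c" <<'EOF'
extern void gss_store_cred_into(void);
int main(void) { gss_store_cred_into(); return 0; }
EOF

    # $libs is deliberately unquoted so several flags can be passed.
    if "$cc_bin" -o "$tmpdir/probe" "$tmpdir/probe.c" $libs \
            >"$tmpdir/build.log" 2>&1; then
        result=yes
    else
        result=no
    fi
    rm -rf "$tmpdir"
    echo "$result"
}

# Stand-alone use: report which library was tested and the verdict.
echo "GSSAPI libs: ${GSS_LIBS:--lgssapi_krb5} -> $(gss_store_cred_into_probe)"
```

Run it once per candidate library (system, Homebrew, MacPorts) by varying `GSS_LIBS`; a "no" against the library libpq will be linked with means PostgreSQL 16's delegated-credential support cannot be built against it.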