On Wed, Dec 06, 2023 at 10:57:15PM -0500, Tom Lane wrote: > The immediate reason for dropping that support is that Heimdal doesn't > have gss_store_cred_into(), without which we can't support delegated > credentials. AFAICT, Apple's version doesn't have that either. > We could argue about how important that feature is and whether it'd be > okay to have an Apple-only build option to not have it. However...
Ok I took a look as I was wondering why even bother calling gss_store_cred_into() or any flavor of gss_store_cred*() in postgres. I see that you always store delegated credentials into a MEMORY: cache, but... do you ever use the delegated credentials? Yes, possibly through postgres_fdw, as that uses libpq, and libpq is the only place that calls gss_init_sec_context(). (Makes me wonder though how that's going to work with OAuth w/ JWT. Perhaps postgres_fdw should use local credentials rather than those delegated by the client, but then... which credentials? That could be configurable by database, I suppose.) If, however, you kept the gss_cred_id_t deleg. cred. handle output by gss_accept_sec_context() then you could use those outright and not need to store the creds. In other words: you may not need gss_store_cred_into(). Also, if you set KRB5CCNAME=MEMORY: _before_ storing the delegated credentials then gss_store_cred() is good enough and you don't need gss_store_cred_into() or gss_store_cred_into2(). ASIDE: To use delegated credentials means: a) you would pass them (without having to "store" them) to gss_init_sec_context() to impersonate the initiator principal to some other service, and/or b) you would use gss_store_cred()/ gss_store_cred_into() / gss_store_cred_into2() to store the crendentials into a ccache of type FILE:, DIR:, API:, or KCM: and then spawn (fork/exec, posix_spawn()) a process that would use it, or send the name of that ccache to a process that would use it, where "use it" means to call gss_init_sec_context() using that ccache (or a credential handle acquired from that ccache with gss_acquire_cred_from()). Since you're using a MEMORY: ccache we can safely assume that letting another process access it is not the use-case for storing deleg. creds., as only fork() progeny that don't exec can access the same MEMORY: ccache: Nico --
