Thanks Bharath for your comments.

On Wed, Oct 28, 2020 at 9:48 AM Bharath Rupireddy <bharath.rupireddyforpostg...@gmail.com> wrote:
>
> On Wed, Oct 28, 2020 at 8:29 AM vignesh C <vignes...@gmail.com> wrote:
> >
> > Log message for GSS connection is missing once connection
> > authorization is successful. We have similar log messages for SSL
> > connections once the connection authorization is successful. This
> > message will help the user to identify the connection that was
> > selected from the logfile. I'm not sure if this log message was
> > intentionally left out due to some reason for GSS.
> > If the above analysis looks correct, then please find a patch that
> > adds log for gss connections.
> >
> > Thoughts?
> >
>
> +1 for the idea. This is useful in knowing whether or not the user is
> authenticated using GSS APIs.
>
> Here are few comments on the patch:
>
> 1. How about using(like below) #ifdef, #elif ... #endif directives
> instead of #ifdef, #endif, #ifdef, #endif?
>
> #ifdef USE_SSL
>    blah,blah,blah...
> #elif defined(ENABLE_GSS)
>    blah,blah,blah...
> #else
>    blah,blah,blah...
> #endif
>

I preferred the way it is in the patch to maintain the similar style that is used in other places like fe-connect.c.

> 2. I think we must use be_gssapi_get_auth(port) instead of
> be_gssapi_get_enc(port) in the if condition, because we log for gss
> authentications irrespective of encoding is enabled or not. Put it
> another way, maybe gss authentications are possible without
> encoding[1]. We can have the information whether the encryption is
> enabled or not in the log message, be_gssapi_get_enc(port) ? _("on") :
> _("off"),.
> #ifdef ENABLE_GSS
>     if (be_gssapi_get_enc(port))
>         ereport(LOG,
>
> We do not need be_gssapi_get_auth(port) ? _("on") : _("off") this in
> the log message, only in the if condition we need this check.
>
> [1] By looking at the below code it seems that gss authentication
> without encryption is possible.
> #ifdef ENABLE_GSS
>     port->gss->auth = true;
>     if (port->gss->enc)
>         status = pg_GSS_checkauth(port);
>     else
>     {
>         sendAuthRequest(port, AUTH_REQ_GSS, NULL, 0);
>         status = pg_GSS_recvauth(port);
>     }

Stephen also shared his thoughts for the above changes, I have provided an updated patch for the same in the previous mail. Please have a look and let me know if you have any comments.

Regards,
Vignesh
EnterpriseDB: http://www.enterprisedb.com