Fixing cache pollution in the Kerberos test suite

Mon, 25 Jan 2021 10:33:41 -0800 

Hi all,

I was running tests with a GSS-enabled stack, and ran into some very
long psql timeouts after running the Kerberos test suite. It turns out
the suite pushes test credentials into the user's global cache, and
these no-longer-useful credentials persist after the suite has
finished. (You can see this in action by running the test/kerberos
suite and then running `klist`.) This leads to long hangs, I assume
while the GSS implementation tries to contact a KDC that no longer
exists.
Attached is a patch that initializes a local credentials cache inside
tmp_check/krb5cc, and tells psql to use it via the KRB5CCNAME envvar.
This prevents the global cache pollution. WDYT?

--Jacob

From c9532e72a762abeef0996ad8df5da9bbdedbccad Mon Sep 17 00:00:00 2001
From: Jacob Champion <pchamp...@vmware.com>
Date: Mon, 25 Jan 2021 09:32:44 -0800
Subject: [PATCH] test/kerberos: use a local credentials cache

Previously, the Kerberos test suite pushed credentials into the user's
default credentials cache. This modified any credentials the user
already had, and could cause other psql invocations to misbehave later,
as the GSS implementation attempted to use the globally cached test
credentials.

Use a local credentials cache at tmp_check/krb5cc instead. Clients can
be directed to use this cache via the KRB5CCNAME environment variable.
---
 src/test/kerberos/t/001_auth.pl | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/test/kerberos/t/001_auth.pl b/src/test/kerberos/t/001_auth.pl
index 8625059149..d329cb06e3 100644
--- a/src/test/kerberos/t/001_auth.pl
+++ b/src/test/kerberos/t/001_auth.pl
@@ -75,6 +75,10 @@ my $kdc_datadir = "${TestLib::tmp_check}/krb5kdc";
 my $kdc_pidfile = "${TestLib::tmp_check}/krb5kdc.pid";
 my $keytab      = "${TestLib::tmp_check}/krb5.keytab";
 
+# Avoid polluting the global credentials cache by creating our own and pointing
+# psql to it later using KRB5CCNAME.
+my $krb5_cache  = "${TestLib::tmp_check}/krb5cc";
+
 my $dbname = 'postgres';
 my $username = 'test1';
 my $application = '001_auth.pl';
@@ -185,6 +189,9 @@ sub test_access
 {
 	my ($node, $role, $query, $expected_res, $gssencmode, $test_name, $expect_log_msg) = @_;
 
+	# Use our local credentials cache.
+	local $ENV{KRB5CCNAME} = $krb5_cache;
+
 	# need to connect over TCP/IP for Kerberos
 	my ($res, $stdoutres, $stderrres) = $node->psql(
 		'postgres',
@@ -241,6 +248,9 @@ sub test_query
 {
 	my ($node, $role, $query, $expected, $gssencmode, $test_name) = @_;
 
+	# Use our local credentials cache.
+	local $ENV{KRB5CCNAME} = $krb5_cache;
+
 	# need to connect over TCP/IP for Kerberos
 	my ($res, $stdoutres, $stderrres) = $node->psql(
 		'postgres',
@@ -270,7 +280,7 @@ test_access($node, 'test1', 'SELECT true', 2, '',
 	'does not log unauthenticated principal',
 	"(test1:[unknown]) FATAL:  GSSAPI authentication failed");
 
-run_log [ $kinit, 'test1' ], \$test1_password or BAIL_OUT($?);
+run_log [ $kinit, '-c', $krb5_cache, 'test1' ], \$test1_password or BAIL_OUT($?);
 
 test_access($node, 'test1', 'SELECT true', 2, '', 'fails without mapping', '');
 
-- 
2.25.1

Reply via email to