On 30 November 2014 at 15:02, Noah Misch <n...@leadboat.com> wrote:

> On Sun, Sep 21, 2014 at 02:31:15AM -0400, Noah Misch wrote:
> > It then dawned on me that every Windows build of PostgreSQL already has
> a way
> > to limit connections to a particular OS user.  SSPI authentication is
> > essentially the Windows equivalent of peer authentication.  A brief trial
> > thereof looked promising.  Regression runs will need a pg_ident.conf
> listing
> > each role used in the regression tests.  That's not ideal, but the
> buildfarm
> > will quickly reveal any omissions.  Unless someone sees a problem here,
> I will
> > look at fleshing this out into a complete patch.  I bet it will even
> turn out
> > to be back-patchable.
> That worked out nicely.  "pg_regress --temp-install" rewrites pg_ident.conf
> and pg_hba.conf such that the current OS user may authenticate as the
> bootstrap superuser and as any user named in --create-role.  Suites not
> using
> --temp-install (pg_upgrade, TAP) call "pg_regress --config-auth=DATADIR" to
> pick up those same configuration changes.  My hope is that out-of-tree test
> harnesses wanting this hardening can do likewise.  On non-Windows systems,
> "pg_regress --config-auth" does nothing.
f6dc6dd seems to have broken vcregress check for me:

D:\Postgres\a\src\tools\msvc>vcregress check
============== removing existing temp installation    ==============
============== creating temporary installation        ==============
============== initializing database system           ==============
============== starting postmaster                    ==============

pg_regress: postmaster did not respond within 60 seconds
Examine D:/Postgres/a/src/test/regress/log/postmaster.log for the reason

The postmaster.log reads:

LOG:  database system was shut down at 2014-12-25 15:26:33 NZDT
LOG:  database system is ready to accept connections
LOG:  autovacuum launcher started
FATAL:  no pg_hba.conf entry for host "::1", user "David", database
FATAL:  no pg_hba.conf entry for host "::1", user "David", database

Having a look at the pg_hba.conf that's been generated by pgregress, it
looks like it only adds a line for IPv4 addresses.

I'll admit that I don't have a great understanding of what the SSPI stuff
is about, but at least the attached patch seems to fix the problem for me.


David Rowley
diff --git a/src/test/regress/pg_regress.c b/src/test/regress/pg_regress.c
index cb092f9..e2adaca 100644
--- a/src/test/regress/pg_regress.c
+++ b/src/test/regress/pg_regress.c
@@ -1085,6 +1085,8 @@ config_sspi_auth(const char *pgdata)
        CW(fputs("# Configuration written by config_sspi_auth()\n", hba) >= 0);
        CW(fputs("host all all  sspi include_realm=1 
                         hba) >= 0);
+       CW(fputs("host all all ::1/128  sspi include_realm=1 map=regress\n",
+                        hba) >= 0);
        CW(fclose(hba) == 0);
        snprintf(fname, sizeof(fname), "%s/pg_ident.conf", pgdata);
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:

Reply via email to