Re: [HACKERS] Built-in plugin for logical decoding output

, Henry On Tue, Sep 26, 2017 at 9:37 AM Alvaro Hernandez <a...@ongres.com> wrote: > > > On 26/09/17 17:50, Craig Ringer wrote: > > On 26 September 2017 at 22:14, Magnus Hagander <mag...@hagander.net> > wrote: > >> >> >> On Tue, Sep 26, 2017 a

Re: [HACKERS] [RFC] What would be difficult to make data models pluggable for making PostgreSQL a multi-model database?

if there are any rough design/plans for this... https://wiki.postgresql.org/wiki/Fujitsu_roadmap#Multi-model_database - *graph: Natively support graph data model. Implement Cypher and/or Gremlin as the query language through UDFs.* Thank you, Henry On Sun, Sep 3, 2017 at 1:14 PM MauMau

Re: [HACKERS] [RFC] What would be difficult to make data models pluggable for making PostgreSQL a multi-model database?

This may be interesting... they implement cypher (unfortunately they had to fork in order to have cypher be a first class query language with SQL). https://github.com/bitnine-oss/agensgraph On Mon, Aug 21, 2017 at 12:44 AM Chris Travers wrote: > On Sun, Aug 20, 2017

Re: [HACKERS] SSL renegotiation

Renegotiation should be a best practice. Trouble is it's been broken (at the protocol level) three times in the last few years so it's a massive hole in practice. Ideally we should leave the renegotiate in, and only remove it if configure detects a broken version of TLS. Personal email.

Re: [HACKERS] reducing our reliance on MD5

SASL was done by many of the same people who did GSSAPI. It's main practical advantages are that it supports password-based mechanisms (in addition to GSSAPI/krb5), and that it’s more explicitly pluggable than GSSAPI is. The password mechanism is simple enough that it's frequently implemented

Re: [HACKERS] Plans for 8.4

On Jul 31, 2008, at 7:58 AM, Magnus Hagander wrote: Stephen Frost wrote: * Henry B. Hotz ([EMAIL PROTECTED]) wrote: I'm making no promises, but what would people think of a hostgss hba option? As described, sounds like a win to me. It'd be very nice to be able to just use GSSAPI

Re: [HACKERS] Plans for 8.4

What's the time frame for 8.4? I'm making no promises, but what would people think of a hostgss hba option? Using it would imply the gssapi/sspi authentication option. It would be mutually exclusive of the ssl link-encryption option. It would support strong encryption of the whole

Re: [HACKERS] 8.3 GSS Issues

On Oct 27, 2007, at 1:36 AM, Magnus Hagander wrote: If this isn't fixed then PG will never be a supported infrastructure service at JPL the way MySQL currently is. I had hoped to use the GSSAPI support as a feature to pry some people away from MySQL, but without the ability to integrate into

Re: [HACKERS] 8.3 GSS Issues

On Oct 26, 2007, at 12:56 AM, Magnus Hagander wrote: On Thu, Oct 25, 2007 at 05:39:37PM -0700, Henry B. Hotz wrote: On Oct 25, 2007, at 3:27 PM, Stephen Frost wrote: * Henry B. Hotz ([EMAIL PROTECTED]) wrote: What you're asking for is basically a krb_match_realm parameter, or do I

Re: [HACKERS] 8.3 GSS Issues

On Oct 25, 2007, at 10:22 AM, Tom Lane wrote: Magnus Hagander [EMAIL PROTECTED] writes: On Fri, Oct 19, 2007 at 04:51:04PM -0700, Henry B. Hotz wrote: There's no way to specify the gssapi library to use. I have three on my main development Sun: MIT, Sun, and Heimdal. I might have more

Re: [HACKERS] 8.3 GSS Issues

On Oct 25, 2007, at 1:47 AM, Magnus Hagander wrote: On Fri, Oct 19, 2007 at 04:51:04PM -0700, Henry B. Hotz wrote: I know I haven't been very active for a while here, but I just got to testing the October 3 version a bit prior to getting back to the Java GSS client stuff I promised

Re: [HACKERS] 8.3 GSS Issues

On Oct 25, 2007, at 3:27 PM, Stephen Frost wrote: * Henry B. Hotz ([EMAIL PROTECTED]) wrote: What the krb5 method does is IMO a documented bug. The realm name is part of the name. As I explained at some length you cannot assume the username (first component of the principal) has any

[HACKERS] 8.3 GSS Issues

I know I haven't been very active for a while here, but I just got to testing the October 3 version a bit prior to getting back to the Java GSS client stuff I promised. There seem to be some funny things there. The only serious issue is that the server doesn't require the realm name to

Re: [HACKERS] GSSAPI patch

be of course, but the standard defines the protocol), but I'm sure headers and libraries could be in different places and have different names. Actually testing the authentication itself is of course a bonus :-) I've only tested it against Active Directory, but IIRC Henry has used a Unix based

Re: [HACKERS] Fwd: [PATCHES] Preliminary GSSAPI Patches

On May 2, 2007, at 3:11 AM, Magnus Hagander wrote: As to the question of GSSAPI vs SSL, I would never argue we don't want both. Part of what made the GSSAPI encryption mods difficult was my intent to insert them above the SSL encryption/buffering layer. That way you could double-encrypt the

Re: [HACKERS] Fwd: [PATCHES] Preliminary GSSAPI Patches

On May 1, 2007, at 1:16 AM, Magnus Hagander wrote: Henry B. Hotz wrote: OK, so posted. ;-) snip Would you like a new version of the patch with the incomplete functionality commented out (or otherwise removed)? Yes please :-) I was going to try to do one of those myself, but since you

Re: [HACKERS] Fwd: [PATCHES] Preliminary GSSAPI Patches

On May 1, 2007, at 1:33 PM, Tom Lane wrote: Magnus Hagander [EMAIL PROTECTED] writes: I would call them gss and gss-sec. Or possibly gss-enc. I think that's a lot more clear than gss-np (something ending with -sec is a giveaway) +1 If we settle on gss-np and gss-sec is that a good

Re: [HACKERS] Fwd: [PATCHES] Preliminary GSSAPI Patches

On May 1, 2007, at 2:30 PM, Magnus Hagander wrote: Henry B. Hotz wrote: On May 1, 2007, at 1:33 PM, Tom Lane wrote: Magnus Hagander [EMAIL PROTECTED] writes: I would call them gss and gss-sec. Or possibly gss-enc. I think that's a lot more clear than gss-np (something ending with - sec

Re: [HACKERS] Fwd: [PATCHES] Preliminary GSSAPI Patches

On May 1, 2007, at 1:32 PM, Tom Lane wrote: Stefan Kaltenbrunner [EMAIL PROTECTED] writes: Josh Berkus wrote: For now, yes. In the long run, we want to provide users with other methods of encrypted connections than the rather flaky and not-available-on-every-platform OpenSSL. I'm

Re: [HACKERS] Fwd: [PATCHES] Preliminary GSSAPI Patches

On May 1, 2007, at 3:11 PM, Magnus Hagander wrote: Also, last I checked OpenSSL didn't ship with Windows and Kerberos encryption did. How long ago did you check? I've been using OpenSSL on windows for many years. Actually, it was supported just fine on Windows back when it was added to

[HACKERS] Fwd: [PATCHES] Preliminary GSSAPI Patches

, and they will be using MySQL instead. |-( Given what I've said here, I still feel obligated to provide Java mods, but your timeline will affect mine. Begin forwarded message: From: Bruce Momjian [EMAIL PROTECTED] Date: April 30, 2007 2:22:08 PM PDT To: Henry B. Hotz [EMAIL PROTECTED

Re: [HACKERS] Fwd: [PATCHES] Preliminary GSSAPI Patches

to rip out the existing Kerb5 code. On Apr 30, 2007, at 3:23 PM, Henry B. Hotz wrote: OK, so posted. ;-) To clarify for the larger audience: without the plain gss mechanism, the gss-np mechanism provides exactly the same functionality as the existing krb5 mechanism. It will properly

Re: [HACKERS] Fwd: [PATCHES] Preliminary GSSAPI Patches

that supports the native Kerb5 API that doesn't also support GSSAPI for the simple reason that a Kerberos-only version of GSSAPI has been bundled with both the MIT and Heimdal distributions for as long as I can remember. On Apr 30, 2007, at 4:48 PM, Tom Lane wrote: Henry B. Hotz [EMAIL

Re: [HACKERS] Fwd: [PATCHES] Preliminary GSSAPI Patches

either. On Apr 30, 2007, at 5:56 PM, Tom Lane wrote: Henry B. Hotz [EMAIL PROTECTED] writes: Don't you want to maintain some interoperability between 8.2 client/ server and 8.3 server/client at least? Hm, you mean that what you called a C API change actually break^H^H^H^H^Hchanges

Re: [HACKERS] 5 Weeks till feature freeze or (do you know where your patch is?)

On Feb 23, 2007, at 1:24 PM, Joshua D. Drake wrote: Henry Hotz: GSSAPI (with Magnus) Progressing. Had hoped to have alpha patches by March 1, but I just got handed a proposal that I have to do by then. I trust it's OK to send the first version in next week? No real issues, except I

Re: [HACKERS] [COMMITTERS] pgsql: Update Solaris FAQ.

Would you like a krb5.h file for Solaris 9-10 that will allow you to break into the hidden library? Also S10u4 won't be out until this summer. I'd say the answer is currently no. It's known by Sun that Postgres will compile against their Kerberos libraries though. On Feb 23, 2007, at

Re: [HACKERS] log ssl mode with connections?

Anyone making those kind of decisions probably wants a generic connection is encrypted flag. It could be true if a GSSAPI connection has negotiated use of a security layer. Of course I don't have my GSSAPI patches working as well as the SASL ones were yet, and I haven't started on adding

Re: [HACKERS] 10 weeks to feature freeze (Pending Work)

On Jan 29, 2007, at 9:49 AM, Magnus Hagander wrote: Henry B. Hotz wrote: Henry B. Hotz: GSSAPI authentication method for C (FE/BE) and Java (FE). Magnus Haglander: SSPI (GSSAPI compatible) authentication method for C (FE) on Windows. (That fair Magnus? Or you want to volunteer

Re: [HACKERS] 10 weeks to feature freeze (Pending Work)

places than SASL is. Down side is it doesn't do much that the current Krb5 code doesn't do. Structurally the GSSAPI mods will be very similar to the SASL ones I already did. On Jan 26, 2007, at 7:16 PM, Stephen Frost wrote: * Henry B. Hotz ([EMAIL PROTECTED]) wrote: If anyone

Re: [HACKERS] 10 weeks to feature freeze (Pending Work)

Henry B. Hotz: GSSAPI authentication method for C (FE/BE) and Java (FE). Magnus Haglander: SSPI (GSSAPI compatible) authentication method for C (FE) on Windows. (That fair Magnus? Or you want to volunteer for BE support as well?) GSSAPI isn't much more than a functional replacement

Re: [HACKERS] Design Considerations for New Authentication Methods

On Nov 2, 2006, at 1:18 AM, Magnus Hagander wrote: * Henry B. Hotz ([EMAIL PROTECTED]) wrote: I've been looking at adding SASL or GSSAPI as an auth method. I have some questions about how to handle the flow of control changes. Great! I'd love to see that implemented, personally, so

Re: [HACKERS] Design Considerations for New Authentication Methods

Sorry about the premature send. On Nov 2, 2006, at 1:18 AM, Magnus Hagander wrote: * Henry B. Hotz ([EMAIL PROTECTED]) wrote: I've been looking at adding SASL or GSSAPI as an auth method. I have some questions about how to handle the flow of control changes. Great! I'd love to see

Re: [HACKERS] Design Considerations for New Authentication Methods

On Nov 2, 2006, at 11:04 AM, Martijn van Oosterhout wrote: On Thu, Nov 02, 2006 at 10:45:24AM -0800, Henry B. Hotz wrote: In my case I have good control over the Kerberos infrastructure, but none over the Federal PKI infrastructure. I also want the data channel encryption tied to the client

Re: [HACKERS] Design Considerations for New Authentication Methods

On Nov 2, 2006, at 12:26 PM, Richard Troy wrote: Well, there's simply no need. While I can agree that more could be done, I'm not convinced there's a need because what we have now works fine. Let me support my view by stating first that I perceive that combining the conception of

Re: [HACKERS] Design Considerations for New Authentication Methods

On Oct 31, 2006, at 8:34 PM, Tom Lane wrote: Henry B. Hotz [EMAIL PROTECTED] writes: I notice that all the authentication (pg_fe_sendauth()) is done inside PWConnectPoll(), which sounds like something that isn't expected to block on network access. That's right. Is this behavior important

Re: [HACKERS] Design Considerations for New Authentication Methods

On Nov 1, 2006, at 6:33 AM, Stephen Frost wrote: * Henry B. Hotz ([EMAIL PROTECTED]) wrote: I've been looking at adding SASL or GSSAPI as an auth method. I have some questions about how to handle the flow of control changes. Great! I'd love to see that implemented, personally, so

[HACKERS] Design Considerations for New Authentication Methods

I've been looking at adding SASL or GSSAPI as an auth method. I have some questions about how to handle the flow of control changes. When you do one of the above, an authentication is not (necessarily) a simple one-packet exchange. In fact the exchange may involve trying several

Re: [HACKERS] JAVA Support

On Sep 28, 2006, at 9:35 PM, Tom Lane wrote: Joshua D. Drake [EMAIL PROTECTED] writes: Is there any reason why we haven't built a generic authentication API? Something like PAM, except cross platform? We're database geeks, not security/crypto/authentication geeks. What makes you think we

Re: [HACKERS] JAVA Support

On Sep 29, 2006, at 12:31 AM, Magnus Hagander wrote: However, that doesn't change that some people would like us to support GSSAPI, and there may be some benefit (additional applications, better network authentication, etc.) for doing so. If we can get additional programmers to code the

[HACKERS] JAVA Support

It appears that the JDBC client doesn't include the Kerberos support that the C clients do. So, two questions: 1) Is there an alternative JDBC client that's just a glue layer instead of a complete re-implementation? 2) If I were willing to add a GSSAPI or SASL layer as an alternative to

Re: [HACKERS] JAVA Support

On Sep 28, 2006, at 10:52 AM, Kris Jurka wrote: On Thu, 28 Sep 2006, Henry B. Hotz wrote: It appears that the JDBC client doesn't include the Kerberos support that the C clients do. Java doesn't have accessible Kerberos support. It wraps Kerberos in GSSAPI which requires the server

[HACKERS] Paging Phil Dodderidge

There's an old post from Phil about having GSSAPI support almost working with PostgreSQL. I'd like to ask him about his work, but the email link in the archives doesn't work. The opinions expressed in this message

Re: [HACKERS] JAVA Support

On Sep 28, 2006, at 12:42 PM, Magnus Hagander wrote: 2) If I were willing to add a GSSAPI or SASL layer as an alternative to the bare Krb 5 support would anyone be willing to help with the supporting mods to the pg_hba.conf parsing, and configure? Sure, I can help out with that. I've done a

Re: [HACKERS] JAVA Support

On Sep 28, 2006, at 2:24 PM, Tom Lane wrote: Magnus Hagander [EMAIL PROTECTED] writes: As for the other part - will core accept this - I can't answer that. It would depend in part on the size of the patch, and on whether there are any arguments for supporting GSSAPI besides Java can't do

Re: [HACKERS] JAVA Support

I cc'ed Tom Lockhart because he *used* to be core, and I know where he works. No response expected. On Sep 28, 2006, at 2:11 PM, Magnus Hagander wrote: f) SASL support is available in current Java as well as C. SASL libraries are included (or at least loadable) on MacOS, Solaris 10+, and

Re: [HACKERS] JAVA Support

On Sep 28, 2006, at 3:03 PM, Josh Berkus wrote: Tom, It would depend in part on the size of the patch, and on whether there are any arguments for supporting GSSAPI besides Java can't do Kerberos. What would it buy for a libpq user? According to the Solaris Security engineers, GSSAPI is

Re: [HACKERS] JAVA Support

On Sep 28, 2006, at 3:01 PM, Josh Berkus wrote: Kris, I would if we could get some -hackers buy in on the idea. Adding more and more auth methods is something they're not excited about unless there's a good reason (which I think this is). Actually, I've been trying to get some of the Sun

Re: [HACKERS] Referencing OLD/NEW Rows on Trigger Definition

be appreciated. Henry ---(end of broadcast)--- TIP 8: explain analyze is your friend

[HACKERS] Complex/elaborate user-defined base types

Hi, I am trying to create complex user-defined base types and have some difficulties. I started with the examples (complex, point, path) and I had no problem at all creating similar user-defined types, with fixed or variable length. They perform very good in all my tests (inserts, selects and

Re: [HACKERS] Complex/elaborate user-defined base types

of the de objectTypeOut function), but the type casted getObject() method fails (I tried the type mapping in different ways, but no one seem to work). Thanks in advance for any tip. Jean Jean-Henry Berevoescu wrote: Hi, I am trying to create complex user-defined base types and have some

Re: [HACKERS] Complex/elaborate user-defined base types

out of the de objectTypeOut function), but the type casted getObject() method fails (I tried the type mapping in different ways, but no one seem to work). Thanks in advance for any tip. Jean Jean-Henry Berevoescu wrote: Hi, I am trying to create complex user-defined base types and have some

Re: [HACKERS] [PORTS] [COMMITTERS] pgsql-server/src/template bsdi freebsd

At 10:45 AM -0400 10/9/03, Bruce Momjian wrote: Neil Conway wrote: On Thu, 2003-10-09 at 09:35, Bruce Momjian wrote: I only put back what was already there --- not sure why others don't use it. You want it enabled on Linux? Well, why do we have it enabled at all? If it's to speed

Re: [PORTS] Geometry test on NetBSD (was Re: [HACKERS] RC1?)

At 1:15 AM -0500 11/20/02, Tom Lane wrote: Bruce Momjian [EMAIL PROTECTED] writes: Tom, can you clarify why -0 is valid. The IEEE spec absolutely thinks that -0 and +0 are distinct entities. I don't remember why, at one in the morning ... but if you insist I'm sure that plenty sufficient

Re: [PORTS] Geometry test on NetBSD (was Re: [HACKERS] RC1?)

At 1:51 PM -0500 11/20/02, Tom Lane wrote: Patrick Welche [EMAIL PROTECTED] writes: On Wed, Nov 20, 2002 at 01:21:47PM -0500, Tom Lane wrote: Ah-hah, so it is a version issue --- we could make the resultmap line something like geometry/.*-netbsd1.[0-5]=geometry-positive-zeros

Re: [HACKERS] Re: Call for platforms

At 1:50 AM -0400 4/6/01, Tom Lane wrote: "Henry B. Hotz" [EMAIL PROTECTED] writes: Bottom line: 7.1RC1 passes most of the regression tests on NetBSD/macppc. The only thing that surprised me here was all of the warnings from libreadline calls: tab-complete.c: I

Re: [HACKERS] 7.1 docs

, but the old Makefile is ok. don't know why, if put up there, then you can generate other format without problem. Thanks Regards Laser Henry ---(end of broadcast)--- TIP 6: Have you searched our list archives? http://www.postgresql.org/search.mpl

[HACKERS] Chinese patch for Pgaccess

Hi all: The attachement is the Chinese (GB) patch for PgAccess, don't know if it's correct to post here. It's simple to do the translation, And I've test in 7.0.2 current CVS, seems pretty good. If anyone want this little thing, I'll very happy. use it is very simple, just gunzip it and copy

Re: [HACKERS] Re: [INTERFACES] Re: [GENERAL] Chinese patch for Pgaccess

appropriate. There are several encodings for Chinese including GB(EUC-CN), Big5, EUC-TW. At least we should be able to distinguish them. What about "chinese(GB)" or whatever? Renamed to chinese-gb. I think chinese-gb is ok, thanks! Regards Laser