Re: SYSTEM_USER reserved word implementation
| От | Drouvot, Bertrand |
|---|---|
| Тема | Re: SYSTEM_USER reserved word implementation |
| Дата | |
| Msg-id | 40b4e4d0-d034-ea19-3ec3-1557f498770f@amazon.com обсуждение исходный текст |
| Ответ на | Re: SYSTEM_USER reserved word implementation ("Drouvot, Bertrand" <bdrouvot@amazon.com>) |
| Ответы |
Re: SYSTEM_USER reserved word implementation
|
| Список | pgsql-hackers |
Hi,
On 8/24/22 8:26 PM, Drouvot, Bertrand wrote:
> Hi,
>
> On 8/24/22 6:27 AM, Michael Paquier wrote:
>> On Wed, Aug 17, 2022 at 04:48:42PM +0200, Drouvot, Bertrand wrote:
>>> That way one could test the SYSTEM_USER behavior without the need to
>>> have
>>> kerberos enabled.
>> I was looking at this patch
>
> Thanks for looking at it!
>
>> and noticed that SYSTEM_USER returns a
>> "name", meaning that the value would be automatically truncated at 63
>> characters. We shouldn't imply that as authn_ids can be longer than
>> that, and this issue gets a bit worse once with the auth_method
>> appended to the string.
>
> Good catch! I'll fix that in the next version.
>
> Hmm, I think it would make sense to keep system_user() with his
> friends current_user() and session_user().
>
> But now that system_user() will not return a name anymore (but a
> text), I think name.c is no longer the right place, what do you think?
> (If so, where would you suggest?)
system_user() now returns a text and I moved it to miscinit.c in the new
version attached (I think it makes more sense now).
>
>>
>> +if (!$use_unix_sockets)
>> +{
>> + plan skip_all =>
>> + "authentication tests cannot run without Unix-domain sockets";
>> +}
>>
>> Are you sure that !$use_unix_sockets is safe here? Could we have
>> platforms where we use our port's getpeereid() with $use_unix_sockets
>> works? That would cause the test to fail with ENOSYS. Hmm. Without
>> being able to rely on HAVE_GETPEEREID, we could check for the error
>> generated when the fallback implementation does not work, and skip the
>> rest of the test.
>
> Oh right, I did not think about that, thanks for the suggestion.
>
> I'll change this in the next version and simply skip the rest of the
> test in case we get "peer authentication is not supported on this
> platform".
>
New version attached is also addressing Michael's remark regarding the
peer authentication TAP test.
Regards,
--
Bertrand Drouvot
Amazon Web Services: https://aws.amazon.com
Вложения
В списке pgsql-hackers по дате отправления: