1
0
mirror of https://github.com/postgres/postgres.git synced 2025-07-27 12:41:57 +03:00

Revert "Add support for Kerberos credential delegation"

This reverts commit 3d4fa227bc.

Per discussion and buildfarm, this depends on APIs that seem to not
be available on at least one platform (NetBSD).  Should be certainly
possible to rework to be optional on that platform if necessary but bit
late for that at this point.

Discussion: https://postgr.es/m/3286097.1680922218@sss.pgh.pa.us
This commit is contained in:
Stephen Frost
2023-04-08 07:21:35 -04:00
parent db4f21e4a3
commit 3d03b24c35
36 changed files with 138 additions and 757 deletions

View File

@ -1190,23 +1190,6 @@ include_dir 'conf.d'
</listitem>
</varlistentry>
<varlistentry id="guc-gss-accept-deleg" xreflabel="gss_accept_deleg">
<term><varname>gss_accept_deleg</varname> (<type>boolean</type>)
<indexterm>
<primary><varname>gss_accept_deleg</varname> configuration parameter</primary>
</indexterm>
</term>
<listitem>
<para>
Sets whether GSSAPI delegation should be accepted from the client.
The default is <literal>off</literal> meaning credentials from the client will
NOT be accepted. Changing this to <literal>on</literal> will make the server
accept credentials delegated to it from the client. This parameter can only be
set in the <filename>postgresql.conf</filename> file or on the server command line.
</para>
</listitem>
</varlistentry>
<varlistentry id="guc-db-user-namespace" xreflabel="db_user_namespace">
<term><varname>db_user_namespace</varname> (<type>boolean</type>)
<indexterm>

View File

@ -117,9 +117,8 @@ dblink_connect(text connname, text connstr) returns text
<para>
Only superusers may use <function>dblink_connect</function> to create
non-password-authenticated and non-GSSAPI-authenticated connections.
If non-superusers need this capability, use
<function>dblink_connect_u</function> instead.
non-password-authenticated connections. If non-superusers need this
capability, use <function>dblink_connect_u</function> instead.
</para>
<para>

View File

@ -2054,18 +2054,6 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
</listitem>
</varlistentry>
<varlistentry id="libpq-connect-gssdeleg" xreflabel="gssdeleg">
<term><literal>gssdeleg</literal></term>
<listitem>
<para>
Forward (delegate) GSS credentials to the server. The default is
<literal>disable</literal> which means credentials will not be forwarded
to the server. Set this to <literal>enable</literal> to have
credentials forwarded when possible.
</para>
</listitem>
</varlistentry>
<varlistentry id="libpq-connect-service" xreflabel="service">
<term><literal>service</literal></term>
<listitem>
@ -2727,25 +2715,6 @@ int PQconnectionUsedPassword(const PGconn *conn);
</para>
</listitem>
</varlistentry>
<varlistentry id="libpq-PQconnectionUsedGSSAPI">
<term><function>PQconnectionUsedGSSAPI</function><indexterm><primary>PQconnectionUsedGSSAPI</primary></indexterm></term>
<listitem>
<para>
Returns true (1) if the connection authentication method
used GSSAPI. Returns false (0) if not.
<synopsis>
int PQconnectionUsedGSSAPI(const PGconn *conn);
</synopsis>
</para>
<para>
This function can be applied to detect whether the connection was
authenticated with GSSAPI.
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
@ -8268,16 +8237,6 @@ myEventProc(PGEventId evtId, void *evtInfo, void *passThrough)
</para>
</listitem>
<listitem>
<para>
<indexterm>
<primary><envar>PGGSSDELEG</envar></primary>
</indexterm>
<envar>PGGSSDELEG</envar> behaves the same as the <xref
linkend="libpq-connect-gssdeleg"/> connection parameter.
</para>
</listitem>
<listitem>
<para>
<indexterm>

View File

@ -3573,15 +3573,6 @@ SELECT pid, wait_event_type, wait_event FROM pg_stat_activity WHERE wait_event i
True if GSSAPI encryption is in use on this connection
</para></entry>
</row>
<row>
<entry role="catalog_table_entry"><para role="column_definition">
<structfield>credentials_delegated</structfield> <type>boolean</type>
</para>
<para>
True if GSSAPI credentials were delegated on this connection.
</para></entry>
</row>
</tbody>
</tgroup>
</table>

View File

@ -169,10 +169,9 @@
<literal>sslcert</literal> or <literal>sslkey</literal> settings.
</para>
<para>
Non-superusers may connect to foreign servers using password
authentication or with GSSAPI delegated credentials, so specify the
<literal>password</literal> option for user mappings belonging to
non-superusers where password authentication is required.
Only superusers may connect to foreign servers without password
authentication, so always specify the <literal>password</literal> option
for user mappings belonging to non-superusers.
</para>
<para>
A superuser may override this check on a per-user-mapping basis by setting