From a2eb99a01e015a76682911ae3980762f6ee6ac8c Mon Sep 17 00:00:00 2001
From: Tom Lane
Date: Sun, 21 May 2023 10:55:18 -0400
Subject: [PATCH] Expand some more uses of "deleg" to "delegation" or "delegated".

Complete the task begun in 9c0a0e2ed: we don't want to use the abbreviation "deleg" for GSS delegation in any user-visible places. (For consistency, this also changes most internal uses too.)

Abhijit Menon-Sen and Tom Lane

Discussion: https://postgr.es/m/949048.1684639317@sss.pgh.pa.us
---
 .../postgres_fdw/expected/postgres_fdw.out | 2 +-
 contrib/postgres_fdw/option.c | 6 +-
 contrib/postgres_fdw/sql/postgres_fdw.sql | 2 +-
 doc/src/sgml/libpq.sgml | 10 +--
 src/backend/catalog/system_views.sql | 2 +-
 src/backend/foreign/foreign.c | 2 +-
 src/backend/utils/init/postinit.c | 4 +-
 src/include/catalog/catversion.h | 2 +-
 src/include/catalog/pg_proc.dat | 2 +-
 src/interfaces/libpq/fe-auth.c | 2 +-
 src/interfaces/libpq/fe-connect.c | 6 +-
 src/interfaces/libpq/fe-secure-gssapi.c | 12 +--
 src/interfaces/libpq/libpq-int.h | 2 +-
 src/test/kerberos/README | 2 +
 src/test/kerberos/t/001_auth.pl | 76 +++++++++----------
 src/test/regress/expected/rules.out | 10 +--
 16 files changed, 72 insertions(+), 70 deletions(-)

diff --git a/contrib/postgres_fdw/expected/postgres_fdw.out b/contrib/postgres_fdw/expected/postgres_fdw.out
index 826baac9f18..c8c4614b547 100644
--- a/contrib/postgres_fdw/expected/postgres_fdw.out
+++ b/contrib/postgres_fdw/expected/postgres_fdw.out
@@ -172,7 +172,7 @@ ALTER SERVER testserver1 OPTIONS (
 --requirepeer 'value',
 krbsrvname 'value',
 gsslib 'value',
- gssdeleg 'value'
+ gssdelegation 'value'
 --replication 'value'
 );
 -- Error, invalid list syntax
diff --git a/contrib/postgres_fdw/option.c b/contrib/postgres_fdw/option.c
index fe40d50c6dd..8c822f4ef90 100644
--- a/contrib/postgres_fdw/option.c
+++ b/contrib/postgres_fdw/option.c
@@ -289,10 +289,10 @@ InitPgFdwOptions(void)
 {"sslkey", UserMappingRelationId, true},
 /*
- * gssdeleg is also a libpq option but should be allowed in a user
- * mapping context too
+ * gssdelegation is also a libpq option but should be allowed in a
+ * user mapping context too
 */
- {"gssdeleg", UserMappingRelationId, true},
+ {"gssdelegation", UserMappingRelationId, true},
 {NULL, InvalidOid, false}
 };
diff --git a/contrib/postgres_fdw/sql/postgres_fdw.sql b/contrib/postgres_fdw/sql/postgres_fdw.sql
index 15f3af6c293..b54903ad8fa 100644
--- a/contrib/postgres_fdw/sql/postgres_fdw.sql
+++ b/contrib/postgres_fdw/sql/postgres_fdw.sql
@@ -186,7 +186,7 @@ ALTER SERVER testserver1 OPTIONS (
 --requirepeer 'value',
 krbsrvname 'value',
 gsslib 'value',
- gssdeleg 'value'
+ gssdelegation 'value'
 --replication 'value'
 );
diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index cce25d06e69..e38a7debc35 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -2054,8 +2054,8 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname - - gssdeleg + + gssdelegation Forward (delegate) GSS credentials to the server. The default is
@@ -8271,10 +8271,10 @@ myEventProc(PGEventId evtId, void *evtInfo, void *passThrough) - PGGSSDELEG + PGGSSDELEGATION - PGGSSDELEG behaves the same as the connection parameter. + PGGSSDELEGATION behaves the same as the connection parameter.
diff --git a/src/backend/catalog/system_views.sql b/src/backend/catalog/system_views.sql
index d0c932ad0e3..c18fea8362d 100644
--- a/src/backend/catalog/system_views.sql
+++ b/src/backend/catalog/system_views.sql
@@ -980,7 +980,7 @@ CREATE VIEW pg_stat_gssapi AS
 S.gss_auth AS gss_authenticated,
 S.gss_princ AS principal,
 S.gss_enc AS encrypted,
- S.gss_deleg AS credentials_delegated
+ S.gss_delegation AS credentials_delegated
 FROM pg_stat_get_activity(NULL) AS S
 WHERE S.client_port IS NOT NULL;
diff --git a/src/backend/foreign/foreign.c b/src/backend/foreign/foreign.c
index 6e1977fa620..ca3ad55b628 100644
--- a/src/backend/foreign/foreign.c
+++ b/src/backend/foreign/foreign.c
@@ -574,7 +574,7 @@ static const struct ConnectionOption libpq_conninfo_options[] = {
 {"requiressl", ForeignServerRelationId},
 {"sslmode", ForeignServerRelationId},
 {"gsslib", ForeignServerRelationId},
- {"gssdeleg", ForeignServerRelationId},
+ {"gssdelegation", ForeignServerRelationId},
 {NULL, InvalidOid}
 };
diff --git a/src/backend/utils/init/postinit.c b/src/backend/utils/init/postinit.c
index 3359b34f527..6856ed99e7d 100644
--- a/src/backend/utils/init/postinit.c
+++ b/src/backend/utils/init/postinit.c
@@ -282,14 +282,14 @@ PerformAuthentication(Port *port)
 if (princ)
 appendStringInfo(&logmsg,
- _(" GSS (authenticated=%s, encrypted=%s, deleg_credentials=%s, principal=%s)"),
+ _(" GSS (authenticated=%s, encrypted=%s, delegated_credentials=%s, principal=%s)"),
 be_gssapi_get_auth(port) ? _("yes") : _("no"),
 be_gssapi_get_enc(port) ? _("yes") : _("no"),
 be_gssapi_get_delegation(port) ? _("yes") : _("no"),
 princ);
 else
 appendStringInfo(&logmsg,
- _(" GSS (authenticated=%s, encrypted=%s, deleg_credentials=%s)"),
+ _(" GSS (authenticated=%s, encrypted=%s, delegated_credentials=%s)"),
 be_gssapi_get_auth(port) ? _("yes") : _("no"),
 be_gssapi_get_enc(port) ? _("yes") : _("no"),
 be_gssapi_get_delegation(port) ? _("yes") : _("no"));
diff --git a/src/include/catalog/catversion.h b/src/include/catalog/catversion.h
index 2ced5832247..c784937a0eb 100644
--- a/src/include/catalog/catversion.h
+++ b/src/include/catalog/catversion.h
@@ -57,6 +57,6 @@
 */
 /* yyyymmddN */
-#define CATALOG_VERSION_NO 202305191
+#define CATALOG_VERSION_NO 202305211
 #endif
diff --git a/src/include/catalog/pg_proc.dat b/src/include/catalog/pg_proc.dat
index 2e0f9f2b5ca..6996073989a 100644
--- a/src/include/catalog/pg_proc.dat
+++ b/src/include/catalog/pg_proc.dat
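Review bot: In src/backend/utils/init/postinit.c, both `appendStringInfo` format strings in PerformAuthentication change the key on the "connection authorized" log line from `deleg_credentials=` to `delegated_credentials=`, and the commit message does not single this out as a log-format change. Log parsers and alerting rules that match the old key to track credential delegation would presumably stop matching without any error, so the rename deserves an explicit mention for operators, for example in the release notes. Since the exact text is also asserted in src/test/kerberos/t/001_auth.pl, a comment above the two calls such as `/* key names are matched verbatim by src/test/kerberos/t/001_auth.pl */` would help keep them aligned. PerformAuthentication's body starts and ends outside the hunk.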
@@ -5415,7 +5415,7 @@
 prorettype => 'record', proargtypes => 'int4',
 proallargtypes => '{int4,oid,int4,oid,text,text,text,text,text,timestamptz,timestamptz,timestamptz,timestamptz,inet,text,int4,xid,xid,text,bool,text,text,int4,text,numeric,text,bool,text,bool,bool,int4,int8}',
 proargmodes => '{i,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o}',
- proargnames => '{pid,datid,pid,usesysid,application_name,state,query,wait_event_type,wait_event,xact_start,query_start,backend_start,state_change,client_addr,client_hostname,client_port,backend_xid,backend_xmin,backend_type,ssl,sslversion,sslcipher,sslbits,ssl_client_dn,ssl_client_serial,ssl_issuer_dn,gss_auth,gss_princ,gss_enc,gss_deleg,leader_pid,query_id}',
+ proargnames => '{pid,datid,pid,usesysid,application_name,state,query,wait_event_type,wait_event,xact_start,query_start,backend_start,state_change,client_addr,client_hostname,client_port,backend_xid,backend_xmin,backend_type,ssl,sslversion,sslcipher,sslbits,ssl_client_dn,ssl_client_serial,ssl_issuer_dn,gss_auth,gss_princ,gss_enc,gss_delegation,leader_pid,query_id}',
 prosrc => 'pg_stat_get_activity' },
 { oid => '3318',
 descr => 'statistics: information about progress of backends running maintenance command',
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index 0dc31988b47..de0e13e50d1 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -97,7 +97,7 @@ pg_GSS_continue(PGconn *conn, int payloadlen)
 if (!pg_GSS_have_cred_cache(&conn->gcred))
 conn->gcred = GSS_C_NO_CREDENTIAL;
- if (conn->gssdeleg && pg_strcasecmp(conn->gssdeleg, "enable") == 0)
+ if (conn->gssdelegation && pg_strcasecmp(conn->gssdelegation, "enable") == 0)
 gss_flags |= GSS_C_DELEG_FLAG;
 maj_stat = gss_init_sec_context(&min_stat,
diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
index 30486c59ba9..786d22a7706 100644
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
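Review bot: In src/interfaces/libpq/fe-auth.c, pg_GSS_continue sets `GSS_C_DELEG_FLAG` whenever `gssdelegation` equals "enable", even on the path where `conn->gcred` has just been reset to `GSS_C_NO_CREDENTIAL`, while the matching block in pqsecure_open_gss (fe-secure-gssapi.c, later in this patch) sets the flag only when `conn->gcred != GSS_C_NO_CREDENTIAL`. If the difference is intended, a comment here should say so, along the lines of `/* unlike pqsecure_open_gss, request delegation even without an explicit credential handle */`; otherwise both sites should share one helper so the predicate cannot drift. Both sites also treat any value other than "enable" as off, with no validation visible in these hunks, which fails closed but hides a mistyped setting. The function body extends outside the hunk.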
@@ -343,9 +343,9 @@ static const internalPQconninfoOption PQconninfoOptions[] = {
 "GSS-library", "", 7, /* sizeof("gssapi") == 7 */
 offsetof(struct pg_conn, gsslib)},
- {"gssdeleg", "PGGSSDELEG", NULL, NULL,
+ {"gssdelegation", "PGGSSDELEGATION", NULL, NULL,
 "GSS-delegation", "", 8, /* sizeof("disable") == 8 */
- offsetof(struct pg_conn, gssdeleg)},
+ offsetof(struct pg_conn, gssdelegation)},
 {"replication", NULL, NULL, NULL,
 "Replication", "D", 5,
@@ -4453,7 +4453,7 @@ freePGconn(PGconn *conn)
 free(conn->gssencmode);
 free(conn->krbsrvname);
 free(conn->gsslib);
- free(conn->gssdeleg);
+ free(conn->gssdelegation);
 free(conn->connip);
 /* Note that conn->Pfdebug is not ours to close or free */
 free(conn->write_err_msg);
diff --git a/src/interfaces/libpq/fe-secure-gssapi.c b/src/interfaces/libpq/fe-secure-gssapi.c
index 3b2d0fd1401..c77d5cfe9f5 100644
--- a/src/interfaces/libpq/fe-secure-gssapi.c
+++ b/src/interfaces/libpq/fe-secure-gssapi.c
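Review bot: The PQconninfoOptions entry in src/interfaces/libpq/fe-connect.c replaces the environment variable name `PGGSSDELEG` with `PGGSSDELEGATION` and keeps no entry for the old name, so an environment that still exports `PGGSSDELEG=enable` would presumably be ignored without a warning. That leaves delegation off, which is the safe direction, but connections that rely on forwarded credentials (the dblink and postgres_fdw cases in 001_auth.pl) would then fail at authentication with no hint that the variable was renamed. I would record the old names on the entry, e.g. `/* formerly gssdeleg / PGGSSDELEG; no compatibility alias is kept */`, and state the rename of both the keyword and the variable in the release notes. The array initializer continues outside the hunk.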
@@ -622,18 +622,18 @@ pqsecure_open_gss(PGconn *conn)
 if (ret != STATUS_OK)
 return PGRES_POLLING_FAILED;
- if (conn->gssdeleg && pg_strcasecmp(conn->gssdeleg, "enable") == 0)
+ if (conn->gssdelegation && pg_strcasecmp(conn->gssdelegation, "enable") == 0)
 {
 /* Acquire credentials if possible */
 if (conn->gcred == GSS_C_NO_CREDENTIAL)
 (void) pg_GSS_have_cred_cache(&conn->gcred);
 /*
- * We have credentials and gssdeleg is enabled, so request credential
- * delegation. This may or may not actually result in credentials
- * being delegated- it depends on if the forwardable flag has been set
- * in the credential and if the server is configured to accept
- * delegated credentials.
+ * We have credentials and gssdelegation is enabled, so request
+ * credential delegation. This may or may not actually result in
+ * credentials being delegated- it depends on if the forwardable flag
+ * has been set in the credential and if the server is configured to
+ * accept delegated credentials.
 */
 if (conn->gcred != GSS_C_NO_CREDENTIAL)
 gss_flags |= GSS_C_DELEG_FLAG;
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index e985b57cb5a..f1854f9919c 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -404,7 +404,7 @@ struct pg_conn
 char *krbsrvname; /* Kerberos service name */
 char *gsslib; /* What GSS library to use ("gssapi" or
 * "sspi") */
- char *gssdeleg; /* Try to delegate GSS credentials? */
+ char *gssdelegation; /* Try to delegate GSS credentials? */
 char *ssl_min_protocol_version; /* minimum TLS protocol version */
 char *ssl_max_protocol_version; /* maximum TLS protocol version */
 char *target_session_attrs; /* desired session properties */
diff --git a/src/test/kerberos/README b/src/test/kerberos/README
index 72ae519dea7..a048d442afc 100644
--- a/src/test/kerberos/README
+++ b/src/test/kerberos/README
@@ -19,6 +19,8 @@ Running the tests ================= NOTE: You must have given the --enable-tap-tests argument to configure. +Also, to use "make installcheck", you must have built and installed +contrib/dblink and contrib/postgres_fdw in addition to the core code. Run make check PG_TEST_EXTRA=kerberos diff --git a/src/test/kerberos/t/001_auth.pl b/src/test/kerberos/t/001_auth.pl index 5aff49a5131..bff26fda0c9 100644 --- a/src/test/kerberos/t/001_auth.pl +++ b/src/test/kerberos/t/001_auth.pl @@ -351,7 +351,7 @@ test_access( '', 'succeeds with mapping with default gssencmode and host hba, ticket not forwardable', "connection authenticated: identity=\"test1\@$realm\" method=gss", - "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=no, principal=test1\@$realm)" + "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)" ); test_access( @@ -362,7 +362,7 @@ test_access( 'gssencmode=prefer', 'succeeds with GSS-encrypted access preferred with host hba, ticket not forwardable', "connection authenticated: identity=\"test1\@$realm\" method=gss", - "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=no, principal=test1\@$realm)" + "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)" ); test_access( 
@@ -373,7 +373,7 @@ test_access( 'gssencmode=require', 'succeeds with GSS-encrypted access required with host hba, ticket not forwardable', "connection authenticated: identity=\"test1\@$realm\" method=gss", - "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=no, principal=test1\@$realm)" + "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)" ); test_access( 
@@ -381,20 +381,20 @@ test_access( 'test1', 'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();', 0, - 'gssencmode=prefer gssdeleg=enable', + 'gssencmode=prefer gssdelegation=enable', 'succeeds with GSS-encrypted access preferred with host hba and credentials not delegated even though asked for (ticket not forwardable)', "connection authenticated: identity=\"test1\@$realm\" method=gss", - "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=no, principal=test1\@$realm)" + "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)" ); test_access( $node, 'test1', 'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();', 0, - 'gssencmode=require gssdeleg=enable', + 'gssencmode=require gssdelegation=enable', 'succeeds with GSS-encrypted access required with host hba and credentials not delegated even though asked for (ticket not forwardable)', "connection authenticated: identity=\"test1\@$realm\" method=gss", - "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=no, principal=test1\@$realm)" + "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)" ); 
@@ -480,20 +480,20 @@ test_access( 'test1', 'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();', 0, - 'gssencmode=prefer gssdeleg=enable', + 'gssencmode=prefer gssdelegation=enable', 'succeeds with GSS-encrypted access preferred and hostgssenc hba and credentials not forwarded (server does not accept them, default)', "connection authenticated: identity=\"test1\@$realm\" method=gss", - "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=no, principal=test1\@$realm)" + "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)" ); test_access( $node, 'test1', 'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();', 0, - 'gssencmode=require gssdeleg=enable', + 'gssencmode=require gssdelegation=enable', 'succeeds with GSS-encrypted access required and hostgssenc hba and credentials not forwarded (server does not accept them, default)', "connection authenticated: identity=\"test1\@$realm\" method=gss", - "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=no, principal=test1\@$realm)" + "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)" ); $node->append_conf('postgresql.conf', qq{gss_accept_delegation=off}); 
@@ -504,20 +504,20 @@ test_access( 'test1', 'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();', 0, - 'gssencmode=prefer gssdeleg=enable', + 'gssencmode=prefer gssdelegation=enable', 'succeeds with GSS-encrypted access preferred and hostgssenc hba and credentials not forwarded (server does not accept them, explicitly disabled)', "connection authenticated: identity=\"test1\@$realm\" method=gss", - "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=no, principal=test1\@$realm)" + "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)" ); test_access( $node, 'test1', 'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();', 0, - 'gssencmode=require gssdeleg=enable', + 'gssencmode=require gssdelegation=enable', 'succeeds with GSS-encrypted access required and hostgssenc hba and credentials not forwarded (server does not accept them, explicitly disabled)', "connection authenticated: identity=\"test1\@$realm\" method=gss", - "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=no, principal=test1\@$realm)" + "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)" ); $node->append_conf('postgresql.conf', qq{gss_accept_delegation=on}); 
@@ -528,20 +528,20 @@ test_access( 'test1', 'SELECT gss_authenticated AND encrypted AND credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();', 0, - 'gssencmode=prefer gssdeleg=enable', + 'gssencmode=prefer gssdelegation=enable', 'succeeds with GSS-encrypted access preferred and hostgssenc hba and credentials forwarded', "connection authenticated: identity=\"test1\@$realm\" method=gss", - "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=yes, principal=test1\@$realm)" + "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=yes, principal=test1\@$realm)" ); test_access( $node, 'test1', 'SELECT gss_authenticated AND encrypted AND credentials_delegated from pg_stat_gssapi where pid = pg_backend_pid();', 0, - 'gssencmode=require gssdeleg=enable', + 'gssencmode=require gssdelegation=enable', 'succeeds with GSS-encrypted access required and hostgssenc hba and credentials forwarded', "connection authenticated: identity=\"test1\@$realm\" method=gss", - "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=yes, principal=test1\@$realm)" + "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=yes, principal=test1\@$realm)" ); test_access( $node, 
@@ -551,17 +551,17 @@ test_access( 'gssencmode=prefer', 'succeeds with GSS-encrypted access preferred and hostgssenc hba and credentials not forwarded', "connection authenticated: identity=\"test1\@$realm\" method=gss", - "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=no, principal=test1\@$realm)" + "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)" ); test_access( $node, 'test1', 'SELECT gss_authenticated AND encrypted AND NOT credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();', 0, - 'gssencmode=require gssdeleg=disable', + 'gssencmode=require gssdelegation=disable', 'succeeds with GSS-encrypted access required and hostgssenc hba and credentials explicitly not forwarded', "connection authenticated: identity=\"test1\@$realm\" method=gss", - "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=no, principal=test1\@$realm)" + "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=no, principal=test1\@$realm)" ); my $psql_out = ''; @@ -572,7 +572,7 @@ $psql_rc = $node->psql( 'postgres', "SELECT * FROM dblink('user=test1 dbname=$dbname host=$host hostaddr=$hostaddr port=$port','select 1') as t1(c1 int);", connstr => - "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdeleg=disable", + "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=disable", stdout => \$psql_out, stderr => \$psql_stderr); is($psql_rc, '3', 'dblink attempt fails without delegated credentials'); 
@@ -589,7 +589,7 @@ $psql_rc = $node->psql( 'postgres', "SELECT * FROM dblink('user=test2 dbname=$dbname port=$port passfile=$pgpass','select 1') as t1(c1 int);", connstr => - "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdeleg=disable", + "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=disable", stdout => \$psql_out, stderr => \$psql_stderr); is($psql_rc, '3', @@ -608,7 +608,7 @@ $psql_rc = $node->psql( 'postgres', "TABLE tf1;", connstr => - "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdeleg=disable", + "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=disable", stdout => \$psql_out, stderr => \$psql_stderr); is($psql_rc, '3', 'postgres_fdw does not work without delegated credentials'); @@ -626,7 +626,7 @@ $psql_rc = $node->psql( 'postgres', "TABLE tf2;", connstr => - "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdeleg=disable", + "user=test1 host=$host hostaddr=$hostaddr gssencmode=require gssdelegation=disable", stdout => \$psql_out, stderr => \$psql_stderr); is($psql_rc, '3', @@ -668,10 +668,10 @@ test_access( 'test1', 'SELECT gss_authenticated AND NOT encrypted AND credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();', 0, - 'gssencmode=prefer gssdeleg=enable', + 'gssencmode=prefer gssdelegation=enable', 'succeeds with GSS-encrypted access preferred and hostnogssenc hba, but no encryption', "connection authenticated: identity=\"test1\@$realm\" method=gss", - "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=no, deleg_credentials=yes, principal=test1\@$realm)" + "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=no, delegated_credentials=yes, principal=test1\@$realm)" ); test_access($node, 'test1', 'SELECT true', 2, 'gssencmode=require', 'fails with GSS-encrypted access required and hostnogssenc hba'); 
@@ -680,10 +680,10 @@ test_access( 'test1', 'SELECT gss_authenticated AND NOT encrypted AND credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();', 0, - 'gssencmode=disable gssdeleg=enable', + 'gssencmode=disable gssdelegation=enable', 'succeeds with GSS encryption disabled and hostnogssenc hba', "connection authenticated: identity=\"test1\@$realm\" method=gss", - "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=no, deleg_credentials=yes, principal=test1\@$realm)" + "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=no, delegated_credentials=yes, principal=test1\@$realm)" ); test_query( @@ -691,7 +691,7 @@ test_query( 'test1', "SELECT * FROM dblink('user=test1 dbname=$dbname host=$host hostaddr=$hostaddr port=$port','select 1') as t1(c1 int);", qr/^1$/s, - 'gssencmode=prefer gssdeleg=enable', + 'gssencmode=prefer gssdelegation=enable', 'dblink works not-encrypted (server not configured to accept encrypted GSSAPI connections)' ); @@ -700,7 +700,7 @@ test_query( 'test1', "TABLE tf1;", qr/^1$/s, - 'gssencmode=prefer gssdeleg=enable', + 'gssencmode=prefer gssdelegation=enable', 'postgres_fdw works not-encrypted (server not configured to accept encrypted GSSAPI connections)' ); @@ -711,7 +711,7 @@ $psql_rc = $node->psql( 'postgres', "SELECT * FROM dblink('user=test2 dbname=$dbname port=$port passfile=$pgpass','select 1') as t1(c1 int);", connstr => - "user=test1 host=$host hostaddr=$hostaddr gssencmode=prefer gssdeleg=enable", + "user=test1 host=$host hostaddr=$hostaddr gssencmode=prefer gssdelegation=enable", stdout => \$psql_out, stderr => \$psql_stderr); is($psql_rc, '3', 
@@ -730,7 +730,7 @@ $psql_rc = $node->psql( 'postgres', "TABLE tf2;", connstr => - "user=test1 host=$host hostaddr=$hostaddr gssencmode=prefer gssdeleg=enable", + "user=test1 host=$host hostaddr=$hostaddr gssencmode=prefer gssdelegation=enable", stdout => \$psql_out, stderr => \$psql_stderr); is($psql_rc, '3', @@ -760,10 +760,10 @@ test_access( 'test1', 'SELECT gss_authenticated AND encrypted AND credentials_delegated FROM pg_stat_gssapi WHERE pid = pg_backend_pid();', 0, - 'gssdeleg=enable', + 'gssdelegation=enable', 'succeeds with include_realm=0 and defaults', "connection authenticated: identity=\"test1\@$realm\" method=gss", - "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, deleg_credentials=yes, principal=test1\@$realm)" + "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, delegated_credentials=yes, principal=test1\@$realm)" ); test_query( @@ -771,12 +771,12 @@ test_query( 'test1', "SELECT * FROM dblink('user=test1 dbname=$dbname host=$host hostaddr=$hostaddr port=$port password=1234','select 1') as t1(c1 int);", qr/^1$/s, - 'gssencmode=require gssdeleg=enable', + 'gssencmode=require gssdelegation=enable', 'dblink works encrypted'); test_query( $node, 'test1', "TABLE tf1;", qr/^1$/s, - 'gssencmode=require gssdeleg=enable', + 'gssencmode=require gssdelegation=enable', 'postgres_fdw works encrypted'); # Reset pg_hba.conf, and cause a usermap failure with an authentication diff --git a/src/test/regress/expected/rules.out b/src/test/regress/expected/rules.out index fa9e1bd5e41..7fd81e6a7d0 100644 --- a/src/test/regress/expected/rules.out +++ b/src/test/regress/expected/rules.out 
@@ -1760,7 +1760,7 @@ pg_stat_activity| SELECT s.datid, s.query_id, s.query, s.backend_type - FROM ((pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, gss_deleg, leader_pid, query_id) + FROM ((pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id) LEFT JOIN pg_database d ON ((s.datid = d.oid))) LEFT JOIN pg_authid u ON ((s.usesysid = u.oid))); pg_stat_all_indexes| SELECT c.oid AS relid, 
@@ -1877,8 +1877,8 @@ pg_stat_gssapi| SELECT pid, gss_auth AS gss_authenticated, gss_princ AS principal, gss_enc AS encrypted, - gss_deleg AS credentials_delegated - FROM pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, gss_deleg, leader_pid, query_id) + gss_delegation AS credentials_delegated + FROM pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id) WHERE (client_port IS NOT NULL); pg_stat_io| SELECT backend_type, object, 
@@ -2078,7 +2078,7 @@ pg_stat_replication| SELECT s.pid, w.sync_priority, w.sync_state, w.reply_time - FROM ((pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, gss_deleg, leader_pid, query_id) + FROM ((pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id) JOIN pg_stat_get_wal_senders() w(pid, state, sent_lsn, write_lsn, flush_lsn, replay_lsn, write_lag, flush_lag, replay_lag, sync_priority, sync_state, reply_time) ON ((s.pid = w.pid))) LEFT JOIN pg_authid u ON ((s.usesysid = u.oid))); pg_stat_replication_slots| SELECT s.slot_name, 
@@ -2112,7 +2112,7 @@ pg_stat_ssl| SELECT pid, ssl_client_dn AS client_dn, ssl_client_serial AS client_serial, ssl_issuer_dn AS issuer_dn - FROM pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, gss_deleg, leader_pid, query_id) + FROM pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id) WHERE (client_port IS NOT NULL); pg_stat_subscription| SELECT su.oid AS subid, su.subname,