Greetings,

* Michael Paquier (mich...@paquier.xyz) wrote:
> On Mon, Apr 15, 2019 at 08:24:52AM -0400, Stephen Frost wrote:
> > The tests are really fast enough with one KDC that I don't think it
> > makes sense to have two independent tests.
>
> Perhaps you should add a comment about the need of unicity at the top
> of 001_auth.pl with a short description of the test?

I added some comments there that I think explain why it makes sense to
have just one test file there.

> > Please find attached a patch which updates the protocol.sgml docs that
> > Michael mentioned before, and merges the tests into one test file (while
> > adding in some additional tests to make sure that the server also agrees
> > with what our expectations are, using the pg_stat_gssapi view).
>
> Thanks for addressing all that feedback. Parallel runs look more
> stable on my side. At least it seems that I can re-enable it safely.

Great, glad to hear it.

> > I'll push this soon unless there are concerns. If you get a chance to
> > test the patch out, that would be great. It's working happily for me
> > locally.
>
> + calling gss_init_sec_context() in a loop and sending the result to the
> Some markups should be added here for all function names. Not all the
> clients use C either, so you may want to say "or equivalent"?

I added the markups for function names along with a sentence fragment
saying that the functions referenced are the C GSSAPI bindings, and that
equivalents can be used.

> +test_access($node, 'test1', 'SELECT gss_authenticated AND encrypted
> from pg_stat_gssapi where pid = pg_backend_pid();', 0, '', 'succeeds
> with mapping with default gssencmode and host hba');
> +test_access($node, "test1", 'SELECT gss_authenticated AND encrypted
> from pg_stat_gssapi where pid = pg_backend_pid();', 0,
> "gssencmode=prefer", "succeeds with GSS-encrypted access preferred
> with host hba");
> +test_access($node, "test1", 'SELECT gss_authenticated AND encrypted
> from pg_stat_gssapi where pid = pg_backend_pid();', 0,
> "gssencmode=require", "succeeds with GSS-encrypted access required
> with host hba");
> If you could rework a bit the indentation of the new code added in
> kerberos/t/001_auth.pl that would be nice. I am afraid that the
> current format makes debugging harder than necessary.

I ran perltidy on it, sorry, should have done that before.

> +$node->append_conf('pg_hba.conf',
> + qq{hostgssenc all all $hostaddr/32 gss map=mymap});
> +$node->restart;
> A reload should be enough but not race-condition free, which is why a
> set of restarts is done in this test right? (I have noticed that it
> is done this way since the beginning.)

Right, we want this to be a restart as Peter mentions downthread.

I've now pushed these changes and will mark the open item as addressed.

Thanks!

Stephen
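
Review bot: the three test_access calls quoted from kerberos/t/001_auth.pl repeat the same pg_stat_gssapi query string verbatim and mix quoting styles ('test1' in the first call, "test1" in the other two). Suggest holding the query in one variable and using a single quoting style, so a later change to the query cannot leave the default, prefer and require cases checking different things.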
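
Review bot: in the quoted hunk that appends the hostgssenc line to pg_hba.conf and restarts, every test_access case visible in this thread is described as succeeding. Suggest also having a case with gssencmode=disable that is expected to fail under the hostgssenc entry, so the test shows that the rule rejects unencrypted connections and not only that encrypted ones are accepted; the excerpt quoted here does not show whether the patch already contains one.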