[pgpool-hackers: 3841] Re: Dealing with GSSAPI
Tatsuo Ishii
ishii at sraoss.co.jp
Fri Oct 2 13:55:36 JST 2020
Hi Umar,
> Hi Ishii,
> I didn't share the output earlier, where there is some other pg_hba entry
> available to fall back. It does fall back in that case. Please see psql
> output and log snippet below.
Oh, OK, thanks. It seems the following output falls back to an SSL
connection. Can you confirm it can also fall back to a non-SSL
connection?
> [umarhayat at localhost pgpool2]# psql -U
> "postgres/myrealm.example at MYREALM.EXAMPLE" -h myrealm.example postgres -p
> 9999
> psql (13.0)
> Type "help" for help.
>
> 2020-10-01 07:33:06: pid 21199: DETAIL: Protocol Major: 1234 Minor: 5680
> database: user:
> 2020-10-01 07:33:06: pid 21199: DEBUG: selecting backend connection
> 2020-10-01 07:33:06: pid 21199: DETAIL: GSSAPI request from client
> 2020-10-01 07:33:06: pid 21199: DEBUG: reading startup packet
> 2020-10-01 07:33:06: pid 21199: DETAIL: Protocol Major: 1234 Minor: 5679
> database: � 0 user: � 0
> 2020-10-01 07:33:06: pid 21199: DEBUG: selecting backend connection
> 2020-10-01 07:33:06: pid 21199: DETAIL: SSLRequest from client
> 2020-10-01 07:33:06: pid 21199: DEBUG: reading startup packet
> 2020-10-01 07:33:06: pid 21199: DETAIL: application_name: psql
> 2020-10-01 07:33:06: pid 21199: DEBUG: reading startup packet
> 2020-10-01 07:33:06: pid 21199: DETAIL: Protocol Major: 3 Minor: 0
> database: postgres user: postgres/myrealm.example at MYREALM.EXAMPLE
> 2020-10-01 07:33:06: pid 21199: DEBUG: creating new connection to backend
> 2020-10-01 07:33:06: pid 21199: DETAIL: connecting 0 backend
> 2020-10-01 07:33:06: pid 21199: DEBUG: authentication backend
> 2020-10-01 07:33:06: pid 21199: DETAIL: auth kind:0
>
> Regards
> Umar Hayat
>
>
> On Fri, Oct 2, 2020 at 2:31 AM Tatsuo Ishii <ishii at sraoss.co.jp> wrote:
>
>> Hi Umar,
>>
>> I actually expected that psql connects to Pgpool-II without GSSAPI
>> auth (i.e. fallback to non-GSSAPI auth). In my understanding the
>> default behavior of psql does so because of gssencmode=prefer. Can
>> you please enable pgpool debug log by log_min_messages=debug1 and show
>> the log?
>>
>> > Thank you!
>> >
>> >> Hi Ishii,
>> >>
>> >> I tested your patch and was not able to apply it, so I rebased it. I
>> >> tested it on Pgpool 4.1 and it is working as expected.
>> >>
>> >> - GSSAPI Authentication direct to PG13
>> >> [umarhayat at localhost pgpool2]# psql -U
>> >> "postgres/myrealm.example at MYREALM.EXAMPLE" -h myrealm.example postgres -p 5432
>> >> psql (13.0)
>> >> GSSAPI-encrypted connection
>> >> Type "help" for help.
>> >>
>> >> - GSSAPI Authentication via Pgpool direct to PG13 (before patch)
>> >> postgres=# \q
>> >> [umarhayat at localhost pgpool2]# psql -U
>> >> "postgres/myrealm.example at MYREALM.EXAMPLE" -h myrealm.example postgres -p 9999
>> >> psql: error: could not connect to server: server closed the connection
>> >> unexpectedly
>> >> This probably means the server terminated abnormally
>> >> before or while processing the request.
>> >>
>> >> - GSSAPI Authentication via Pgpool direct to PG13 (after patch)
>> >> [umarhayat at localhost pgpool2]# psql -U
>> >> "postgres/myrealm.example at MYREALM.EXAMPLE" -h myrealm.example postgres -p 9999
>> >> psql: error: could not connect to server: ERROR: failed to authenticate
>> >> with backend
>> >> DETAIL: unsupported auth kind received from backend: authkind:7
>> >>
>> >> Regards
>> >> Umar Hayat
>> >>
>> >> On Wed, Sep 23, 2020 at 8:15 AM Tatsuo Ishii <ishii at sraoss.co.jp> wrote:
>> >>
>> >>> As you might already know, Pgpool-II currently does not support
>> >>> GSSAPI. Until we support it, I think we need to tell frontend that
>> >>> Pgpool-II does not support GSSAPI when frontend requests it. Otherwise
>> >>> frontend will have a confusing message from Pgpool-II.
>> >>>
>> >>> https://www.pgpool.net/pipermail/pgpool-general/2020-September/007353.html
>> >>>
>> >>> Attached patch should do it. I don't have a GSSAPI-enabled frontend and
>> >>> I cannot test it. I would appreciate it if someone tests it out.
>> >>>
>> >>> Best regards,
>> >>> --
>> >>> Tatsuo Ishii
>> >>> SRA OSS, Inc. Japan
>> >>> English: http://www.sraoss.co.jp/index_en.php
>> >>> Japanese:http://www.sraoss.co.jp
>> >>> _______________________________________________
>> >>> pgpool-hackers mailing list
>> >>> pgpool-hackers at pgpool.net
>> >>> http://www.pgpool.net/mailman/listinfo/pgpool-hackers
>> >>>
>>
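
The "Protocol Major: 1234 Minor: 5680 / 5679" lines in the debug log above are PostgreSQL special request codes, not protocol versions; the sketch below classifies a client's first packet and picks the one-byte reply that lets a `gssencmode=prefer` client move on to its next attempt. It is an added example, not code from the patch or from Pgpool-II: the function names, the enum and the sample packets are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* "Major 1234" marks a special request; the minor number selects which one. */
#define PG_SPECIAL_MAJOR 1234u
#define PG_MINOR_CANCEL  5678u
#define PG_MINOR_SSL     5679u   /* logged above as "SSLRequest from client" */
#define PG_MINOR_GSSENC  5680u   /* logged above as "GSSAPI request from client" */

enum first_packet { PKT_INVALID, PKT_STARTUP_V3, PKT_CANCEL, PKT_SSL_REQUEST, PKT_GSSENC_REQUEST };

/* Constructed sample packets: Int32 length, then Int32 request code (big-endian). */
const unsigned char SAMPLE_GSSENC[8] = {0, 0, 0, 8, 0x04, 0xD2, 0x16, 0x30};
const unsigned char SAMPLE_SSL[8]    = {0, 0, 0, 8, 0x04, 0xD2, 0x16, 0x2F};
const unsigned char SAMPLE_V3[9]     = {0, 0, 0, 9, 0x00, 0x03, 0x00, 0x00, 0};

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Classify a complete first packet held in buf[0..n). */
enum first_packet classify_first_packet(const unsigned char *buf, size_t n)
{
    if (n < 8) return PKT_INVALID;
    uint32_t len = be32(buf), code = be32(buf + 4);
    if (len < 8 || len > n) return PKT_INVALID;      /* truncated or bogus length */
    uint32_t major = code >> 16, minor = code & 0xFFFFu;
    if (major == PG_SPECIAL_MAJOR) {
        /* Encryption requests carry no payload: anything but 8 bytes is malformed. */
        if (minor == PG_MINOR_GSSENC && len == 8) return PKT_GSSENC_REQUEST;
        if (minor == PG_MINOR_SSL && len == 8) return PKT_SSL_REQUEST;
        if (minor == PG_MINOR_CANCEL && len == 16) return PKT_CANCEL;
        return PKT_INVALID;
    }
    return major == 3 ? PKT_STARTUP_V3 : PKT_INVALID;
}

/* One-byte answer to an encryption request; 0 means no one-byte answer applies.
 * 'N' declines, and the client may then send another request on the same socket. */
char negotiation_reply(enum first_packet kind, int ssl_enabled)
{
    switch (kind) {
    case PKT_GSSENC_REQUEST: return 'N';              /* proxy without GSSAPI support */
    case PKT_SSL_REQUEST:    return ssl_enabled ? 'S' : 'N';
    default:                 return 0;
    }
}
```

Declining the GSSENCRequest only covers GSSAPI encryption; a backend `pg_hba.conf` entry that demands GSSAPI authentication still answers with auth kind 7 (AuthenticationGSS), which is the error shown in the "after patch" run.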