# Sets up a KDC and then runs a variety of tests to make sure that the
# GSSAPI/Kerberos authentication and encryption are working properly,
# that the options in pg_hba.conf and pg_ident.conf are handled correctly,
# and that the server-side pg_stat_gssapi view reports what we expect to
# see for each test.
#
# Since this requires setting up a full KDC, it doesn't make much sense
# to have multiple test scripts (since they'd have to also create their
# own KDC and that could cause race conditions or other problems), so
# just add whatever other tests are needed here.
#
# See the README for additional information.
|
|
|
|
|
2018-03-05 20:42:11 +01:00
|
|
|
use strict;
|
|
|
|
use warnings;
|
|
|
|
use TestLib;
|
|
|
|
use PostgresNode;
|
|
|
|
use Test::More;
|
2020-12-02 20:41:53 +01:00
|
|
|
use Time::HiRes qw(usleep);
|
2018-03-05 20:42:11 +01:00
|
|
|
|
|
|
|
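# Run the suite only when with_gssapi=yes is present in the environment
# (presumably exported by the build system for GSSAPI-enabled builds).
# An unset variable is handled like any value other than 'yes', without
# tripping an "uninitialized value" warning on the comparison.
if (defined($ENV{with_gssapi}) && $ENV{with_gssapi} eq 'yes')
{
	plan tests => 26;
}
else
{
	plan skip_all => 'GSSAPI/Kerberos not supported by this build';
}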
|
|
|
|
|
|
|
|
# Platform-specific directories in which the Kerberos programs are looked
# for, as [ bin dir, sbin dir ].  An undef entry, or a platform that is not
# listed, leaves the corresponding variable undefined.
my %krb5_dirs_for = (
	darwin  => [ '/usr/local/opt/krb5/bin', '/usr/local/opt/krb5/sbin' ],
	freebsd => [ '/usr/local/bin',          '/usr/local/sbin' ],
	linux   => [ undef,                     '/usr/sbin' ],);

my ($krb5_bin_dir, $krb5_sbin_dir) =
  exists $krb5_dirs_for{$^O} ? @{ $krb5_dirs_for{$^O} } : ();
|
|
|
|
|
2018-04-25 20:00:19 +02:00
|
|
|
# Names of the Kerberos programs this test runs.  They start out as bare
# command names and are given a directory prefix only when the
# platform-specific directory chosen above exists; otherwise the bare name
# is what gets executed (presumably resolved through PATH).
my ($krb5_config, $kinit) = ('krb5-config', 'kinit');
my ($kdb5_util, $kadmin_local, $krb5kdc) =
  ('kdb5_util', 'kadmin.local', 'krb5kdc');

# Client-side programs live in the bin directory.
if ($krb5_bin_dir && -d $krb5_bin_dir)
{
	foreach my $program ($krb5_config, $kinit)
	{
		# $program aliases the variable, so this rewrites it in place.
		$program = "$krb5_bin_dir/$program";
	}
}

# KDC and administration programs live in the sbin directory.
if ($krb5_sbin_dir && -d $krb5_sbin_dir)
{
	foreach my $program ($kdb5_util, $kadmin_local, $krb5kdc)
	{
		$program = "$krb5_sbin_dir/$program";
	}
}
|
|
|
|
|
2018-08-04 05:53:25 +02:00
|
|
|
# Identity of the test service.  $host is the name that goes into the
# service principal; connections pass it together with hostaddr, so the
# name presumably never has to resolve through DNS.
my $host     = 'auth-test-localhost.postgresql.example.com';
my $hostaddr = '127.0.0.1';
my $realm    = 'EXAMPLE.COM';

# Everything the KDC and the Kerberos libraries read or write is kept
# inside the test's own temporary and log directories.
my $krb5_conf   = $TestLib::tmp_check . '/krb5.conf';
my $kdc_conf    = $TestLib::tmp_check . '/kdc.conf';
my $krb5_cache  = $TestLib::tmp_check . '/krb5cc';
my $krb5_log    = $TestLib::log_path . '/krb5libs.log';
my $kdc_log     = $TestLib::log_path . '/krb5kdc.log';
my $kdc_port    = get_free_port();
my $kdc_datadir = $TestLib::tmp_check . '/krb5kdc';
my $kdc_pidfile = $TestLib::tmp_check . '/krb5kdc.pid';
my $keytab      = $TestLib::tmp_check . '/krb5.keytab';

# Values that appear in the "connection authorized" log lines the tests
# match against.
my $dbname      = 'postgres';
my $username    = 'test1';
my $application = '001_auth.pl';
|
|
|
|
|
2018-03-05 20:42:11 +01:00
|
|
|
note "setting up Kerberos";

# Ask krb5-config which Kerberos implementation and release is installed.
# Only MIT krb5 is handled; output that mentions Heimdal aborts the run.
my ($stdout, $krb5_version);
unless (run_log([ $krb5_config, '--version' ], '>', \$stdout))
{
	BAIL_OUT("could not execute krb5-config");
}
if ($stdout =~ m/heimdal/)
{
	BAIL_OUT("Heimdal is not supported");
}

# Keep only "major.minor" of the release number.
if ($stdout =~ m/Kerberos 5 release ([0-9]+\.[0-9]+)/)
{
	$krb5_version = $1;
}
else
{
	BAIL_OUT("could not get Kerberos version");
}
|
|
|
|
|
2018-04-25 20:00:19 +02:00
|
|
|
# Client-side configuration: log to the test's log directory and point the
# realm at the KDC started below on $hostaddr:$kdc_port.
my $krb5_conf_body = qq![logging]
default = FILE:$krb5_log
kdc = FILE:$kdc_log

[libdefaults]
default_realm = $realm

[realms]
$realm = {
kdc = $hostaddr:$kdc_port
}!;
append_to_file($krb5_conf, $krb5_conf_body);

# KDC-side configuration starts with the [kdcdefaults] section header; the
# listen settings and the realm section are appended after it.
my $kdc_defaults_header = qq![kdcdefaults]
!;
append_to_file($kdc_conf, $kdc_defaults_header);
|
2018-04-25 20:00:19 +02:00
|
|
|
|
2018-03-05 20:42:11 +01:00
|
|
|
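# For new-enough versions of krb5, use the _listen settings rather
# than the _ports settings so that we can bind to localhost only.
#
# $krb5_version is a "major.minor" string.  Compare the two parts as
# integers: treating the whole string as a decimal number would rank
# release 1.9 above 1.15 and hand the _listen settings to a KDC that is
# too old for them.
#
# NOTE(review): the _ports fallback carries no listen address, so on such
# hosts the test KDC is presumably not restricted to $hostaddr.
my ($krb5_major, $krb5_minor) = split(/\./, $krb5_version);
if ($krb5_major > 1 || ($krb5_major == 1 && $krb5_minor >= 15))
{
	append_to_file(
		$kdc_conf,
		qq!kdc_listen = $hostaddr:$kdc_port
kdc_tcp_listen = $hostaddr:$kdc_port
!);
}
else
{
	append_to_file(
		$kdc_conf,
		qq!kdc_ports = $kdc_port
kdc_tcp_ports = $kdc_port
!);
}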
|
2018-04-25 20:00:19 +02:00
|
|
|
# Realm section of kdc.conf: the principal database, admin keytab, ACL
# file and key stash file all live under $kdc_datadir.
my $kdc_realm_section = qq!
[realms]
$realm = {
database_name = $kdc_datadir/principal
admin_keytab = FILE:$kdc_datadir/kadm5.keytab
acl_file = $kdc_datadir/kadm5.acl
key_stash_file = $kdc_datadir/_k5.$realm
}!;
append_to_file($kdc_conf, $kdc_realm_section);
|
|
|
|
|
|
|
|
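# Directory for the KDC database and key material.  Report the path and
# the system error if it cannot be created, rather than a bare "Died".
mkdir $kdc_datadir
  or die "could not create directory \"$kdc_datadir\": $!";

# Ensure that we use test's config and cache files, not global ones.
$ENV{'KRB5_CONFIG'}      = $krb5_conf;
$ENV{'KRB5_KDC_PROFILE'} = $kdc_conf;
$ENV{'KRB5CCNAME'}       = $krb5_cache;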
|
2018-03-05 20:42:11 +01:00
|
|
|
|
2018-08-04 05:53:25 +02:00
|
|
|
# Principal the server authenticates as: <service name>/<host>.
my $service_principal = $ENV{with_krb_srvnam} . '/' . $host;

# Create the realm database with a stashed master key.  'secret0' and the
# test1 password below are throwaway fixtures for the KDC database created
# under the test's temporary directory.  They are passed on the command
# line, which is acceptable for fixtures only.
system_or_bail($kdb5_util, 'create', '-s', '-P', 'secret0');

my $test1_password = 'secret1';

# Add the client principal, add the service principal with a random key,
# and export the service key to the keytab the server will read.
foreach my $kadmin_query (
	"addprinc -pw $test1_password test1",
	"addprinc -randkey $service_principal",
	"ktadd -k $keytab $service_principal")
{
	system_or_bail($kadmin_local, '-q', $kadmin_query);
}

# Start the KDC; it records its PID in $kdc_pidfile for the END block.
system_or_bail($krb5kdc, '-P', $kdc_pidfile);
|
|
|
|
|
|
|
|
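# Stop the KDC when the script exits.
#
# This block also runs when the plan was skipped or setup bailed out
# before $kdc_pidfile was assigned, so check that it is defined first.
# The PID file is read directly instead of through `cat`, which keeps the
# path away from the shell, and only a purely numeric PID is signalled.
END
{
	if (defined($kdc_pidfile) && -f $kdc_pidfile)
	{
		if (open(my $pid_fh, '<', $kdc_pidfile))
		{
			my $pid_line = <$pid_fh>;
			close($pid_fh);
			if (defined($pid_line) && $pid_line =~ /^\s*([0-9]+)\s*$/)
			{
				kill 'INT', $1;
			}
		}
	}
}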
|
|
|
|
|
|
|
|
note "setting up PostgreSQL instance";

# Server settings for the tests: listen on $hostaddr, read the service key
# from the generated keytab, and log each connection so the tests can match
# the "connection authorized" lines.  lc_messages is set to 'C'
# (presumably so the logged text does not depend on the host's locale).
my $gss_server_settings = qq{
listen_addresses = '$hostaddr'
krb_server_keyfile = '$keytab'
log_connections = on
lc_messages = 'C'
};

my $node = get_new_node('node');
$node->init;
$node->append_conf('postgresql.conf', $gss_server_settings);
$node->start;

# Database role that the Kerberos principal test1 is expected to map to.
$node->safe_psql('postgres', 'CREATE USER test1;');

note "running tests";
|
|
|
|
|
2020-01-11 23:14:08 +01:00
|
|
|
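# Test connection success or failure, and if success, that query returns true.
#
# $expected_res is the psql exit status the test expects.  When status 0 is
# both expected and obtained, the query output must be "t"; in every other
# case only the exit status is compared.  $gssencmode is appended verbatim
# to the connection string, so it is either empty or a "gssencmode=..."
# setting.  When $expect_log_msg is non-empty, the server log must contain
# it literally; an empty or omitted value skips the log check.
#
# NOTE(review): the callers that expect a failure pass '' for
# $expect_log_msg, so only the exit status is checked there and any
# connection failure would satisfy them.  Matching the server's rejection
# message as well would make those cases stricter.
sub test_access
{
	my ($node, $role, $query, $expected_res, $gssencmode, $test_name,
		$expect_log_msg)
	  = @_;

	# need to connect over TCP/IP for Kerberos
	my $connstr = $node->connstr('postgres')
	  . " host=$host hostaddr=$hostaddr $gssencmode";
	my ($res, $stdoutres, $stderrres) = $node->psql(
		'postgres',
		"$query",
		extra_params => [ '-XAtd', $connstr, '-U', $role ]);

	# If we get a query result back, it should be true.
	if ($res == $expected_res && $res == 0)
	{
		is($stdoutres, "t", $test_name);
	}
	else
	{
		is($res, $expected_res, $test_name);
	}

	# Verify specified log message is logged in the log file.  The message
	# is quoted with \Q...\E, so it is matched as literal text.
	if (defined($expect_log_msg) && $expect_log_msg ne '')
	{
		my $first_logfile = slurp_file($node->logfile);

		like($first_logfile, qr/\Q$expect_log_msg\E/,
			'found expected log file content');
	}

	# Clean up any existing contents in the node's log file so that
	# future tests don't step on each other's generated contents.
	truncate $node->logfile, 0;
	return;
}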
|
|
|
|
|
2020-01-11 23:14:08 +01:00
|
|
|
# Like test_access, but the connection has to succeed and the query output
# is checked against an arbitrary pattern.
#
# Emits three checks under the same test name: psql exit status is 0,
# stdout matches the regex $expected, and stderr is empty.
sub test_query
{
	my ($node, $role, $query, $expected, $gssencmode, $test_name) = @_;

	# need to connect over TCP/IP for Kerberos
	my @psql_options = (
		'-XAtd',
		$node->connstr('postgres')
		  . " host=$host hostaddr=$hostaddr $gssencmode",
		'-U',
		$role);
	my ($exit_code, $out, $err) =
	  $node->psql('postgres', "$query", extra_params => \@psql_options);

	is($exit_code, 0, $test_name);
	like($out, $expected, $test_name);
	is($err, "", $test_name);
	return;
}
|
|
|
|
|
2018-03-05 20:42:11 +01:00
|
|
|
# Replace pg_hba.conf with a single rule: GSSAPI authentication for
# connections from $hostaddr, with user names resolved through "mymap".
unlink($node->data_dir . '/pg_hba.conf');
$node->append_conf('pg_hba.conf',
	qq{host all all $hostaddr/32 gss map=mymap});
$node->restart;

# No ticket has been obtained yet, so the connection must fail.
test_access($node, 'test1', 'SELECT true', 2, '', 'fails without ticket', '');

# Obtain a ticket for test1; the password is fed to kinit on stdin.
unless (run_log([ $kinit, 'test1' ], \$test1_password))
{
	BAIL_OUT($?);
}

# "mymap" has no entries in pg_ident.conf yet, so the connection must
# still fail.
test_access($node, 'test1', 'SELECT true', 2, '', 'fails without mapping', '');

# Map "name@REALM" to the role "name".  $realm is interpolated into the
# pattern unescaped, so its "." matches any character; that is harmless for
# this fixture, but a production map should escape the dots.
$node->append_conf('pg_ident.conf', qq{mymap /^(.*)\@$realm\$ \\1});
$node->restart;
|
|
|
|
|
2019-04-20 03:22:22 +02:00
|
|
|
# With a ticket and a mapping in place, a plain "host" rule must accept the
# connection, and the session must be GSS-authenticated and encrypted, for
# each client gssencmode that allows encryption: the default (empty
# setting), prefer and require.
foreach my $host_hba_case (
	[ '', 'succeeds with mapping with default gssencmode and host hba' ],
	[
		'gssencmode=prefer',
		'succeeds with GSS-encrypted access preferred with host hba'
	],
	[
		'gssencmode=require',
		'succeeds with GSS-encrypted access required with host hba'
	])
{
	my ($gssencmode, $test_name) = @{$host_hba_case};
	test_access(
		$node,
		'test1',
		'SELECT gss_authenticated AND encrypted from pg_stat_gssapi where pid = pg_backend_pid();',
		0,
		$gssencmode,
		$test_name,
		"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, principal=test1\@$realm)"
	);
}
|
2019-04-20 03:22:22 +02:00
|
|
|
|
2020-01-11 23:14:08 +01:00
|
|
|
# Test that we can transport a reasonable amount of data.
# First from server to client: 100000 result rows over a connection that
# requires GSS encryption.
test_query(
	$node, 'test1',
	'SELECT * FROM generate_series(1, 100000);',
	qr/^1\n.*\n1024\n.*\n9999\n.*\n100000$/s,
	'gssencmode=require',
	'receiving 100K lines works');

# Then from client to server: COPY 100000 rows in from stdin and count
# them.  The script is one statement or data line per line.
my $copy_script = join("\n",
	'CREATE TABLE mytab (f1 int primary key);',
	'COPY mytab FROM STDIN;',
	(1 .. 100000),
	"\\.",
	'SELECT COUNT(*) FROM mytab;');

test_query(
	$node, 'test1', $copy_script,
	qr/^100000$/s,
	'gssencmode=require',
	'sending 100K lines works');
|
2020-01-11 23:14:08 +01:00
|
|
|
|
2019-04-20 03:22:22 +02:00
|
|
|
# Switch to a "hostgssenc" rule, which the tests below expect to accept
# GSS-encrypted connections only.
unlink($node->data_dir . '/pg_hba.conf');
$node->append_conf('pg_hba.conf',
	qq{hostgssenc all all $hostaddr/32 gss map=mymap});
$node->restart;

# Clients that ask for encryption (prefer or require) get an encrypted,
# authenticated session.
foreach my $hostgssenc_case (
	[
		'gssencmode=prefer',
		'succeeds with GSS-encrypted access preferred and hostgssenc hba'
	],
	[
		'gssencmode=require',
		'succeeds with GSS-encrypted access required and hostgssenc hba'
	])
{
	my ($gssencmode, $test_name) = @{$hostgssenc_case};
	test_access(
		$node,
		'test1',
		'SELECT gss_authenticated AND encrypted from pg_stat_gssapi where pid = pg_backend_pid();',
		0,
		$gssencmode,
		$test_name,
		"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, principal=test1\@$realm)"
	);
}

# A client that refuses encryption must be rejected.  This is the check
# that hostgssenc really enforces encryption on the wire.
test_access($node, 'test1', 'SELECT true', 2, 'gssencmode=disable',
	'fails with GSS encryption disabled and hostgssenc hba', '');
|
2019-04-20 03:22:22 +02:00
|
|
|
|
|
|
|
# Switch to a "hostnogssenc" rule, which the tests below expect to accept
# only connections that are not GSS-encrypted.  Authentication is still
# GSSAPI.
unlink($node->data_dir . '/pg_hba.conf');
$node->append_conf('pg_hba.conf',
	qq{hostnogssenc all all $hostaddr/32 gss map=mymap});
$node->restart;

# Each case is [ query, expected psql exit status, gssencmode, test name,
# expected log message ]; they run in the listed order.
foreach my $hostnogssenc_case (
	[
		'SELECT gss_authenticated and not encrypted from pg_stat_gssapi where pid = pg_backend_pid();',
		0,
		'gssencmode=prefer',
		'succeeds with GSS-encrypted access preferred and hostnogssenc hba, but no encryption',
		"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=no, principal=test1\@$realm)"
	],
	[
		'SELECT true',
		2,
		'gssencmode=require',
		'fails with GSS-encrypted access required and hostnogssenc hba',
		''
	],
	[
		'SELECT gss_authenticated and not encrypted from pg_stat_gssapi where pid = pg_backend_pid();',
		0,
		'gssencmode=disable',
		'succeeds with GSS encryption disabled and hostnogssenc hba',
		"connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=no, principal=test1\@$realm)"
	])
{
	my ($query, $expected_res, $gssencmode, $test_name, $expect_log_msg) =
	  @{$hostnogssenc_case};
	test_access($node, 'test1', $query, $expected_res, $gssencmode,
		$test_name, $expect_log_msg);
}
|
2018-03-05 20:42:11 +01:00
|
|
|
|
|
|
|
# Drop the user-name map and rely on include_realm=0 instead, which strips
# the realm from the principal before it is compared with the role name.
#
# NOTE(review): with the realm stripped and no krb_realm restriction in the
# rule, "test1" from any realm the server can authenticate would map to the
# same role.  That is fine for this single-realm fixture, but pair
# include_realm=0 with krb_realm in real configurations.
truncate($node->data_dir . '/pg_ident.conf', 0);
unlink($node->data_dir . '/pg_hba.conf');
$node->append_conf('pg_hba.conf',
	qq{host all all $hostaddr/32 gss include_realm=0});
$node->restart;

my $include_realm_query =
  'SELECT gss_authenticated AND encrypted from pg_stat_gssapi where pid = pg_backend_pid();';
my $include_realm_log =
  "connection authorized: user=$username database=$dbname application_name=$application GSS (authenticated=yes, encrypted=yes, principal=test1\@$realm)";

test_access($node, 'test1', $include_realm_query, 0, '',
	'succeeds with include_realm=0 and defaults',
	$include_realm_log);
|