Обсуждение: GSSAPI: logging principal

Поиск
Список
Период
Сортировка

GSSAPI: logging principal

От
Allan Jensen
Дата:
Hi,

I have GSSAPI-login and user mapping to postgres working fine.

Whenever i login to postgres I get a line like the following in the
logfile:

connection authorized: user=testrole database=testdb SSL enabled
(protocol=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384, bits=256,
compression=off)

What bothers me, is that i can't see what kerberos prinicpal was used
during authentication.

I have fiddled around with log-settings to no avail.

Is there any way to make postgres log the principal?

--
Regards,
Allan



Re: GSSAPI: logging principal

От
Stephen Frost
Дата:
Greetings,

* Allan Jensen (pglist@winge-jensen.dk) wrote:
> I have GSSAPI-login and user mapping to postgres working fine.

Great!

> Whenever i login to postgres I get a line like the following in the
> logfile:
>
> connection authorized: user=testrole database=testdb SSL enabled
> (protocol=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384, bits=256,
> compression=off)

Minor side-note: we have GSSAPI encryption built-in starting with v12,
removing the need to also have SSL.

> What bothers me, is that i can't see what kerberos prinicpal was used
> during authentication.

Yeah, I'm afraid that's probably right.  In looking, I don't see any
particularly easy way.  I could have sworn I complained about this ages
ago (there might even be a patch somewhere in the depths of -hackers
from 5 years ago or more) but clearly it never made it in.

One thing that is kind of nice is that with v12 there's a new view where
you can view the state of existing connections, including the principal
they authenticate with: pg_stat_gssapi.

> Is there any way to make postgres log the principal?

Would definitely be a good thing for us to have, and the CN for an
SSL-based connection.  I don't think it'd be hard for someone to hack up
a patch to do so.  I've added it to my list of "nice to haves" but it
seems unlikely I'll get any time in the near future to hack on it, so
if someone else wants to work on it, please feel free to do so...

Thanks,

Stephen

Вложения