Greetings, * Allan Jensen (pglist@xxxxxxxxxxxxxxx) wrote: > I have GSSAPI-login and user mapping to postgres working fine. Great! > Whenever i login to postgres I get a line like the following in the > logfile: > > connection authorized: user=testrole database=testdb SSL enabled > (protocol=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384, bits=256, > compression=off) Minor side-note: we have GSSAPI encryption built-in starting with v12, removing the need to also have SSL. > What bothers me, is that i can't see what kerberos prinicpal was used > during authentication. Yeah, I'm afraid that's probably right. In looking, I don't see any particularly easy way. I could have sworn I complained about this ages ago (there might even be a patch somewhere in the depths of -hackers from 5 years ago or more) but clearly it never made it in. One thing that is kind of nice is that with v12 there's a new view where you can view the state of existing connections, including the principal they authenticate with: pg_stat_gssapi. > Is there any way to make postgres log the principal? Would definitely be a good thing for us to have, and the CN for an SSL-based connection. I don't think it'd be hard for someone to hack up a patch to do so. I've added it to my list of "nice to haves" but it seems unlikely I'll get any time in the near future to hack on it, so if someone else wants to work on it, please feel free to do so... Thanks, Stephen
Attachment:
signature.asc
Description: PGP signature