MIME-Version: 1.0
References: 
 <CAMsr+YFCuBGWh4=aM-K2LCsBEwcrqm=pphKKHEH09vHwXcspow@mail.gmail.com>
 <83bdce65-302f-49ef-828a-3831fe11d904@www.fastmail.com>
 <20191219165719.GC3195@tamriel.snowman.net>
 <02c6c7de-e2e2-48cd-94e7-7d65b7196ca5@www.fastmail.com>
 <20191219173228.GF3195@tamriel.snowman.net>
In-Reply-To: <20191219173228.GF3195@tamriel.snowman.net>
From: Craig Ringer <craig@2ndquadrant.com>
Date: Fri, 20 Dec 2019 11:06:26 +0800
Message-ID: 
 <CAMsr+YHAipW2tH-334ZLcROqx4Q55mB7JZY8CyV0AZMi_yfB2g@mail.gmail.com>
Subject: Re: Can we stop defaulting to 'ident'?
To: Stephen Frost <sfrost@snowman.net>
Cc: James Cassell <fedoraproject@cyberpear.com>,
	PostgreSQL Yum Package List <pgsql-pkg-yum@lists.postgresql.org>
Content-Type: multipart/alternative; boundary="00000000000050334f059a19f7d8"
Precedence: bulk

--00000000000050334f059a19f7d8
Content-Type: text/plain; charset="UTF-8"

On Fri, 20 Dec 2019 at 01:32, Stephen Frost <sfrost@snowman.net> wrote:

> Greetings,
>
> * James Cassell (fedoraproject@cyberpear.com) wrote:
> > Peer does not work with TCP connections, and I haven't figured how to
> get,e.g., third-party Java applications working without TCP.
>
> The entire point of peer was to segregate the very insecure 'ident' from
> the actually quite secure 'peer' auth, so, no, it's not going to work
> over TCP connections- that's more-or-less the point.
>
> Regarding a JDBC connection, you can pass in a "socketFactory", as I
> understand it (though I'm no JDBC expert, I'd suggest you address issues
> you have with that to the JDBC list):
>
> https://jdbc.postgresql.org/documentation/head/connect.html
>

Right. PgJDBC doesn't actually have to support it directly, since you can
pass your own socketFactory, such as one provided by
https://github.com/kohlschutter/junixsocket or
https://github.com/jnr/jnr-unixsocket .

As the Java Language specification does not provide for UNIX socket support
and no widely used JVM bundles AF_UNIX socket support there's no way for
PgJDBC to directly support unix sockets. We could add support for it in
jdbc:postgresql:// URLs, but we'd have to do a runtime search of the
classpath to find a suitable SocketFactory using a list of known unix
socket library implementations ... so why bother? If the user has to
install a 3rd party library to do it anyway, they can specify a JDBC URL
argument too.

So PgJDBC already has everything it needs there IMO, except perhaps a hint
in the documentation. Patches welcome :)

-- 
 Craig Ringer                   http://www.2ndQuadrant.com/
 2ndQuadrant - PostgreSQL Solutions for the Enterprise

--00000000000050334f059a19f7d8
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div dir=3D"ltr">On Fri, 20 Dec 2019 at 01:32, Stephen Fro=
st &lt;<a href=3D"mailto:sfrost@snowman.net">sfrost@snowman.net</a>&gt; wro=
te:<br></div><div class=3D"gmail_quote"><blockquote class=3D"gmail_quote" s=
tyle=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);pad=
ding-left:1ex">Greetings,<br>
<br>
* James Cassell (<a href=3D"mailto:fedoraproject@cyberpear.com" target=3D"_=
blank">fedoraproject@cyberpear.com</a>) wrote:<br>
&gt; Peer does not work with TCP connections, and I haven&#39;t figured how=
 to get,e.g., third-party Java applications working without TCP.<br>
<br>
The entire point of peer was to segregate the very insecure &#39;ident&#39;=
 from<br>
the actually quite secure &#39;peer&#39; auth, so, no, it&#39;s not going t=
o work<br>
over TCP connections- that&#39;s more-or-less the point.<br>
<br>
Regarding a JDBC connection, you can pass in a &quot;socketFactory&quot;, a=
s I<br>
understand it (though I&#39;m no JDBC expert, I&#39;d suggest you address i=
ssues<br>
you have with that to the JDBC list):<br>
<br>
<a href=3D"https://jdbc.postgresql.org/documentation/head/connect.html" rel=
=3D"noreferrer" target=3D"_blank">https://jdbc.postgresql.org/documentation=
/head/connect.html</a><br></blockquote><div><br></div><div>Right. PgJDBC do=
esn&#39;t actually have to support it directly, since you can pass your own=
 socketFactory, such as one provided by=C2=A0<a href=3D"https://github.com/=
kohlschutter/junixsocket">https://github.com/kohlschutter/junixsocket</a> o=
r=C2=A0<a href=3D"https://github.com/jnr/jnr-unixsocket">https://github.com=
/jnr/jnr-unixsocket</a>=C2=A0.</div><div><br></div><div>As the Java Languag=
e specification does not provide for UNIX socket support and no widely used=
 JVM bundles AF_UNIX socket support there&#39;s no way for PgJDBC to direct=
ly support unix sockets. We could add support for it in jdbc:postgresql:// =
URLs, but we&#39;d have to do a runtime search of the classpath to find a s=
uitable SocketFactory using a list of known unix socket library implementat=
ions ... so why bother? If the user has to install a 3rd party library to d=
o it anyway, they can specify a JDBC URL argument too.</div><div><br></div>=
<div>So PgJDBC already has everything it needs there IMO, except perhaps a =
hint in the documentation. Patches welcome :)</div></div><div><br></div>-- =
<br><div dir=3D"ltr" class=3D"gmail_signature"><div dir=3D"ltr"><div><div d=
ir=3D"ltr"><div><div dir=3D"ltr">=C2=A0Craig Ringer=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0 <a href=3D"http://www.2ndQuadrant.com/" target=3D"_blank">http://=
www.2ndQuadrant.com/</a><br>=C2=A02ndQuadrant - PostgreSQL Solutions for th=
e Enterprise<br></div></div></div></div></div></div></div>

--00000000000050334f059a19f7d8--