From 3d03b24c350ab060bb223623bdff38835bd7afd0 Mon Sep 17 00:00:00 2001
From: Stephen Frost <sfrost@snowman.net>
Date: Sat, 8 Apr 2023 07:21:35 -0400
Subject: Revert "Add support for Kerberos credential delegation"

This reverts commit 3d4fa227bce4294ce1cc214b4a9d3b7caa3f0454.

Per discussion and buildfarm, this depends on APIs that seem to not
be available on at least one platform (NetBSD).  Should be certainly
possible to rework to be optional on that platform if necessary but bit
late for that at this point.

Discussion: https://postgr.es/m/3286097.1680922218@sss.pgh.pa.us
---
 doc/src/sgml/config.sgml       | 17 -----------------
 doc/src/sgml/dblink.sgml       |  5 ++---
 doc/src/sgml/libpq.sgml        | 41 -----------------------------------------
 doc/src/sgml/monitoring.sgml   |  9 ---------
 doc/src/sgml/postgres-fdw.sgml |  7 +++----
 5 files changed, 5 insertions(+), 74 deletions(-)

(limited to 'doc/src')

diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index 091a79d4f36..f81c2045ec4 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -1190,23 +1190,6 @@ include_dir 'conf.d'
       </listitem>
      </varlistentry>
 
-     <varlistentry id="guc-gss-accept-deleg" xreflabel="gss_accept_deleg">
-      <term><varname>gss_accept_deleg</varname> (<type>boolean</type>)
-      <indexterm>
-       <primary><varname>gss_accept_deleg</varname> configuration parameter</primary>
-      </indexterm>
-      </term>
-      <listitem>
-       <para>
-        Sets whether GSSAPI delegation should be accepted from the client.
-        The default is <literal>off</literal> meaning credentials from the client will
-        NOT be accepted.  Changing this to <literal>on</literal> will make the server
-        accept credentials delegated to it from the client. This parameter can only be
-        set in the <filename>postgresql.conf</filename> file or on the server command line.
-       </para>
-      </listitem>
-     </varlistentry>
-
      <varlistentry id="guc-db-user-namespace" xreflabel="db_user_namespace">
       <term><varname>db_user_namespace</varname> (<type>boolean</type>)
       <indexterm>
diff --git a/doc/src/sgml/dblink.sgml b/doc/src/sgml/dblink.sgml
index 7d25f24f490..17f9d99b1c7 100644
--- a/doc/src/sgml/dblink.sgml
+++ b/doc/src/sgml/dblink.sgml
@@ -117,9 +117,8 @@ dblink_connect(text connname, text connstr) returns text
 
    <para>
     Only superusers may use <function>dblink_connect</function> to create
-    non-password-authenticated and non-GSSAPI-authenticated connections.
-    If non-superusers need this capability, use
-    <function>dblink_connect_u</function> instead.
+    non-password-authenticated connections.  If non-superusers need this
+    capability, use <function>dblink_connect_u</function> instead.
    </para>
 
    <para>
diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index b8702284d0b..faa8aa3187e 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -2054,18 +2054,6 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
       </listitem>
      </varlistentry>
 
-     <varlistentry id="libpq-connect-gssdeleg" xreflabel="gssdeleg">
-      <term><literal>gssdeleg</literal></term>
-      <listitem>
-       <para>
-        Forward (delegate) GSS credentials to the server.  The default is
-        <literal>disable</literal> which means credentials will not be forwarded
-        to the server.  Set this to <literal>enable</literal> to have
-        credentials forwarded when possible.
-       </para>
-      </listitem>
-     </varlistentry>
-
      <varlistentry id="libpq-connect-service" xreflabel="service">
       <term><literal>service</literal></term>
       <listitem>
@@ -2727,25 +2715,6 @@ int PQconnectionUsedPassword(const PGconn *conn);
       </para>
      </listitem>
     </varlistentry>
-
-    <varlistentry id="libpq-PQconnectionUsedGSSAPI">
-     <term><function>PQconnectionUsedGSSAPI</function><indexterm><primary>PQconnectionUsedGSSAPI</primary></indexterm></term>
-     <listitem>
-      <para>
-       Returns true (1) if the connection authentication method
-       used GSSAPI. Returns false (0) if not.
-
-<synopsis>
-int PQconnectionUsedGSSAPI(const PGconn *conn);
-</synopsis>
-      </para>
-
-      <para>
-       This function can be applied to detect whether the connection was
-       authenticated with GSSAPI.
-      </para>
-     </listitem>
-    </varlistentry>
    </variablelist>
   </para>
 
@@ -8268,16 +8237,6 @@ myEventProc(PGEventId evtId, void *evtInfo, void *passThrough)
      </para>
     </listitem>
 
-    <listitem>
-     <para>
-      <indexterm>
-       <primary><envar>PGGSSDELEG</envar></primary>
-      </indexterm>
-      <envar>PGGSSDELEG</envar> behaves the same as the <xref
-      linkend="libpq-connect-gssdeleg"/> connection parameter.
-     </para>
-    </listitem>
-
     <listitem>
      <para>
       <indexterm>
diff --git a/doc/src/sgml/monitoring.sgml b/doc/src/sgml/monitoring.sgml
index e8ab8032674..3f33a1c56c9 100644
--- a/doc/src/sgml/monitoring.sgml
+++ b/doc/src/sgml/monitoring.sgml
@@ -3573,15 +3573,6 @@ SELECT pid, wait_event_type, wait_event FROM pg_stat_activity WHERE wait_event i
        True if GSSAPI encryption is in use on this connection
       </para></entry>
      </row>
-
-     <row>
-      <entry role="catalog_table_entry"><para role="column_definition">
-       <structfield>credentials_delegated</structfield> <type>boolean</type>
-      </para>
-      <para>
-       True if GSSAPI credentials were delegated on this connection.
-      </para></entry>
-     </row>
     </tbody>
    </tgroup>
   </table>
diff --git a/doc/src/sgml/postgres-fdw.sgml b/doc/src/sgml/postgres-fdw.sgml
index 281966f16ff..9e66987cf7f 100644
--- a/doc/src/sgml/postgres-fdw.sgml
+++ b/doc/src/sgml/postgres-fdw.sgml
@@ -169,10 +169,9 @@
     <literal>sslcert</literal> or <literal>sslkey</literal> settings.
    </para>
    <para>
-    Non-superusers may connect to foreign servers using password
-    authentication or with GSSAPI delegated credentials, so specify the
-    <literal>password</literal> option for user mappings belonging to
-    non-superusers where password authentication is required.
+    Only superusers may connect to foreign servers without password
+    authentication, so always specify the <literal>password</literal> option
+    for user mappings belonging to non-superusers.
    </para>
    <para>
     A superuser may override this check on a per-user-mapping basis by setting
-- 
cgit v1.2.3