pgAdmin 4 + python wheel + kerberos

pgAdmin 4 + python wheel + kerberos

Duffey, Blake A.

Will pgAdmin 4 as a python wheel application support Kerberos authentication?

We are evaluating running pgAdmin 4 as a web service (vs a Windows application) in a shared Citrix environment. Kerberos auth would make this use case viable.

Thanks

Blake

Re: pgAdmin 4 + python wheel + kerberos

Khushboo Vashi


On Wed, Dec 13, 2017 at 3:05 AM, Duffey, Blake <[hidden email]> wrote:

> Will pgAdmin 4 as a python wheel application support Kerberos authentication?
>
> We are evaluating running pgAdmin 4 as a web service (vs a Windows application) in a shared Citrix environment. Kerberos auth would make this use case viable.

Ref #1952 <https://redmine.postgresql.org/issues/1952> :
Kerberos authentication is supported by the underlying libpq, and pgAdmin 4 exposes both the host and hostaddr connection options that are typically used in Kerberos environments.

> Thanks
>
> Blake

Re: pgAdmin 4 + python wheel + kerberos

Stephen Frost

Greetings,

* Khushboo Vashi ([hidden email]) wrote:

> On Wed, Dec 13, 2017 at 3:05 AM, Duffey, Blake <[hidden email]>
> wrote:
>
> > Will pgAdmin 4 as a python wheel application support Kerberos
> > authentication?
> >
> > We are evaluating running pgAdmin 4 as a web service (vs a Windows
> > application) in a shared Citrix environment.   Kerberos auth would make
> > this use case viable.
>
> Ref #1952 <https://redmine.postgresql.org/issues/1952> :
> Kerberos authentication is supported by the underlying libpq, and pgAdmin 4
> exposes both the host and hostaddr connection options that are typically
> used in Kerberos environments.
This does not appear to contemplate Kerberos credential proxying, which
is what is really needed here when talking about running pgAdmin4 as a
web service.

Specifically, pgAdmin4 would need to be able to handle *incoming*
Kerberos authentication requests using SPNEGO and then be able to have
credentials delegated to it which would then allow it to authenticate to
PostgreSQL using Kerberos.

The fact that pgAdmin4 uses libpq to connect to PG does not make
pgAdmin4 support Kerberos as a web service, though it should work for
pgAdmin4 running as a Windows client (assuming it's being run in the
user's application space; if it's being run as a Windows service or
similar then it may not work).

I'd certainly love to see pgAdmin4 as a web service support Kerberos
authentication, with multi-user support and proper ticket delegation and
credential proxying to allow users a seamless experience hitting a
pgAdmin4 web server.

Thanks!

Stephen

Re: pgAdmin 4 + python wheel + kerberos

Stephen Frost

Greetings,

* Stephen Frost ([hidden email]) wrote:

> * Khushboo Vashi ([hidden email]) wrote:
> > On Wed, Dec 13, 2017 at 3:05 AM, Duffey, Blake <[hidden email]>
> > wrote:
> >
> > > Will pgAdmin 4 as a python wheel application support Kerberos
> > > authentication?
> > >
> > > We are evaluating running pgAdmin 4 as a web service (vs a Windows
> > > application) in a shared Citrix environment.   Kerberos auth would make
> > > this use case viable.
> >
> > Ref #1952 <https://redmine.postgresql.org/issues/1952> :
> > Kerberos authentication is supported by the underlying libpq, and pgAdmin 4
> > exposes both the host and hostaddr connection options that are typically
> > used in Kerberos environments.
>
> This does not appear to contemplate Kerberos credential proxying, which
> is what is really needed here when talking about running pgAdmin4 as a
> web service.
That said, reminding myself that pgAdmin4 can be run under Apache, it
should be possible to have an Apache system set up with mod_auth_kerb
(to handle the incoming Kerberos authentication and the credential
delegation) and have pgAdmin4 pick up on the user as having been
authenticated via Kerberos thanks to environment variables provided by
Apache and, further, be able to connect to a downstream PostgreSQL
database using the delegated credentials thanks to mod_auth_kerb setting
up the KRB5CCACHE environment variable.

I'm not completely sure about the mod_wsgi bit of things or if there's
anything further that would need to be done to make this all work, but
it might not require that much effort if Apache and libpq are able to
handle all of the complexity of Kerberos authentication.  The big
question when it comes to mod_wsgi and the way that works is if the
environment variables are passed through somehow because that's required
to make this work- and, more importantly, the environment variables need
to be per-connection.  It might require some kind of proxying from the
environment variables passed in by Apache to the various processes doing
the work in pgAdmin4 (this clearly must be done already to some extent-
each part of pgAdmin4 knows which *user* is logged in, after all).

In short, Blake, if it were me, I'd probably build out a system which
uses Apache, mod_auth_kerb, and mod_wsgi, and then make sure that
Kerberos is being used to authenticate to Apache, and then set up a
downstream PG server to use gssapi for the auth type from the pgAdmin4
server and see if things don't 'just work'.

I don't think pgAdmin4 currently is able to work with Apache's auth
system and, instead, has its own, so until that's fixed you'd have to
have user accounts for everyone in the pgAdmin4 user management system
that they'd have to use to 'log into' pgAdmin4 after the Kerberos
authentication has been done and they can hit the app itself.  The
question after that is if pgAdmin4 will pick up on the KRB5CCACHE
location for the current session and be able to use it to do GSSAPI
authentication via libpq to PG.

Thanks!

Stephen

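Stephen's sketch (Apache with mod_auth_kerb doing SPNEGO and credential delegation, mod_wsgi in front of the Python app, libpq doing GSSAPI to a PostgreSQL server whose pg_hba.conf uses the gss auth type), worked through as an added example; this is not code from the thread or from the pgAdmin project. Two details the code relies on: the environment variable that mod_auth_kerb sets when KrbSaveCredentials is on, and that libpq consults, is named KRB5CCNAME, and under mod_wsgi it is delivered in the per-request WSGI environ, not in the process environment that libpq reads. That gap is exactly the per-connection problem raised above, and the middleware below bridges it by copying the value into the process environment only for the duration of the connect call, under a lock. The Apache directives in the docstring, the pg_hba.conf line, the krb5cc_apache_ cache-file naming, the EXAMPLE.COM realm, the /tmp cache directory and the psycopg2-style connect callable are all assumptions for illustration.

```python
"""Per-request Kerberos credential hand-off for a WSGI app behind Apache.

Assumed Apache side (mod_auth_kerb, delegation enabled):

    <Location /pgadmin4>
        AuthType Kerberos
        AuthName "pgAdmin 4"
        KrbMethodNegotiate On
        KrbMethodK5Passwd Off
        KrbServiceName HTTP
        Krb5Keytab /etc/httpd/conf/http.keytab
        KrbSaveCredentials On
        Require valid-user
    </Location>

With KrbSaveCredentials on, mod_auth_kerb stores the delegated ticket in a
file and hands its location to the application as the request variable
KRB5CCNAME, next to REMOTE_USER (user@REALM unless KrbLocalUserMapping is on).
Assumed pg_hba.conf line on the downstream server (Stephen's "gssapi"):

    host  all  all  10.0.0.0/8  gss  include_realm=0  krb_realm=EXAMPLE.COM
"""
import os
import re
import threading

# libpq reads KRB5CCNAME from the *process* environment, not from the WSGI
# environ, so two threads connecting as different users would race on it.
# Serialise the swap around connect(); the resulting connections can then be
# used concurrently, because the cache is only consulted during the handshake.
_env_lock = threading.Lock()

_PRINCIPAL_RE = re.compile(r"^[A-Za-z0-9._-]+@[A-Z0-9.-]+$")
# Assumed naming of the caches mod_auth_kerb writes into the server temp dir.
_CCACHE_RE = re.compile(r"^FILE:(/[^\0]+/krb5cc_apache_[A-Za-z0-9]+)$")


def kerberos_identity(environ, ccache_dir="/tmp"):
    """Return (principal, ccache_path) from a WSGI environ, or raise."""
    principal = environ.get("REMOTE_USER", "")
    if not _PRINCIPAL_RE.match(principal):
        raise PermissionError("no Kerberos principal in REMOTE_USER")
    match = _CCACHE_RE.match(environ.get("KRB5CCNAME", ""))
    if not match:
        raise PermissionError("no delegated credential cache for this request")
    path = os.path.normpath(match.group(1))
    # Only accept caches inside the directory Apache writes them into, so a
    # leaked or spoofed variable cannot point libpq at an arbitrary file.
    if os.path.dirname(path) != os.path.normpath(ccache_dir):
        raise PermissionError("credential cache outside %s" % ccache_dir)
    return principal, path


def connect_as(environ, connect, host, dbname, ccache_dir="/tmp"):
    """Open a libpq connection using the request's delegated credentials.

    `connect` is any psycopg2.connect-compatible callable, injected so the
    hand-off can be exercised without a KDC or a PostgreSQL server.
    """
    principal, ccache = kerberos_identity(environ, ccache_dir)
    user = principal.split("@", 1)[0]  # matches include_realm=0 on the server
    with _env_lock:
        saved = os.environ.get("KRB5CCNAME")
        os.environ["KRB5CCNAME"] = "FILE:" + ccache
        try:
            # No password: libpq authenticates with the ticket in the cache.
            return connect(host=host, dbname=dbname, user=user,
                           krbsrvname="postgres")
        finally:
            if saved is None:
                del os.environ["KRB5CCNAME"]
            else:
                os.environ["KRB5CCNAME"] = saved


if __name__ == "__main__":
    # Constructed environ of the kind mod_wsgi passes after mod_auth_kerb ran.
    demo_environ = {
        "REMOTE_USER": "blake@EXAMPLE.COM",
        "KRB5CCNAME": "FILE:/tmp/krb5cc_apache_Ab12Cd",
    }

    def fake_connect(**params):
        return "connected as %s via %s" % (params["user"],
                                           os.environ["KRB5CCNAME"])

    print(connect_as(demo_environ, fake_connect, "db.example.com", "postgres"))
```

Two caveats for anyone building this out: mod_auth_kerb removes the cache file when the request that delivered it ends, so the connect must happen inside that request rather than later from a pooled or session-cached path; and the lock only makes the environment swap safe, it does nothing about the separate pgAdmin4 login layer mentioned above, which would still need its own account for each principal until the application can trust REMOTE_USER from Apache.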