Re: pgAdmin 4 + python wheel + kerberos

Greetings,

* Khushboo Vashi (khushboo(dot)vashi(at)enterprisedb(dot)com) wrote:
> On Wed, Dec 13, 2017 at 3:05 AM, Duffey, Blake <Blake(dot)Duffey(at)noblis(dot)org>
> wrote:
>
> > Will pgAdmin 4 as a python wheel application support Kerberos
> > authentication?
> >
> > We are evaluating running pgAdmin 4 as a web service (vs a Windows
> > application) in a shared Citrix environment. Kerberos auth would make
> > this use case viable.
>
> Ref #1952 <https://redmine.postgresql.org/issues/1952> :
> Kerberos authentication is supported by the underlying libpq, and pgAdmin 4
> exposes both the host and hostaddr connection options that are typically
> used in Kerberos environments.

This does not appear to contemplate Kerberos credential proxying, which
is what is really needed here when talking about running pgAdmin4 as a
web service.

Specifically, pgAdmin4 would need to be able to handline *incoming*
Kerberos authentication requests using SPNEGO and then be able to have
credentials delegated to it which would then allow it to authenticate to
PostgreSQL using Kerberos.

The fact that pgAdmin4 uses libpq to connect to PG does not make
pgAdmin4 support Kerberos as a web service, though it should work for
pgAdmin4 running as a Windows client (assuming it's being run in the
user's application space; if it's being run as a Windows service or
similar then it may not work).

I'd certainly love to see pgAdmin4 as a web service support Kerberos
authentication, with multi-user support and proper ticket delegation and
credential proxying to allow users a seamless experience hitting a
pgAdmin4 web server.

Thanks!

Stephen