| From: | Stephen Frost <sfrost(at)snowman(dot)net> |
|---|---|
| To: | Khushboo Vashi <khushboo(dot)vashi(at)enterprisedb(dot)com> |
| Cc: | pgadmin-hackers <pgadmin-hackers(at)postgresql(dot)org> |
| Subject: | Re: [pgAdmin4][Patch] - RM 5457 - Kerberos Authentication - Phase 1 |
| Date: | 2021-01-02 15:41:30 |
| Message-ID: | 20210102154130.GO27507@tamriel.snowman.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgadmin-hackers |
Greetings,
* Khushboo Vashi (khushboo(dot)vashi(at)enterprisedb(dot)com) wrote:
> Please find the attached patch to support Kerberos Authentication in
> pgAdmin RM 5457.
>
> The patch introduces a new pluggable option for Kerberos authentication,
> using SPNEGO to forward kerberos tickets through a browser which will
> bypass the login page entirely if the Kerberos Authentication succeeds.
I've taken a (very short) look at this as it's certainly something that
I'm interested in and glad to see work is being done on it.
I notice that 'delegated_creds' is being set but it's unclear to me how
they're actually being used (if at all), which is a very important part
of Kerberos.
What's commonly done with mod_auth_kerb/mod_auth_gss is that the
delegated credentials are stored on the filesystem in a temporary
directory and then an environment variable is set to signal to libpq /
the Kerberos libraries that the delegated credentials can be found in
the temporary file. I don't see any of that happening in this patch- is
that already handled in some way? If not, what's the plan for making
that work? Also important is to make sure that this approach will work
for constrainted delegation implementations.
Thanks!
Stephen
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Dave Page | 2021-01-02 15:56:19 | Re: [pgAdmin4][Patch] - RM 5457 - Kerberos Authentication - Phase 1 |
| Previous Message | Aditya Toshniwal | 2021-01-01 11:50:41 | [pgAdmin][RM5282] "Count Rows" option missing from partition sub tables |