Re: [pgAdmin4][Patch] - RM 5457 - Kerberos Authentication - Phase 1

FYI, I did a quick test (and browse of PyPI):

- On Windows, it seems there is a binary wheel available:

(gssapi) C:\Users\dpage>pip install gssapi
Collecting gssapi
Downloading gssapi-1.6.12-cp39-cp39-win_amd64.whl (670 kB)
|████████████████████████████████| 670 kB 3.3 MB/s
Collecting decorator
Downloading decorator-4.4.2-py2.py3-none-any.whl (9.2 kB)
Installing collected packages: decorator, gssapi
Successfully installed decorator-4.4.2 gssapi-1.6.12

- On macOS, the wheel is built by pip, but it doesn't seem to have any
additional binary dependencies.

This should simplify things a lot - we just need to ensure the build
scripts use the binary package on Windows, and install the build deps on
the Linux/Docker environments (and update the package builds with the
additional dependencies of course).

On Thu, Jan 14, 2021 at 4:04 PM Dave Page <dpage(at)pgadmin(dot)org> wrote:

> Hi Khushboo,
>
> As you know, this has been rolled back as the buildfarm blew up. I think
> there are a number of TODOs that need to be addressed, given that the
> gssapi Python module is dependent on MIT Kerberos:
>
> In the patch:
>
> - Linux packages will need the additional dependencies to be declared in
> the RPM/DEBs.
> - The setup scripts for Linux will need to have the -dev packages added as
> appropriate.
> - The various READMEs that describe how to build packages will need to be
> updated.
> - The Dockerfile will need to be modified to add the required packages.
> - The Windows build will need to be updated so the installer ships
> additional required DLLs.
> - Are there any additional macOS dependencies? If so, they need to be
> handled.
>
> In the buildfarm:
>
> - All Linux build VMs need to be updated with the additional dependencies.
> - On Windows, we need to figure out how to build/ship KfW. It's a pain to
> build, which we would typically do ourselves to ensure we're consistently
> using the same buildchain. If we do build it ourselves:
> - Will the Python package find it during it's build?
> - We'll need to create a Jenkins job to perform the build.
> - Is any work required on macOS, or does it ship with everything that's
> needed? If not, we'll need to build it, and create the Jenkins job.
>
> One final thought: on Windows/macOS, can we force a binary installation
> from PIP (pip install --only-binary=gssapi gssapi)? If so, will that
> include the required libraries, as psycopg2-binary does?
>
>
> On Thu, Jan 14, 2021 at 8:18 AM Akshay Joshi <
> akshay(dot)joshi(at)enterprisedb(dot)com> wrote:
>
>> Thanks, patch applied.
>>
>> On Thu, Jan 14, 2021 at 1:42 PM Khushboo Vashi <
>> khushboo(dot)vashi(at)enterprisedb(dot)com> wrote:
>>
>>> Hi,
>>>
>>> Please ignore my previous patch, attached the updated one.
>>>
>>> Thanks,
>>> Khushboo
>>>
>>> On Thu, Jan 14, 2021 at 12:17 PM Khushboo Vashi <
>>> khushboo(dot)vashi(at)enterprisedb(dot)com> wrote:
>>>
>>>> Hi,
>>>>
>>>> Please find the attached updated patch.
>>>>
>>>> Thanks,
>>>> Khushboo
>>>>
>>>> On Thu, Jan 14, 2021 at 12:00 PM Akshay Joshi <
>>>> akshay(dot)joshi(at)enterprisedb(dot)com> wrote:
>>>>
>>>>> Hi Khushboo
>>>>>
>>>>> Seems you have attached the wrong patch. Please send the updated patch.
>>>>>
>>>>> On Wed, Jan 13, 2021 at 2:35 PM Khushboo Vashi <
>>>>> khushboo(dot)vashi(at)enterprisedb(dot)com> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Please find the attached updated patch.
>>>>>>
>>>>>> Thanks,
>>>>>> Khushboo
>>>>>>
>>>>>> On Fri, Jan 1, 2021 at 1:07 PM Aditya Toshniwal <
>>>>>> aditya(dot)toshniwal(at)enterprisedb(dot)com> wrote:
>>>>>>
>>>>>>> Hi Khushboo,
>>>>>>>
>>>>>>> I've just done the code review. Apart from below, the patch looks
>>>>>>> good to me:
>>>>>>>
>>>>>>> 1) Move the auth source constants -ldap, kerberos out of app object.
>>>>>>> They don't belong there. You can create the constants somewhere else and
>>>>>>> import them.
>>>>>>>
>>>>>>> +app.PGADMIN_LDAP_AUTH_SOURCE = 'ldap'
>>>>>>>
>>>>>>> +app.PGADMIN_KERBEROS_AUTH_SOURCE = 'kerberos'
>>>>>>>
>>>>>>>
>>>>>>> Done
>>>>>>
>>>>>>> 2) Are we going to make kerberos default for wsgi ?
>>>>>>>
>>>>>>> *--- a/web/pgAdmin4.wsgi*
>>>>>>>
>>>>>>> *+++ b/web/pgAdmin4.wsgi*
>>>>>>>
>>>>>>> @@ -24,6 +24,10 @@ builtins.SERVER_MODE = True
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> import config
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> +
>>>>>>>
>>>>>>> +config.AUTHENTICATION_SOURCES = ['kerberos']
>>>>>>>
>>>>>>> +config.KERBEROS_AUTO_CREATE_USER = True
>>>>>>>
>>>>>>> +
>>>>>>>
>>>>>>>
>>>>>>> Removed, it was only for testing.
>>>>>>
>>>>>>> 3) Remove the commented code.
>>>>>>>
>>>>>>> + # if self.form.data['email'] and
>>>>>>> self.form.data['password'] and \
>>>>>>>
>>>>>>> + # source.get_source_name() ==\
>>>>>>>
>>>>>>> + # current_app.PGADMIN_KERBEROS_AUTH_SOURCE:
>>>>>>>
>>>>>>> + # continue
>>>>>>>
>>>>>>>
>>>>>>> Removed the comment, it is actually the part of the code.
>>>>>>
>>>>>>> 4) KERBEROSAuthentication could be KerberosAuthentication
>>>>>>>
>>>>>>> class KERBEROSAuthentication(BaseAuthentication):
>>>>>>>
>>>>>>>
>>>>>>> Done.
>>>>>>
>>>>>>> 5) You can use the constants (ldap, kerberos) you had defined when
>>>>>>> creating a user.
>>>>>>>
>>>>>>> + 'auth_source': 'kerberos'
>>>>>>>
>>>>>>>
>>>>>>> Done.
>>>>>>
>>>>>>> 6) The below URLs belong to the authenticate module. Currently they
>>>>>>> are in the browser module. I would also suggest rephrasing the URL from
>>>>>>> /kerberos_login to /login/kerberos. Same for logout.
>>>>>>>
>>>>>> Done the rephrasing as well as moved to the authentication module.
>>>>>>
>>>>>>
>>>>>>> Also, even though the method GET works, we should use the POST
>>>>>>> method for login and DELETE for logout.
>>>>>>>
>>>>>> Kerberos_login just redirects the page to the actual login, so no
>>>>>> need for the POST method.
>>>>>> I followed the same method for the Logout user we have used for the
>>>>>> normal user.
>>>>>>
>>>>>>
>>>>>>> +(at)blueprint(dot)route("/kerberos_login",
>>>>>>>
>>>>>>> + endpoint="kerberos_login", methods=["GET"])
>>>>>>>
>>>>>>>
>>>>>>> +(at)blueprint(dot)route("/kerberos_logout",
>>>>>>>
>>>>>>> + endpoint="kerberos_logout", methods=["GET"])
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>> On Tue, Dec 22, 2020 at 6:07 PM Akshay Joshi <
>>>>>>> akshay(dot)joshi(at)enterprisedb(dot)com> wrote:
>>>>>>>
>>>>>>>> Hi Aditya
>>>>>>>>
>>>>>>>> Can you please do the code review?
>>>>>>>>
>>>>>>>> On Tue, Dec 22, 2020 at 3:44 PM Khushboo Vashi <
>>>>>>>> khushboo(dot)vashi(at)enterprisedb(dot)com> wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> Please find the attached patch to support Kerberos Authentication
>>>>>>>>> in pgAdmin RM 5457.
>>>>>>>>>
>>>>>>>>> The patch introduces a new pluggable option for Kerberos
>>>>>>>>> authentication, using SPNEGO to forward kerberos tickets through a browser
>>>>>>>>> which will bypass the login page entirely if the Kerberos Authentication
>>>>>>>>> succeeds.
>>>>>>>>>
>>>>>>>>> The complete setup of the Kerberos Server + pgAdmin Server +
>>>>>>>>> Client is documented in a separate file and attached.
>>>>>>>>>
>>>>>>>>> This patch also includes the small fix related to logging #5829
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Khushboo
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> *Thanks & Regards*
>>>>>>>> *Akshay Joshi*
>>>>>>>> *pgAdmin Hacker | Principal Software Architect*
>>>>>>>> *EDB Postgres <http://edbpostgres.com>*
>>>>>>>>
>>>>>>>> *Mobile: +91 976-788-8246*
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Thanks,
>>>>>>> Aditya Toshniwal
>>>>>>> pgAdmin hacker | Sr. Software Engineer | *edbpostgres.com*
>>>>>>> <http://edbpostgres.com>
>>>>>>> "Don't Complain about Heat, Plant a TREE"
>>>>>>>
>>>>>>
>>>>>
>>>>> --
>>>>> *Thanks & Regards*
>>>>> *Akshay Joshi*
>>>>> *pgAdmin Hacker | Principal Software Architect*
>>>>> *EDB Postgres <http://edbpostgres.com>*
>>>>>
>>>>> *Mobile: +91 976-788-8246*
>>>>>
>>>>
>>
>> --
>> *Thanks & Regards*
>> *Akshay Joshi*
>> *pgAdmin Hacker | Principal Software Architect*
>> *EDB Postgres <http://edbpostgres.com>*
>>
>> *Mobile: +91 976-788-8246*
>>
>
>
> --
> Dave Page
> Blog: http://pgsnake.blogspot.com
> Twitter: @pgsnake
>
> EDB: http://www.enterprisedb.com
>
>

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EDB: http://www.enterprisedb.com