Re: [pgAdmin4][Patch] - RM 5457 - Kerberos Authentication - Phase 1

And another thought...

Some of the Jenkins QA jobs setup the virtual environment for running tests
themselves. I believe these might actually be the cause of some of the
failures we saw initially with the commit - I'll review those, and ensure
they won't try to build the gssapi module from source on Windows.

On Thu, Jan 14, 2021 at 4:34 PM Dave Page <dpage(at)pgadmin(dot)org> wrote:

> FYI, I did a quick test (and browse of PyPI):
>
> - On Windows, it seems there is a binary wheel available:
>
> (gssapi) C:\Users\dpage>pip install gssapi
> Collecting gssapi
> Downloading gssapi-1.6.12-cp39-cp39-win_amd64.whl (670 kB)
> |████████████████████████████████| 670 kB 3.3 MB/s
> Collecting decorator
> Downloading decorator-4.4.2-py2.py3-none-any.whl (9.2 kB)
> Installing collected packages: decorator, gssapi
> Successfully installed decorator-4.4.2 gssapi-1.6.12
>
> - On macOS, the wheel is built by pip, but it doesn't seem to have any
> additional binary dependencies.
>
> This should simplify things a lot - we just need to ensure the build
> scripts use the binary package on Windows, and install the build deps on
> the Linux/Docker environments (and update the package builds with the
> additional dependencies of course).
>
>
> On Thu, Jan 14, 2021 at 4:04 PM Dave Page <dpage(at)pgadmin(dot)org> wrote:
>
>> Hi Khushboo,
>>
>> As you know, this has been rolled back as the buildfarm blew up. I think
>> there are a number of TODOs that need to be addressed, given that the
>> gssapi Python module is dependent on MIT Kerberos:
>>
>> In the patch:
>>
>> - Linux packages will need the additional dependencies to be declared in
>> the RPM/DEBs.
>> - The setup scripts for Linux will need to have the -dev packages added
>> as appropriate.
>> - The various READMEs that describe how to build packages will need to be
>> updated.
>> - The Dockerfile will need to be modified to add the required packages.
>> - The Windows build will need to be updated so the installer ships
>> additional required DLLs.
>> - Are there any additional macOS dependencies? If so, they need to be
>> handled.
>>
>> In the buildfarm:
>>
>> - All Linux build VMs need to be updated with the additional dependencies.
>> - On Windows, we need to figure out how to build/ship KfW. It's a pain to
>> build, which we would typically do ourselves to ensure we're consistently
>> using the same buildchain. If we do build it ourselves:
>> - Will the Python package find it during it's build?
>> - We'll need to create a Jenkins job to perform the build.
>> - Is any work required on macOS, or does it ship with everything that's
>> needed? If not, we'll need to build it, and create the Jenkins job.
>>
>> One final thought: on Windows/macOS, can we force a binary installation
>> from PIP (pip install --only-binary=gssapi gssapi)? If so, will that
>> include the required libraries, as psycopg2-binary does?
>>
>>
>> On Thu, Jan 14, 2021 at 8:18 AM Akshay Joshi <
>> akshay(dot)joshi(at)enterprisedb(dot)com> wrote:
>>
>>> Thanks, patch applied.
>>>
>>> On Thu, Jan 14, 2021 at 1:42 PM Khushboo Vashi <
>>> khushboo(dot)vashi(at)enterprisedb(dot)com> wrote:
>>>
>>>> Hi,
>>>>
>>>> Please ignore my previous patch, attached the updated one.
>>>>
>>>> Thanks,
>>>> Khushboo
>>>>
>>>> On Thu, Jan 14, 2021 at 12:17 PM Khushboo Vashi <
>>>> khushboo(dot)vashi(at)enterprisedb(dot)com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Please find the attached updated patch.
>>>>>
>>>>> Thanks,
>>>>> Khushboo
>>>>>
>>>>> On Thu, Jan 14, 2021 at 12:00 PM Akshay Joshi <
>>>>> akshay(dot)joshi(at)enterprisedb(dot)com> wrote:
>>>>>
>>>>>> Hi Khushboo
>>>>>>
>>>>>> Seems you have attached the wrong patch. Please send the updated
>>>>>> patch.
>>>>>>
>>>>>> On Wed, Jan 13, 2021 at 2:35 PM Khushboo Vashi <
>>>>>> khushboo(dot)vashi(at)enterprisedb(dot)com> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> Please find the attached updated patch.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Khushboo
>>>>>>>
>>>>>>> On Fri, Jan 1, 2021 at 1:07 PM Aditya Toshniwal <
>>>>>>> aditya(dot)toshniwal(at)enterprisedb(dot)com> wrote:
>>>>>>>
>>>>>>>> Hi Khushboo,
>>>>>>>>
>>>>>>>> I've just done the code review. Apart from below, the patch looks
>>>>>>>> good to me:
>>>>>>>>
>>>>>>>> 1) Move the auth source constants -ldap, kerberos out of app
>>>>>>>> object. They don't belong there. You can create the constants
>>>>>>>> somewhere else and import them.
>>>>>>>>
>>>>>>>> +app.PGADMIN_LDAP_AUTH_SOURCE = 'ldap'
>>>>>>>>
>>>>>>>> +app.PGADMIN_KERBEROS_AUTH_SOURCE = 'kerberos'
>>>>>>>>
>>>>>>>>
>>>>>>>> Done
>>>>>>>
>>>>>>>> 2) Are we going to make kerberos default for wsgi ?
>>>>>>>>
>>>>>>>> *--- a/web/pgAdmin4.wsgi*
>>>>>>>>
>>>>>>>> *+++ b/web/pgAdmin4.wsgi*
>>>>>>>>
>>>>>>>> @@ -24,6 +24,10 @@ builtins.SERVER_MODE = True
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> import config
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> +
>>>>>>>>
>>>>>>>> +config.AUTHENTICATION_SOURCES = ['kerberos']
>>>>>>>>
>>>>>>>> +config.KERBEROS_AUTO_CREATE_USER = True
>>>>>>>>
>>>>>>>> +
>>>>>>>>
>>>>>>>>
>>>>>>>> Removed, it was only for testing.
>>>>>>>
>>>>>>>> 3) Remove the commented code.
>>>>>>>>
>>>>>>>> + # if self.form.data['email'] and
>>>>>>>> self.form.data['password'] and \
>>>>>>>>
>>>>>>>> + # source.get_source_name() ==\
>>>>>>>>
>>>>>>>> + # current_app.PGADMIN_KERBEROS_AUTH_SOURCE:
>>>>>>>>
>>>>>>>> + # continue
>>>>>>>>
>>>>>>>>
>>>>>>>> Removed the comment, it is actually the part of the code.
>>>>>>>
>>>>>>>> 4) KERBEROSAuthentication could be KerberosAuthentication
>>>>>>>>
>>>>>>>> class KERBEROSAuthentication(BaseAuthentication):
>>>>>>>>
>>>>>>>>
>>>>>>>> Done.
>>>>>>>
>>>>>>>> 5) You can use the constants (ldap, kerberos) you had defined when
>>>>>>>> creating a user.
>>>>>>>>
>>>>>>>> + 'auth_source': 'kerberos'
>>>>>>>>
>>>>>>>>
>>>>>>>> Done.
>>>>>>>
>>>>>>>> 6) The below URLs belong to the authenticate module. Currently they
>>>>>>>> are in the browser module. I would also suggest rephrasing the URL from
>>>>>>>> /kerberos_login to /login/kerberos. Same for logout.
>>>>>>>>
>>>>>>> Done the rephrasing as well as moved to the authentication module.
>>>>>>>
>>>>>>>
>>>>>>>> Also, even though the method GET works, we should use the POST
>>>>>>>> method for login and DELETE for logout.
>>>>>>>>
>>>>>>> Kerberos_login just redirects the page to the actual login, so no
>>>>>>> need for the POST method.
>>>>>>> I followed the same method for the Logout user we have used for the
>>>>>>> normal user.
>>>>>>>
>>>>>>>
>>>>>>>> +(at)blueprint(dot)route("/kerberos_login",
>>>>>>>>
>>>>>>>> + endpoint="kerberos_login", methods=["GET"])
>>>>>>>>
>>>>>>>>
>>>>>>>> +(at)blueprint(dot)route("/kerberos_logout",
>>>>>>>>
>>>>>>>> + endpoint="kerberos_logout", methods=["GET"])
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>> On Tue, Dec 22, 2020 at 6:07 PM Akshay Joshi <
>>>>>>>> akshay(dot)joshi(at)enterprisedb(dot)com> wrote:
>>>>>>>>
>>>>>>>>> Hi Aditya
>>>>>>>>>
>>>>>>>>> Can you please do the code review?
>>>>>>>>>
>>>>>>>>> On Tue, Dec 22, 2020 at 3:44 PM Khushboo Vashi <
>>>>>>>>> khushboo(dot)vashi(at)enterprisedb(dot)com> wrote:
>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> Please find the attached patch to support Kerberos Authentication
>>>>>>>>>> in pgAdmin RM 5457.
>>>>>>>>>>
>>>>>>>>>> The patch introduces a new pluggable option for Kerberos
>>>>>>>>>> authentication, using SPNEGO to forward kerberos tickets through a browser
>>>>>>>>>> which will bypass the login page entirely if the Kerberos Authentication
>>>>>>>>>> succeeds.
>>>>>>>>>>
>>>>>>>>>> The complete setup of the Kerberos Server + pgAdmin Server +
>>>>>>>>>> Client is documented in a separate file and attached.
>>>>>>>>>>
>>>>>>>>>> This patch also includes the small fix related to logging #5829
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>> Khushboo
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> *Thanks & Regards*
>>>>>>>>> *Akshay Joshi*
>>>>>>>>> *pgAdmin Hacker | Principal Software Architect*
>>>>>>>>> *EDB Postgres <http://edbpostgres.com>*
>>>>>>>>>
>>>>>>>>> *Mobile: +91 976-788-8246*
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Thanks,
>>>>>>>> Aditya Toshniwal
>>>>>>>> pgAdmin hacker | Sr. Software Engineer | *edbpostgres.com*
>>>>>>>> <http://edbpostgres.com>
>>>>>>>> "Don't Complain about Heat, Plant a TREE"
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> *Thanks & Regards*
>>>>>> *Akshay Joshi*
>>>>>> *pgAdmin Hacker | Principal Software Architect*
>>>>>> *EDB Postgres <http://edbpostgres.com>*
>>>>>>
>>>>>> *Mobile: +91 976-788-8246*
>>>>>>
>>>>>
>>>
>>> --
>>> *Thanks & Regards*
>>> *Akshay Joshi*
>>> *pgAdmin Hacker | Principal Software Architect*
>>> *EDB Postgres <http://edbpostgres.com>*
>>>
>>> *Mobile: +91 976-788-8246*
>>>
>>
>>
>> --
>> Dave Page
>> Blog: http://pgsnake.blogspot.com
>> Twitter: @pgsnake
>>
>> EDB: http://www.enterprisedb.com
>>
>>
>
> --
> Dave Page
> Blog: http://pgsnake.blogspot.com
> Twitter: @pgsnake
>
> EDB: http://www.enterprisedb.com
>
>

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EDB: http://www.enterprisedb.com