Re: [pgAdmin4][Patch] - RM 6158 - Logging into PostgreSQL servers with Kerberos Authentication

From: Akshay Joshi <akshay(dot)joshi(at)enterprisedb(dot)com>
To: Khushboo Vashi <khushboo(dot)vashi(at)enterprisedb(dot)com>
Cc: pgadmin-hackers <pgadmin-hackers(at)postgresql(dot)org>
Subject: Re: [pgAdmin4][Patch] - RM 6158 - Logging into PostgreSQL servers with Kerberos Authentication
Date: 2021-04-26 07:12:32
Message-ID: CANxoLDeasw7ML_ZM5cco+6cXkDKq86qZ8mE-3JV2aYt8Ns+CmQ@mail.gmail.com
Lists: pgadmin-hackers

Hi Khushboo

I have applied your patch and started testing it in different scenarios.
Following are the GUI review comments:

- Update the comments about Kerberos support for AUTHENTICATION_SOURCES
  in config.py.
- You will have to create a migration file again. Getting "Error:
  Multiple head revisions are present for given argument".
- Increase the height of the server dialog, as after adding the "Kerberos
  Authentication?" switch the Connection tab is showing scroll bars.
- Desktop/Server mode: getting "No such file or directory:
  '/var/lib/pgadmin/krbccache'". KERBEROS_CCACHE_DIR should only be created
  in Server Mode and when AUTHENTICATION_SOURCES is 'kerberos'.
- Server Dialog: the "Kerberos Authentication?" switch control should be
  enabled only in Server Mode and when AUTHENTICATION_SOURCES is 'kerberos'.
- The "Kerberos Authentication?" switch should be disabled when the server
  is connected.
- In Desktop mode, AUTHENTICATION_SOURCES must be '*internal*'; it doesn't
  matter what mode is provided in *config.py* or *config_local.py*. In
  fact, we should create a flag '*authentication_mode*' which will be set
  after the valid authentication source has been detected/connected. *For
  example,* the user has provided AUTHENTICATION_SOURCES = ['kerberos',
  'internal'], it is unable to connect using Kerberos, and then the user has
  provided a valid email and password, so we will set
  '*authentication_mode*' to 'internal' and the rest of the logic will be
  based on that flag.
- Connect to any database server and check the backend logs; the following
  error is visible:
  - KeyError: 'KRB5CCNAME'
    *Solution*: It should not call the "kerberos_validate_ticket()" function
    until AUTHENTICATION_SOURCES is 'kerberos' and Server Mode is true.

*AUTHENTICATION_SOURCES = ['kerberos']:*

- Kerberos is not set up: open the pgAdmin page, enter email and password;
  two message boxes pop up, one with a valid Kerberos error and the second
  one with "None" as a string.
- Similarly, if AUTHENTICATION_SOURCES = ['kerberos', 'internal'] and it
  fails to connect using Kerberos, then provide an email and the wrong
  password; two message boxes pop up, one with the Kerberos error and
  another with the password error.
- In the User Management dialog, 'kerberos' should not be visible in the
  authentication source dropdown, as there is no point in creating a
  Kerberos user from there.
- Add a local server (without Kerberos) to the browser tree, set "Kerberos
  Authentication?" to True, and try to connect by providing the password; it
  always returns the "fe_sendauth: no password supplied" error. If possible,
  can we identify and change the error message?
- Add a database server where Kerberos authentication is ON, make changes
  in pg_hba.conf with the wrong user name, then try to connect to the
  database server. The server tries to connect and the spinner is visible and
  never stops. It should raise a proper error message. There are some other
  scenarios where entries in pg_hba.conf are wrong.
- *Suggestion 1*: As per the current implementation, even if "Kerberos
  Authentication?" is set to false, the user can connect to the database
  server by providing any password or a blank password. It is difficult for
  the user to identify that it is connected using GSSAPI. I would suggest
  providing a control in the properties dialog which tells that the database
  server is connected using GSSAPI.
- *Suggestion 2*: If it is possible to detect that the database server
  is connected using Kerberos, then we should disable the 'Username' control,
  as for Kerberos both the users (pgAdmin user and database user) must be
  the same.

*Note:* pgAdmin on OSX is not working with Kerberos authentication. It fails
with the error "Your GSSAPI implementation does not have support for
manipulating credential stores directly". We need to document this behavior.

*Code review still remains, which I'll start after the above fixes.*

On Wed, Apr 14, 2021 at 2:06 PM Khushboo Vashi <
khushboo(dot)vashi(at)enterprisedb(dot)com> wrote:

> Hi,
>
> Please find the attached patch with some minor improvements.
>
> Thanks,
> Khushboo
>
> On Wed, Apr 7, 2021 at 11:50 PM Khushboo Vashi <
> khushboo(dot)vashi(at)enterprisedb(dot)com> wrote:
>
>> Hi,
>>
>> Please find the attached patch for RM 6158: Support Kerberos
>> Authentication - Phase 2.
>> This patch includes the support for logging into PostgreSQL servers with
>> Kerberos authentication.
>>
>> Thanks,
>> Khushboo
>>
>>

--
*Thanks & Regards*
*Akshay Joshi*
*pgAdmin Hacker | Principal Software Architect*
*EDB Postgres <http://edbpostgres.com>*

*Mobile: +91 976-788-8246*
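
The gating rules requested in the review above (Desktop mode always uses 'internal', the credential cache directory and ticket validation only apply when Kerberos is actually in use, and an 'authentication_mode' flag records the source that succeeded) can be sketched as follows. This is an added example, not code from the patch or from pgAdmin: every function name is hypothetical, and reporting only the last failure and checking KRB5CCNAME with `.get()` are assumptions of this sketch.

```python
import os

INTERNAL, KERBEROS = "internal", "kerberos"


def effective_sources(server_mode, configured_sources):
    """Desktop mode always uses 'internal', whatever the config files say."""
    return list(configured_sources) if server_mode else [INTERNAL]


def kerberos_enabled(server_mode, configured_sources):
    """True only in Server Mode with 'kerberos' among the sources."""
    return KERBEROS in effective_sources(server_mode, configured_sources)


def ensure_ccache_dir(server_mode, configured_sources, ccache_dir):
    """Create the credential cache directory only when Kerberos is in use."""
    if not kerberos_enabled(server_mode, configured_sources):
        return False
    os.makedirs(ccache_dir, mode=0o700, exist_ok=True)
    return True


def login(server_mode, configured_sources, authenticators):
    """Try each source in order; return (authentication_mode, error).

    `authenticators` (hypothetical) maps a source name to a callable that
    returns (ok, error_message). Assumption: only the last failure is
    reported, so a failed Kerberos attempt followed by an internal attempt
    produces at most one message instead of two.
    """
    error = None
    for source in effective_sources(server_mode, configured_sources):
        ok, error = authenticators[source]()
        if ok:
            return source, None
    return None, error


def should_validate_ticket(authentication_mode, environ=os.environ):
    """Guard for the ticket check: no KeyError when KRB5CCNAME is unset."""
    return authentication_mode == KERBEROS and bool(environ.get("KRB5CCNAME"))
```
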
